Don’t Mess with Texas: The Lone Star State Enacts Comprehensive Consumer Privacy Law
Privacy teams have more to do with Gov. Abbot signing the Texas Data Privacy and Security Act, also known as TX HB 4 (the Act), after several last minute amendments. This is in addition to new comprehensive privacy laws from Tennessee (also amended late in the game before submission to the Governor), Indiana, Iowa, Montana and Florida that have passed this spring alone.
Importantly, there is not a minimum number of records processed or annual revenue threshold for businesses to be in the scope of the law. It has broad applicability to companies who do business in the state and who process or sell personal data. It does contain the usual entity and data level exceptions (e.g., GLBA, HIPAA, FCRA, etc.) and explicitly excludes data collected in the human resources or business-to-business context.
Small businesses (as defined by the United States Small Business Administration) are largely excluded from the Act except that such small businesses may not engage in the sale of sensitive data without receiving prior consent from the consumer.
The majority of the Act goes into effect on July 1, 2024 with a 30 day cure period that does not expire. By January 1, 2025, businesses will need to scan for and interpret opt-out signals such as global privacy control subject to certain exceptions outlined in Section 544.055(e)(1)-(4) of the Act. While the Act does not provide a private right of action, it does outline a civil penalty of $7,500 per violation and injunctive relief enforceable by the Texas Attorneys General office.
It is similar to Virginia’s Consumer Data Protection Act (VCDPA) but includes key differences that are outlined below. It also borrows some CCPA concepts like a broad definition of sale with the inclusion of “any valuable consideration.” Consumers are also provided with familiar rights including receiving a copy of their personal data, confirmation of processing, correction, deletion, opting out of sales/targeted advertising/profiling and the right to appeal.
Like other state omnibus privacy laws, the Act imposes requirements on processors including minimum contractual requirements and an obligation to assist controllers in responding to consumer rights requests. Data protection assessments – with similar content and analysis requirements as the VCDPA – must also be performed by Controllers. Such assessments need only be performed on data processing activities generated after January 1, 2025 (and not applied retroactively) but must be made available to the Texas Attorneys General office upon a civil investigative demand. Like other state laws, “generated” is not defined and the common definition of the word would suggest that ongoing processing activities are subject to assessment.
Processing Sensitive Data
Subject to the usual exempt processing activities (outlined in Sections 541.201 and 541.202(a)), controllers must obtain consent before processing sensitive data. The definition of sensitive data includes i) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis or citizenship or immigration status; ii) genetic or biometric data that is processed for the purpose of uniquely identifying an individual; iii) personal data collected from a known child; or iv) precise geolocation data (1,750ft radius). Notably, the scope of health data included in the definition of sensitive data is less broad than in some other state laws.
The definition of personal data includes pseudonymous data but if the controller is able to demonstrate that the information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information, then the controller does not need to comply with the following consumer rights requests as to such data: confirmation of processing, rights to access, right to correct, right to delete and data portability. Additionally, controllers would also be exempt from the duties outlined in Section 541.101 (e.g. limiting their collection of data to only what is reasonable and appropriate, employing reasonable security measures and not processing sensitive data without consent).
Additional Notice Requirements
For controllers who sell sensitive or biometric personal data, they must include an additional notice, in the same location and in the same manner as the privacy notice that states: “NOTICE: We may sell your sensitive personal data” and/or “NOTICE: We may sell your biometric personal data,” as applicable. This notice is similar to what is required under Florida’s new Digital Bill of Rights. However, where Florida states “NOTICE: This website may. . .”, the Act states “NOTICE: We may. . .” (emphasis added). For more information on the Florida Law which is far more narrow in its application than the Texas law, see our posts here and here.
The Act also specifies that the Texas Attorney General will establish an online complaint mechanism where consumers can submit complaints relating to non-compliance with the Act.
With legislative sessions coming to a close, there is still time for additional states to pass comprehensive privacy laws – see our post here with helpful tracking information. The PW team will continue to monitor the passage of these laws to keep you in the loop. For more information, contact the authors or your SPB relationship partner.