On June 18, 2023, Texas Governor Greg Abbott signed the Texas Data Privacy and Security Act (the “Act”) into law, making Texas the 11th state to enact a comprehensive privacy law.
The Act’s provisions apply only to a person that:
- conducts business in Texas or produces a product or service consumed by Texas residents;
- processes or engages in the sale of personal data; and
- is not a small business as defined by the United States Small Business Administration, except to the extent that Section 541.107 (discussed below) applies.
“Sale of personal data” means the sharing, disclosing or transferring of personal data to a third party for monetary or “other valuable consideration,” like the California Consumer Privacy Act of 2018 (“CCPA”) but unlike Virginia’s Consumer Data Protection Act (“VCDPA”).
The Act contains exemptions similar to the VCDPA and other state laws that follow it, with certain departures. For example, like the VCDPA, the Act exempts entirely from its application a financial institution subject to the Gramm-Leach-Bliley Act (“GLB”) (as well as data subject to the GLB), a covered entity or business associate subject to the Health Insurance Portability and Accountability Act (“HIPAA”), protected health information under HIPAA, and certain personal data regulated under other laws, such as the Fair Credit Reporting Act, Driver’s Privacy Protection Act and Farm Credit Act. Unlike the VCDPA, the Act also contains a specific exemption for an electric utility, power generation company or a retail electric provider.
The Act defines “consumer” to mean “an individual who is a resident of this state acting only in an individual or household context” and also specifically does not apply to data “processed or maintained in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role.” Thus, like the VCDPA and similar state laws, the Act does not apply to personal data in the HR or B2B context.
The Act requires a controller to maintain a detailed privacy notice, and, unlike the CCPA and VCDPA, includes a specific requirement that if the controller sells sensitive or biometric data, the controller must include in its privacy notice a specified statement of that fact. “Sensitive data” means a category of personal data and includes (1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status; (2) genetic or biometric data that is processed for the purpose of uniquely identifying an individual; (3) personal data collected from a known child; or (4) precise geolocation data (within a radius of 1,750 feet). Notably, the Act, unlike the CCPA and VCDPA, defines “known child” to mean a child under circumstances where a controller has actual knowledge of, or willfully disregards, the child’s age. “Biometric data” means data generated by automatic measurements of an individual’s biological characteristics and includes a fingerprint, voiceprint, eye retina or iris, or other unique biological pattern or characteristic that is used to identify a specific individual.
The Act provides Texas residents with certain rights with respect to their personal data, including rights of access, correction, deletion and portability; the right to opt out of processing for the purposes of targeted advertising, the sale of personal data or certain profiling; and the right to appeal a controller’s decision regarding a rights request. The Act also requires small businesses (as defined by the United States Small Business Administration), which are not otherwise subject to the law, to receive consent from consumers before selling consumers’ sensitive data.
The Act also includes requirements relating to data minimization, processing limitations, data security, non-discrimination, third-party contracting and data protection assessments. Additionally, it imposes certain requirements directly on entities who process data on behalf of a controller.
The Act does not provide for a private right of action, but it allows the Texas Attorney General to issue a civil investigative demand if the Attorney General has reasonable cause to believe a violation of the Act has occurred. Prior to bringing an enforcement action, the Attorney General must provide notice of any violation and allow an opportunity to cure. The Attorney General may not bring an action against a person if the person cures the alleged violation within the 30-day cure period and provides the Attorney General a written statement that the person:
- cured the violation;
- notified the consumer if the consumer’s contact information was available;
- provided documentation showing how the privacy violation was cured; and
- made changes to internal policies, if necessary, to ensure that no such further violations will occur.
A person who violates the Act after the cure period or breaches a written statement to the Attorney General is subject to an action by the Attorney General for up to $7,500 per violation.
The Act also directs the Attorney General to post on its website (1) information relating to consumers’ rights and the responsibilities of controllers and processors under the Act, and (2) an online mechanism for submitting consumer complaints.
Most of the provisions of the Act will take effect on July 1, 2024. Certain provisions regarding submitting requests via authorized agents will take effect on January 1, 2025.