On May 28, 2023, Texas passed the Texas Data Privacy and Security Act (“TDPSA”), making it the tenth U.S. State to pass a consumer data privacy bill that governs the collection, use, and transfer of consumer data and the second largest state to do so. Once Governor Abbott signs TDPSA, it will take effect on July 1, 2024.  The bill builds on the trend of states enacting consumer data privacy laws in 2023. Texas is poised to become the fifth state, following  the footsteps of Iowa, Indiana, Tennessee, and Montana, to pass such a bill this year.

The TDPSA closely resembles the Virginia Consumer Data Protection Act (“VCDPA”), with some elements borrowed from the California Privacy Rights Act (“CPRA”). Some notable distinguishing features of the law include:

(1) Applicability and Scope 

  • The Texas law uses a unique applicability standard. It applies to persons that (1) conduct business in Texas or produce products or services consumed by Texas residents (which is different – and potentially broader – than other state laws, which focus on whether a business targets a state’s residents), (2) process or engage in the sale of personal data, and (3) are not small businesses as defined by the United States Small Business Administration (“SBA”). The TDPSA marks the first time a state has used the SBA definition of small business instead of relying on an entity’s revenue or the number of in-state residents whose data are processed. And while the SBA usually considers entities with fewer than 500 employees to be “small,” multiple definitions exist and depend on the company’s specific industry. Therefore, it is unclear which definition will apply, and raises the specter that entities in one industry will be considered small businesses, while similarly sized entities in another will not. If the 500-employee standard holds, the TDPSA is likely to apply to a narrower set of entities than the privacy laws of other states.
  • While the small business requirement raises the bar for what entities are subject to the entirety of the law, small businesses are not completely excluded: even small businesses are prohibited from selling personal data, particularly sensitive data, without receiving prior consent from the consumer.

(2) Definitions

  • Personal Data: Like other states, the TDPSA’s definition of “personal data” does not include publicly available information nor deidentified information, but is notable in that it does include “pseudonymous data,” defined as any information that cannot be attributed to a specific individual without the use of additional information that is kept separately.
  • “Sale” defined similarly to California: Like the California Privacy Rights Act, the TDPSA defines the “sale” of personal data broadly as “sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.”
  • ConsentConsent in the TDPSA is defined narrowly as a “clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.” Consent notably does not include acceptance under general or broad terms of use, hovering over, muting, pausing, or closing a given piece of content or agreement obtained through the use of dark patterns. The TDPSA does not specify if consent can be withdrawn (unlike the privacy laws of Connecticut and Montana).

(3) Controller Responsibilities 

  • Recognizing Universal Opt-Out Mechanisms: Beginning January 1, 2025, the TDPSA will require that controllers recognize universal opt-out methods, such as the Global Privacy Control (“GPC”), to allow consumer to opt out of the sale of personal data and targeted advertising. This means that consumers can exercise their opt-out right by default across sites, so long as they have configured their compatible browser accordingly. Texas now joins California, Montana, Colorado, and Connecticut, in requiring GPC signals be honored, further establishing GPC as a standard opt out technology going forward.
  • Data protection assessments: Like Connecticut’s law, the TDPSA requires that controllers conduct data protection assessments for certain high-risk types of processing – assessments which must weigh the risks and benefits of processing for the consumer, the controller, the public, and other stakeholders. The types of high-risk activities that would trigger these assessments are:
    • Processing personal data for targeted advertising;
    • Selling personal data;
    • Processing personal data to profile consumers, if the profiling presents a reasonably foreseeable risk to consumer of unfair or deceptive treatment, disparate impact, financial, physical, or reputational injury, physical or other intrusion upon seclusion or private affairs, or “other substantial injury”;
    • Processing sensitive data; and
    • Any other processing of personal data that presents a “heightened risk of harm to consumers.”
  • Additional Disclosures Pertaining to the Sale of Sensitive Personal DataThe TDPSA also requires specific language in the context of sensitive data sales. Entities that sell sensitive personal data must include the following in their notice: “NOTICE: We may sell your sensitive personal data.” And controllers that sell biometric data must state, “NOTICE: We may sell your biometric personal data.”
  • Exclusion of “sexual orientation” from “sensitive data”: Unlike every other state law, the TDPSA’s definition of “sensitive data” excludes data revealing “sexual orientation,” an exclusion that comes from the Texas Senate’s version of the bill. This narrower definition is likely to reduce certain data privacy protections for LGBTQ+ individuals.

(4) Enforcement

  • There is no private right of action. The Attorney General will enforce the TDPSA with civil penalties of up to $7,500 per violation. Before bringing an enforcement action, the Attorney General must give a controller 30 days to cure the alleged violation – a cure period that, unlike other states’ laws, will not sunset. Companies must notify the relevant consumers that alleged violations have been addressed, provide the attorney general supportive documentation to show how the violation was cured, and if necessary, make changes to internal policies. Notably, these remediation documentation requirements are more robust than other states’ cure requirements.

Takeaways

Texas makes ten states that now have comprehensive privacy laws. In the lead-up to the July 1, 2024 effective date, companies doing business in Texas or whose products or services are consumed by Texans should consider the following as part of their ongoing privacy compliance efforts:

  • Consider whether you’re a "small businesses”. True Mom & Pop businesses with well under 500 employees are probably exempt from the TDPSA (unless they process sensitive personal data, in which case opt-in consent is required), but larger companies shouldn't consider themselves categorically exempt even if they have under 500 employees. The TDPSA’s vagueness on what defines a small business means that most companies with over a couple dozen employees, significant sales, or that process or sell a significant amount of personal data should review their privacy practices and make moves to comply. The TDPSA’s requirements, compared to other states’ laws, are not onerous, so many companies should be able to comply relatively easily with Texas if they comply with other states’ privacy laws.
  • Out-of-state businesses take note. Unlike other states’ privacy laws, the TDPSA applies to businesses whose products or services are “consumed by” Texans, not just those targeted at Texans. Non-small businesses that know their products or services are consumed by Texans would do well to comply with the law, particularly because complying with the TDPSA is unlikely to pose significantly more challenges than complying with privacy laws already on the books in other states.
  • Prepare for GPC signals. Texas adds to the list of states requiring companies to listen for and process GPC signals, along with California, Colorado, and others. Companies that use any type of advertising tracking technologies on their websites should ensure that when users come to their sites with GPC turned on, all such trackers automatically turn off. Compliance with opt-out-of-sale rights is particularly concerning for regulators, so companies should ensure that they can comply with some of these low-hanging fruit.
  • Sensitive and biometric data have additional requirements. Companies planning to sell sensitive and biometric data must meet additional requirements. Namely, providing "reasonably accessible and clear" disclaimers in their privacy policies notifying customers that they may sell such data.
  • Curing requires additional documentation. When a company cures alleged violations of the TDPSA, they must take additional steps to notify relevant consumers,  provide the Attorney General with supportive documentation showing how the company cured the violation, and, if necessary, make changes to internal policies.