As the 88th Texas legislative session comes to a close, Texas residents are on the cusp of gaining significantly enhanced control over their personal data.
Over Memorial Day weekend 2023, the Texas legislature passed the Texas Data Privacy and Security Act. Texas is now poised to join a rapidly growing list of U.S. states that have passed “comprehensive” privacy regulations, a trend that began in 2018 with the enactment of the California Consumer Privacy Act. Unlike existing federal and state laws that apply to the use of personal data in specific industries (such as healthcare, financial services and consumer reporting) or contexts (such as information collected from children online), these new state laws cover the collection, use and disclosure of personal data generally, marking a paradigm shift in how data privacy is regulated in the U.S.
Individual Rights and Compliance Obligations
Under the TDPSA, Texas residents would have explicit rights to access, correct, delete or obtain a copy of their personal data, subject to certain exceptions and requirements. Texans would also have the right to opt out of the sale of their personal data, the processing of their personal data for targeted advertising purposes and certain types of profiling.
Companies that are subject to the TDPSA would be required to implement procedures for receiving and responding to requests from consumers seeking to exercise these rights. They would also need to comply with numerous other obligations, including:
- providing certain disclosures to consumers prior to collecting their personal data;
- entering into specific contractual provisions with service providers that process personal data on their behalf;
- implementing and maintaining reasonable security measures to protect personal data; and
- conducting data protection assessments when engaging in certain high-risk processing activities.
Exemptions and Enforcement
The TDPSA would not apply to state agencies, nonprofit organizations, institutions of higher education, certain utilities or certain regulated entities in the healthcare and financial services industries, and it would exempt employee personal data, business contact information and certain categories of personal data that are already subject to specific regulations. The TDPSA would be enforced by the attorney general, who could (following a 30-day cure period) issue civil penalties of up to $7,500 per violation.
Applicability and Scope
For many companies, simply determining whether they are subject to the TDPSA may prove to be a challenge. In all other states that have enacted comprehensive privacy laws, the applicability test largely hinges on straightforward questions like whether a business meets certain revenue thresholds or processes or sells certain amounts of personal data. As a result, smaller businesses that do not engage in significant personal data processing activities are typically out of scope. The TDPSA takes a novel approach to achieving the same goal — it would apply to any company that:
- conducts business in Texas (or produces products or services consumed by Texas residents);
- processes consumer personal data; and
- is not a “small business” as defined by the U.S. Small Business Administration.
Small Business Status
While using small business status as the determining factor for applicability makes intuitive sense, this approach may prove to be much more complicated and confusing in practice. The SBA does not have a single definition for “small business” with general application. Rather, the label is extremely variable, and the factors that determine small business status (such as number of employees or annual revenues) heavily depend on the context in which the status is claimed and the industry of the company claiming such status.
For example, a company could qualify as a small business for purposes of bidding on a particular government contract but not for purposes of qualifying for a particular government loan. Likewise, a company could qualify as a small business with respect to services it provides but not with respect to products it sells. Moreover, companies that list a primary NAICS code on their tax returns may unwittingly lock themselves into a particular standard for determining small business status.
To complicate matters further, a company’s small business status could be undermined by its affiliations (corporate or otherwise) because of the SBA’s “affiliation” rules, which rely on a complicated factor-by-factor analysis. For instance, startups and emerging companies may lose their small business status upon receiving a substantial investment from a private equity firm, venture capital firm or hedge fund. And wrongly claiming small business status is not a light matter — small business fraud is heavily enforced in the government contracting world.
Far-Reaching Scope
Even companies that can rightfully claim small business status may still be affected by the TDPSA. Notwithstanding the general exemption for small businesses, the TDPSA would prohibit small businesses from engaging in the sale of “sensitive” personal data (a term that includes data elements such as race, religious beliefs, biometric data, sexuality and precise geolocation) without first obtaining consent from the consumer. While this discrete restriction may have limited impact, it would be the first instance of a state comprehensive privacy law imposing obligations on companies that do not otherwise meet its applicability test.
Likewise, companies that neither operate in Texas nor target Texas consumers may be surprised to find that they are not beyond the TDPSA’s reach. While the comprehensive privacy laws in other states only capture out-of-state companies that “target” their products or services to in-state consumers, under the TDPSA, simply having products or services “consumed by” Texas residents would be enough to trigger compliance, assuming the other applicability factors are met.
The TDPSA in Comparison with Other State Laws
Larger companies that have no expectation of qualifying for the small business exemption will likely face their own challenges in interpreting and complying with the TDPSA. Many such companies are already complying with the comprehensive privacy laws of other states and may reasonably assume that such efforts are sufficient for the TDPSA. While the basic elements of the TDPSA mirror its forebears (particularly the Virginia Consumer Data Protection Act), there are distinct differences beyond the approach to applicability.
Exemptions from “Sale”
In defining what constitutes a “sale” of personal data, each of the other state laws exempts personal data that is transferred to a third party as an asset in the context of a merger, acquisition, bankruptcy or other transaction in which the receiving party assumes control of all or part of the company’s business or assets. Under the TDPSA, however, this exemption would only apply in the context of a “merger or acquisition,” terms that are undefined. This seemingly deliberate change raises questions as to whether an asset sale or similar transaction in which the buyer does not assume full control of the seller’s business would be a “sale” of personal data under the TDPSA.
Curing Violations
The TDPSA follows the approach of other states in giving companies a window of time in which to cure violations before the attorney general can commence an enforcement action. However, the TDPSA would significantly increase the burden on companies to prove violations have been cured. Under Virginia’s law, for example, a company can avoid enforcement by curing violations within 30 days of being notified and providing the attorney general with a written statement advising that the alleged violations have been cured and that no further violations will occur. By contrast, the TDPSA would require a written statement that not only confirms that the company has cured the alleged violations but also states that the company has:
- notified the consumer that the consumer’s privacy violation was addressed (if the consumer’s contact information has been made available to the company);
- provided supportive documentation to show how the privacy violation was cured (whether such documentation has to be provided to the consumer or the attorney general is unclear); and
- made changes to internal policies, if necessary, to ensure that no such further violations will occur.
Interaction with Consumers
The TDPSA is more prescriptive than its counterparts when it comes to how companies must interact with consumers. While all the states require in-scope companies to include specific disclosures in a consumer-facing privacy notice, the TDPSA would also require companies that sell sensitive personal data or biometric data to post a specific disclaimer disclosing this fact in the same location and manner as the privacy notice link.
And while all of the other state laws require companies to establish methods through which consumers can exercise their rights, only the TDPSA would expressly require certain businesses to “provide a mechanism” on their website for this purpose. The TDPSA does not define or elaborate on what would constitute such a “mechanism,” but a reasonable interpretation is that it would require implementing a web form or portal through which consumers could submit requests rather than relying solely on traditional methods of communication such as email or a toll-free number. (While California’s requirement to “make the internet website available” for consumers to submit requests could be read as imposing a similar obligation, the language of the TDPSA is less vague on this point.)
Next Steps
If the TDPSA becomes law, companies will have until July 1, 2024, to comply with most of the law’s provisions.
By the same date, the attorney general would have to post on its website information relating to the obligations and rights under the TDPSA, as well as provide an online mechanism through which consumers could submit complaints.
Meanwhile, by Sept. 1, 2024, the Texas Department of Information Resources would be required to create an online portal on its website, available for at least 90 days, through which members of the public could provide feedback and recommend changes to the TDPSA. By Jan. 1, 2025, the agency would have to release a report to the Legislature detailing the status of the TDPSA’s implementation and any recommended changes.
Michael H. Rubin, a litigation partner based in Latham’s San Francisco office, is global co-chair of the Privacy & Cyber Practice and global vice chair of the Technology Industry Group.
Robert W. Brown II, based in Latham’s Houston and Austin offices, is a counsel in the Data & Technology Transactions and Privacy & Cyber practices.
Contributors: Dean Baxtresser and Kyle Jefcoat are litigation partners based in Latham’s Washington, D.C., office.