The Texas Data Privacy & Security Act became effective July 1. Along with 17 other states, Texas has now enacted data privacy protections that will require many businesses to comply with new regulations about the collection, use, processing and treatment of personal data.
The Texas attorney general has authority to enforce violations of the TDPSA by imposing civil penalties up to $7,500 per violation and seeking injunctive relief, attorneys’ fees and fees for investigating and bringing an action for violations. A special team will investigate and enforce violations of Texas data privacy laws.
The Texas attorney general’s office signaled it will aggressively enforce data privacy laws. On June 18, the attorney general sent more than 100 letters to companies suspected of failing to register as data brokers under a similar privacy law that required registration by March 1. According to a press release, the attorney general’s office “takes Texans’ privacy seriously” and is “taking action to ensure that companies comply with our new data broker law, as well as other Texas consumer protection and privacy laws.”
Texas businesses should evaluate their privacy practices and policies to ensure compliance with the TDPSA or risk an enforcement action by the Texas attorney general.
Applicability
The TDPSA applies to companies that conduct business in Texas, produce products or provide services for Texas residents, process or engage in the sale of personal data, and are not a small business as defined by the Small Business Administration (a definition that varies by industry and is based on number of employees or total annual receipts). The requirements generally depend on whether the business is an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data (a “controller”), or a person who processes personal data on behalf of a controller (a “processor”).
The TDPSA applies to all nonexempt consumer data when the consumers act in an individual or household capacity. However, the law does not apply to information and data processed in the business-to-business or employment context. Other exemptions may apply when data is collected for specific purposes expressly outlined in the TDPSA that mostly relate to complying with laws, lawful investigations and governmental authorities or other safety and security reasons.
Review Website Privacy Policy
The TDPSA requires companies to maintain a privacy policy that describes how the company collects, processes, protects, uses, shares and sells personal information from consumers. The privacy policy also must include information about consumers’ rights, including how to exercise those rights and how to appeal a decision denying a request to exercise a right. The Texas attorney general’s enforcement team is expected to scrutinize the privacy policies posted on the websites of companies that do business in Texas to ensure they are in compliance with the law. Therefore, businesses should review these policies immediately to ensure they include all of the elements required by the TDPSA, including notice of the consumer’s rights to confirm whether the controller is collecting and processing the consumer’s data, to correct inaccuracies in that data, to have the data deleted, and to receive a digital copy (if available) of the data the consumer provided (the “privacy rights”).
How to Accept Requests to Exercise Privacy Rights
A controller should provide two or more accessible methods for a consumer to submit authenticated requests to exercise the consumer’s privacy rights that take into account various factors, including the way in which the consumer normally interacts with the controller and the ability of the controller to authenticate the identity of the consumer making the request. If the controller maintains an internet website, the controller must provide a mechanism on the website for consumers to submit requests to exercise their privacy rights. Companies should review how they receive and process these types of requests to ensure they are in compliance with the TDPSA.
Required Documentation
A controller must also have an agreement in place that contains certain requirements before sharing personal data with a third-party processor. Additionally, controllers must conduct a data protection assessment before certain types of data processing may occur. The attorney general may request a copy of the data protection assessment pursuant to a civil investigative demand and evaluate it for compliance with the TDPSA.
Sensitive Data
Sensitive data consists of any personal data revealing a consumer’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, uniquely identifiable genetic or biometric data, precise geolocation data (within a radius of 1,750 feet) or any personal data collected from a known child under the age of 13. A controller is prohibited from collecting or processing sensitive data without obtaining the consumer’s consent, or the parent’s consent for a person under 13 years old. The controller must post a notice informing consumers about the potential for the sale of sensitive personal and biometric data.
Consumer Consent
Many types of processing activities require advance consent from the consumer, which is defined as a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to process personal data relating to the consumer. Consent cannot come from accepting general terms of use or similar documents; from hovering over, muting, pausing or closing a given piece of content; or from a “dark pattern,” a user interface designed to trick users.
Cookies and Universal Opt-Out Signals
Many businesses use cookies on their website that allow personal data of website visitors to be collected and shared with a third-party service provider. Authorities in other states have argued that these arrangements may constitute the “sale” of personal data when it is transferred in exchange for the service provided by the third party. Controllers should be cautious of these kinds of arrangements and evaluate whether the data is being “sold” as defined by the TDPSA, which would then trigger additional duties with respect to the data. Moreover, by Jan. 1 of next year, covered businesses will need to honor universal opt-out signals from browsers that indicate the consumer’s intent to opt out of processing.
Conclusion
Businesses that operate in Texas should be aware of, and prepared to comply with, the TDPSA by July 1. Companies should coordinate with their technology and legal teams to review policies and procedures and to ensure that their privacy policy, terms and conditions, and other documentation comply with the Texas law and other applicable privacy and cybersecurity regulations, so as to avoid enforcement actions by the Texas attorney general.
Zac Duffy is a shareholder in Munsch Hardt’s Dallas office. Zac counsels companies on a number of legal issues relating to intellectual property, technology and data privacy.
Blake Glatstein is an associate in Munsch Hardt’s Dallas office. Blake focuses his practice on complex commercial litigation and intellectual property matters across several industries, including data privacy, technology, financial services and real estate.