The absence of comprehensive federal privacy regulation in the United States has created an open field for states to take the lead in addressing individual data protection and privacy rights.
The first state to take the field was California, which enacted the comprehensive California Consumer Privacy Act (CCPA) in 2018. More recently, Texas joined the game by passing HB 4, the Texas Data Privacy and Security Act (TDPSA), making Texas the 10th state to enact a comprehensive privacy statute. While both California’s and Texas’ laws share the common goal of safeguarding personal information and empowering consumers with new data rights, there are some significant differences in scope and coverage.
This article examines the key aspects of both privacy laws, illuminating their similarities, differences and their expected impacts.
Scope of the Laws
California’s law targets “businesses” that are legal entities organized or operated for profit and conduct business in California, as long as they meet certain threshold requirements. Specifically, the CCPA applies to businesses if they alone or in combination with their affiliates either: (a) have gross annual revenue over $25 million; or (b) buy, receive or sell the personal information of 50,000 or more consumers, households or devices for commercial purposes. Additionally, if a company generates 50 percent or more of its annual revenue from the sale of consumers’ personal information, that company falls under the purview of the CCPA.
The Texas law applies to individuals or entities that conduct business in Texas, produce products or provide services utilized by Texas residents and that engage in the processing or sale of personal data. Notably, the TDPSA only applies to businesses that “sell” data and sets a lower floor for annual revenue than the CCPA. And, in contrast to the CCPA and all previous state privacy laws, exempt from the TDPSA’s requirements are those entities defined as small businesses by the United States Small Business Administration (SBA). The SBA determines company size based on the North American Industry Classification System, which takes economic characteristics, company size and revenue into account, but typically considers annual revenue of $16.5 million to be the upper limit for small business size.
Even though the annual revenue threshold is lower under the TDPSA, by considering both the size and the number of records held by the business — and not requiring a prerequisite “sale” of data — the CCPA ultimately captures a wider range of entities involved in data processing or commercialization, even if some entities might otherwise fall below the $25 million revenue threshold. This approach reflects the CCPA’s greater focus on the impact of processing large amounts of consumer data, while the TDPSA thresholds focus more on the impact of compliance costs on smaller businesses and businesses that don’t perform higher-risk “sales” of data.
Texas legislators took a fairly standard approach in crafting the definition of “personal information” under the TDPSA, aligning it with definitions found in most state privacy laws. According to TDPSA, “personal information” encompasses any information, including sensitive information, that is linked or linkable to an identified or identifiable individual.
This differs from the CCPA, which specifically incorporates the term “households” within its definition of personal information. By including households, California acknowledges the interconnected nature of individuals within a household and recognizes the potential privacy risks associated with the sharing of personal information at a family-size level. This inclusion reflects an understanding that certain scenarios may deserve privacy protection even if the information does not directly identify a particular individual, but instead pertains to the household to which the individual belongs. For example, data collected about home internet use and IP addresses are often tracked and organized on a household basis, and often can’t be narrowed down to a single person.
The exclusion of households from the TDPSA’s definition may lead to less oversight of the privacy concerns of family units as a whole. For instance, the absence of household information in the definition may allow for the selling of such information without notice or consent of Texas consumers, potentially permitting targeted advertising or profiling based on collective data gathered about a household where the CCPA would prohibit similar targeting of California consumers.
The TDPSA provides consumers with individual rights that are similar to those offered by the CCPA. Under the TDPSA, consumers have the right to know whether and how their personal data is being processed by a controller. Texas consumers can also request the correction of any inaccuracies in their personal data, taking into account the nature of the data and the purposes of the processing.
Perhaps recognizing the CCPA’s most-exercised rights, the TDPSA grants consumers the right to delete their personal information and obtain a copy of the personal data they have previously provided to a controller. Additionally, consumers have the ability to opt out of the processing of their personal data for targeted advertising purposes, the sale of personal data or profiling that may impact important legal decisions concerning the consumer.
These rights provided by the TDPSA align closely with the principles of transparency, control and accountability present in the CCPA. By enabling consumers to exercise these rights, both the TDPSA and CCPA aim to enhance individual privacy protection, giving consumers greater control over their personal information and how it is used by businesses. These provisions not only provide consumers with important safeguards but also reflect a legislative aim to foster responsible data handling and respect for privacy by businesses in the digital era.
The TDPSA not only grants consumer rights similar to the CCPA and other state laws, but also imposes various duties on controllers that align with the duties under the CCPA. Texas controllers are obligated to limit data collection to what is “adequate, relevant, and reasonably necessary” for the purpose for which the information was collected, mirroring the requirements of the CCPA and other similar state privacy legislation.
Like the CCPA, the TDPSA prohibits controllers from discriminating against consumers for exercising their individual rights under the act, ensuring that consumers are protected from any form of retaliation. Additionally, the TDPSA mandates that controllers obtain consumer consent before processing sensitive data, even if the controller is a small business. This emphasis on consumer consent is similar to other state privacy laws designed to promote the protection of sensitive information. Furthermore, the TDPSA grants consumers the right to opt out of targeted advertising, following the lead of the latest updates to the CCPA.
In terms of privacy-notice obligations, the TDPSA provides guidance in many ways more detailed than the CCPA. Most notably, unlike California, Texas sets a unique requirement for additional notice (specifically, “We may sell your sensitive personal data”) if the controller sells sensitive personal information.
Texas stands out as one of the few states that offers specific protections for biometric data. In contrast to California’s law, the TDPSA adopts a definition of biometric data similar to the state of Washington’s Biometric Privacy Law, excluding from its scope photographs, videos and audio recordings that do not use biometrics to identify individuals. Texas also sets a unique requirement, absent in California’s law, for additional notice (specifically, “We may sell your biometric personal data”) if the controller sells biometric personal information.
A state’s attorney general has the exclusive right to enforce the TDPSA. Unlike the CCPA, there’s no private right of action in the TDPSA.
The TDPSA stands as another leading example of state efforts to address the need for comprehensive regulation that provides strong protection for individual consumers in the realm of privacy. Although the TDPSA doesn’t incorporate every key element from California and the other state privacy laws passed over the past several years, the TDPSA has its own nuances that data controllers should be aware of, and it reinforces the growing significance of data privacy regulations in an increasingly interconnected world.
Gabor Szecsi is an attorney in the capital markets and securities practice group in Haynes Boone’s Palo Alto office. His practice focuses on general corporate law, commercial contracts and emerging growth companies, mergers and acquisitions.
Gavin George is a partner in the Dallas office of Haynes Boone. His practice encompasses privacy, data processing, technology transactions and intellectual property matters. He counsels clients on international, federal and state-level privacy compliance and transactional issues.