On May 10, 2023, the Texas State Senate passed H.B. 4, titled the Texas Data Privacy and Security Act (“TDPSA”), sending the bill to Governor Abbott’s desk for final signature. If signed into law, Texas will join a growing contingent of states enforcing comprehensive data privacy laws for their residents.
This alert provides answers to some general questions about the TDPSA as it is currently written. Be on the lookout for additional updates about the Act once signed by Governor Abbott.
Who will be required to comply with the TDPSA?
The TDPSA will regulate persons and entities that: (a) conduct business in Texas or produce products or services consumed by Texas residents; (b) process or engage in the sale of personal data; and (c) are not small businesses as defined by the U.S. Small Business Administration, unless the small business is involved in the sale of sensitive personal information. This applicability standard is broader than many other state privacy laws previously enacted because it does not have a revenue threshold. Rather, the applicability is based on whether the business qualifies as a “small business”, which is a variable, context-specific standard, the status of which can be undone by its affiliations.
If you are a small business, but you are selling Texas residents’ sensitive personal data, the TDPSA will require you to obtain the data subject’s consent prior to sale.
Does my business process or sell personal data under the TDPSA?
“Personal data” is defined as any information that is linked or reasonably linkable to an identified or identifiable individual. If you are processing personal data, that means that your business is collecting, using, storing, disclosing, analyzing, deleting, or modifying personal data. “Sale” means the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration to a third party. We have seen, particularly in California, that “sale” can have significantly broader applications than traditional notions of what constitutes a sale, such as receipt of analytic data. It has yet to be seen whether this Act would take a similar broad approach.
What rights would be granted to Texas residents?
Texas residents could soon have certain rights related to their personal data, including rights of access, correction, deletion, portability, the right to opt out of certain processing, and the right to appeal a controller’s decision regarding a rights request. The Act could also require data minimization, processing limitations, data security, non-discrimination, third-party contracting, and data protection assessments, as well as impose certain requirements directly on entities who process data on behalf of a party that makes decisions on how that data is used.
Which other states have comprehensive privacy laws?
As of this writing, seven states have signed comprehensive data privacy laws. California was the first state with the California Consumer Privacy Act (“CCPA”), effective as of January 2020. California’s amendments to the CCPA and Virginia’s Consumer Data Protection Act (“VCDPA”) became effective January 1, 2023. Colorado and Connecticut’s laws will go into effect on July 1, 2023, while Iowa and Indiana’s will go into effect in 2025 and 2026, respectively. Similar laws from Montana and Tennessee are also awaiting final signature.
When will the TDPSA be effective?
If signed, the TDPSA will be effective on March 1, 2024.
Who is responsible for enforcement? Is there a private right of action?
The TDPSA does not contain a private right of action. Rather, all enforcement will be through the Texas Attorney General, but the AG can make a civil investigative demand following a consumer request.
What is the penalty for violations?
The penalty is $7,500 per violation plus attorney fees and investigation costs incurred by the AG.
Once the final act is signed, Kean Miller will provide additional resources regarding compliance with this Act. If you want to discuss this possible new Act in further detail, contact your privacy counsel.