
Legal Updates

Texas Enacts Privacy Law; Amends Data Breach Notification Law

Privacy & Cybersecurity Update

On June 13 Texas Governor Greg Abbott signed into law the Texas Data Privacy and Security Act (TDPSA). Texas now joins several other states that have enacted a comprehensive data privacy framework this year. The TDPSA will go into effect on July 1, 2024.

As is common under state privacy frameworks (excluding California), the state attorney general has the exclusive authority to enforce the law and the power to impose penalties, which could amount to $7,500 per violation. The TDPSA does not create a private right of action.

Scope of applicability. The TDPSA applies to any organization that meets all of the following criteria:

  • Conducts business in Texas or produces a product or service consumed by residents of the state
  • Processes or engages in the sale of personal data
  • Is not a small business as defined by the U.S. Small Business Administration (SBA)

The SBA defines a small business in terms of revenue or the number of employees and by the industry in which the business operates. Thus, unlike other states that provide a definitive boundary, the TDPSA presents an additional layer of complexity in determining whether a business is required to comply with its privacy requirements.

Under the TDPSA, personal data is defined as “any information, including pseudonymous data and sensitive data, that is linked or reasonably linkable to an identified or identifiable individual.” Accordingly, the TDPSA differs from similar U.S. privacy laws in that it defines personal data to include “pseudonymous data,” although the requirements concerning pseudonymous data are somewhat limited. Pseudonymous data is defined in part as personal data that cannot be attributed to a specific individual without the use of additional information.

The TDPSA defines “sensitive data” as “a category of personal data” including such data that reveals racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status; genetic or biometric data that is processed for the purpose of uniquely identifying an individual; personal data collected from a known child; and precise geolocation data. Unlike pseudonymous data, the requirements concerning the processing of sensitive data are fairly stringent and generally require an organization to obtain the relevant party’s consent prior to such processing.

The TDPSA includes several exemptions that are standard in data privacy frameworks, including exemptions for data processing activities governed by federal law (e.g., HIPAA, GLBA) and data processing conducted in the HR/employee and business-to-business contexts.

Consumer data privacy rights. The TDPSA provides consumers residing in Texas with the following data privacy rights:

  • The right to request confirmation of whether a controller is processing the consumer’s personal data
  • The right to correct inaccuracies in personal data
  • The right to delete personal data provided by or obtained about the consumer
  • The right to obtain data (if feasible) in a portable, readily usable format so the consumer may transmit it to another controller
  • The right to opt out of the processing of personal data for purposes of targeted advertising, sale, or profiling that leads to a decision that produces a legal or similarly significant effect

The TDPSA defines a “sale of personal data” as the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party but does not include the disclosure of personal data to data processors and other common data sharing practices (e.g., disclosure of personal data to an affiliate, at the request of a consumer, or as part of corporate restructuring).

The TDPSA creates a framework for how controllers must intake, authenticate, and respond to consumer privacy requests and mandates that organizations “establish a process” to allow a consumer to “appeal” a controller’s refusal to act on a data rights request within a reasonable period of time after the consumer receives the decision. Under the TDPSA, a controller that maintains a website must provide a mechanism on the website for consumers to submit data privacy requests. The TDPSA permits controllers to only provide an email address to facilitate requests if the controller operates exclusively online and collects personal information directly from the consumer. In addition, controllers must comply with consumer opt-out requests that originate from the consumer’s agent, including from technologies (e.g., website link, browser setting, global setting on electronic devices) that indicate the consumer’s intent to opt out of processing.

With respect to consumer data privacy rights appeals, the TDPSA specifies that the appeal process must be conspicuously available and similar to the process for intaking privacy rights requests. The controller must inform consumers in writing about the actions taken in response to appeals, including the reasons for decisions, and how consumers may contact the attorney general to submit a complaint.

Beginning January 1, 2025, covered organizations must recognize universal opt-out methods, such as the Global Privacy Control, that allow consumers to opt out of the sale of personal data and of the use of their personal data for targeted advertising.

Privacy policies and other notices. Controllers are required to provide consumers with a “reasonably accessible and clear” privacy notice that describes their data processing activities (e.g., categories of personal data collected and processed, purposes of processing, categories of personal data shared with third parties, categories of recipients). The notice must also describe how consumers can exercise their data privacy rights, including how they can appeal a controller’s decision. A controller that sells personal data or uses it for targeted purposes has the additional obligation to “clearly and conspicuously disclose” such processing and how consumers can exercise their opt-out rights.

Further, controllers that sell sensitive data or biometric personal data must post a notice in the same location and manner as the privacy notice, and these respective notices must include the following language:

  • For sale of sensitive data, “NOTICE: We may sell your sensitive personal data”
  • For sale of biometric data, “NOTICE: We may sell your biometric personal data”

Processor obligations and contracts. The TDPSA places affirmative obligations on processors, such as those related to compliance with a controller’s instructions, assistance in responding to consumer rights requests, and the implementation of security controls to safeguard personal data from unauthorized use.

Like many other data protection laws, the TDPSA also requires controllers and processors to execute written agreements that contain certain data protection clauses, which must address, among other things, the nature and purpose of data processing, the type of data subject to processing, the limited manner in which the processor can use the personal data, confidentiality, and compliance assessments. The TDPSA also requires these controller-to-processor contracts to include clauses requiring the processor to delete or return the personal data in its custody at the end of the data processing services, unless retention is required by law. In addition, the TDPSA mandates written contracts between processors and subcontractors that require the subcontractor to meet the processor’s obligations with respect to personal data.

Data protection assessments. When engaging in data processing that “presents a heightened risk of harm to consumers,” the TDPSA requires a controller to conduct and document a data processing assessment. The TDPSA defines this category of processing broadly to address a variety of common business activities, such as targeted advertising, selling of personal data, processing of sensitive data, and certain types of profiling. The assessment must be made available to the Texas attorney general upon request.

Rewards programs and anti-discrimination. The TDPSA, like other state data protection laws, permits controllers to offer consumers different services or similar services at different prices that are related to loyalty or rewards programs. However, a controller may not discriminate against a consumer for exercising a data privacy right (e.g., by denying the consumer a good or service or charging a different price, or by providing a different level of quality of a good or service).

Consent. The TDPSA limits how a controller can use personal data without a consumer’s consent. For example, an organization “may not process personal data for a purpose that is neither reasonably necessary to nor compatible with the disclosed purpose for which the personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.” A controller is also prohibited from processing sensitive data without obtaining appropriate consent. Although a “small business” is mostly exempt from the TDPSA, the law does provide that a small business must obtain prior consent from a consumer when engaging in the sale of sensitive personal data.

Breach Notification Amendment

In a separate action, on May 27 Governor Abbott signed into law Senate Bill (SB) 768, which amended the Texas breach notification law in two significant ways. First, the amendment changed the timeline in which organizations must notify the Texas attorney general of a data breach from no later than 60 days after the breach is discovered to “as soon as practicable and not later than” 30 days after such discovery. Second, the amendment requires organizations to submit a data breach notification to the attorney general electronically using a form accessed through the attorney general’s website. These changes will go into effect on September 1, 2023.

As background, the Texas breach notification law requires certain organizations to disclose to affected individuals and the Texas attorney general a “breach of system security,” which is defined essentially as any unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information.

Importantly, however, the definition of “sensitive personal information” for purposes of the Texas data breach notification law is much narrower than the definition of “sensitive data” under the TDPSA. In particular, the term “sensitive personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted: (i) Social Security number, (ii) driver’s license or government-issued identification number, and (iii) account, credit, or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account. It also includes information that identifies an individual and relates to the individual’s physical or mental health or condition, the provision of health care to the individual, or payment for the provision of health care to the individual.

The TDPSA requires processors to assist controllers with compliance requirements related to information security and breach notification. Specifically, the TDPSA provides that processors must assist businesses “with regard to complying with the requirement relating to the security of processing personal data and to the notification of a breach of security of the processor’s system [under the Texas data breach notification law], taking into account the nature of processing and the information available to the processor.”

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.

This document may be considered attorney advertising in some jurisdictions.

© 2023 THOMPSON HINE LLP. ALL RIGHTS RESERVED.
