2023 has brought several states into the privacy limelight. As of Sunday, June 18, and with the signature of Texas governor Greg Abbott, the Texas Data Privacy and Security Act (“TDPSA”) was enacted, making the Lone Star state the tenth in the U.S. to pass a comprehensive data privacy and security law. The Act provides Texas consumers the ability to submit requests to exercise privacy rights, and extends to parents the ability to exercise rights on behalf of their minor children.
The Texas Act provides the usual complement of data subject rights relating to access, corrections, data portability, and to opt out of data being processed for purposes of targeted advertising, the sale of personal information, and profiling where a consumer may be significantly or legally affected. It also requires that covered businesses provide a privacy notice and other disclosures relevant to how they use consumer data.
Among the ten state-level comprehensive privacy bills, the TDPSA is the first to remove processing and profit thresholds from the applicability standard. Instead of using these thresholds to determine whether an entity is covered, the TDPSA applies to persons that: (1) Conduct business in Texas or produce products or services consumed by Texas residents; (2) Process or engage in the sale of personal data; and (3) Are not small businesses as defined by the United States Small Business Administration.[i]
Definitions and Obligations of Controllers and Processors
The TDPSA’s definition of “sale of personal data” aligns closely with that of the California Consumer Privacy Act (“CCPA”). It refers to “the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.” The Act defines “process” as “an operation or set of operations performed,” whether manually or automatically, on Texas consumers’ personal data or sets of data. This includes the “collection, use, storage, disclosure, analysis, deletion, or modification of personal data.” Unlike the CCPA, the law exempts data processed for business-to-business and employment purposes.
Covered businesses who are data controllers must provide consumers with “a reasonably accessible and clear” privacy notice. These notices include the categories of personal data processed by the controller, the purpose of processing personal data, the categories of data shared with third parties, and methods by which consumers can exercise their rights under the law. If a controller’s use of sensitive personal data or biometric data constitutes a sale, one or both of the following must be included:
- “NOTICE: This website may sell your sensitive personal data.”
- “NOTICE: This website may sell your biometric personal data.”
Processors, which are akin to “service providers” under the CCPA, are those people or businesses that process personal data on behalf of the controller. Processors have a number of obligations under the TDPSA, including assisting controllers in responding to consumer rights requests and data security compliance. All processors will need to have a written data protection agreement (“DPA”) in place with a controller, which will include:
- clear instructions for processing data;
- the nature and purpose of processing;
- the type of data subject to processing;
- the duration of processing;
- the rights and obligations of both parties; and
- a number of requirements that the processor shall follow under the agreement.
Processors will be required to ensure confidentiality of data, and at the controller’s direction, a processor must delete or return all of the information at the conclusion of the service agreement. However, this deletion requirement excludes data that must be retained pursuant to the processor’s records retention obligations.
Processors must also certify that they will make available to the controller all information necessary to demonstrate the processor’s compliance with the requirements of this chapter, and that they will comply with a controller’s assessment of their security practices. Lastly, should a processor engage any subcontractor, they will need another written contract that meets all of the written requirements set forth by the controller’s DPA.
Yet another state law DPA requirement brings into question whether businesses, particularly those on the national and multi-national level, are going to need separate addenda to service agreements that recite a la carte provisions that include separate definitions and commitments to comply with each state-level privacy law, as well as international data privacy laws such as the EU’s GDPR. Based on the new and upcoming privacy laws in the U.S., businesses can probably still operate using some form of uniform DPA that accounts for each of the different requirements. However, we may soon reach a point where the pages of all the appendices and addenda to comply with separate state requirements are greater than the typical service agreement contract.
Data Protection Assessment Requirement
The TDPSA mandates that controllers conduct and document data protection assessments. These assessments, which mirror those required by the Connecticut Data Privacy Act, require businesses to identify the purposes for which they are collecting and processing data, as well as the associated risks and benefits of that processing. Businesses will need to assess these benefits and risks for the following categories of processing activities involving personal data:
- Processing of personal data for targeted advertising;
- The sale of personal data;
- Processing for purposes of profiling if there is a reasonably foreseeable risk of unfair or deceptive treatment, injury to consumers (including financial and reputational risk), or physical intrusion to an individual’s solitude or seclusion;
- Processing of sensitive data; and
- Any processing activities that generally may pose a heightened risk of harm to consumers.
The TDPSA expressly states that it does not provide a private right of action. The Texas Attorney General holds exclusive power to field consumer complaints, investigate, issue written warnings, and ultimately enforce violations of the law. The AG may seek both injunctive relief and civil penalties of up to $7,500 in damages for each statutory violation.
The Texas AG also has the authority to investigate controllers when it has reasonable cause to believe that a business has engaged in, is engaging in, or, interestingly – is about to engage in – a violation of the TDPSA. While the Senate version suggested revising this authority to remove pre-violation (thought crime?) investigations, the language withstood its scrutiny and remained in the signed act. This was one of many suggested changes by the Senate prior to the bill’s passing.
Back and Forth Between Texas Legislative Houses
As the TDPSA was drafted, a few notable revisions were made between the House and the Senate versions of the bill. However, most of the Senate’s proposed additions were not ultimately accepted. To start, the Senate added language that expressly excluded from its definition of biometric data “a physical or digital photograph or data generated from” photographs. Further, under the definition of “Sensitive data”, the Senate removed the House’s language that included sexual orientation data. Notably, the sexual orientation language has since been re-added to the finalized version of the law.
The House and Senate also went back and forth on some of the other definitions in the Act, including which entities are exempt. Under the “state agency” definition, the Senate broadened the language to include any branch of state government, rather than any branch that falls into the executive branch of government – which was one of the House versions. However, the Senate language made it into the finalized version.
For the most part, the two legislative groups were in agreement as to which entities were exempt from the TDPSA. These include exemptions for institutions and data subject to Title V of the Gramm-Leach-Bliley Act,[ii] the HIPAA[iii] and HITECH[iv], non-profits and higher education institutions. The Senate sought to add electric utilities and power companies to this list, but the finalized version kept them off the exempt list.
The Senate’s revisions also proposed language allowing consumers to authorize a designated agent to submit rights requests (similar to what we see in the CCPA), but that language was not signed into law. The TDPSA does not let anyone act on another person’s behalf to exercise their privacy rights, other than parents acting on behalf of their minor children.
Section 541.055(e), which provides consumers the ability to have a third party authorized agent submit opt-out requests on their behalf, goes into effect January 1, 2025. Other than that rather narrow delayed measure, the rest of the TDPSA is set to go into effect on July 1, 2024. It will be one of the broadest reaching in the U.S., particularly because of its unique applicability standard. Its mandatory data protection assessments and requirement for written contracts with all processors make the law slightly less business friendly than the rest of the state privacy laws out there. But California is still in a league of its own on that score.
[i] The SBA defines small business generally as a privately-owned enterprise with 500 or fewer employees. Depending on the industry, however, the maximum number of employees may fluctuate and in some cases may not be factored in. Some businesses are defined as “small” according to their average annual revenue.
[ii] 15 U.S.C. Section 6801 et seq.
[iii] 42 U.S.C. Section 1320d et seq.
[iv] Division A, Title XIII, and Division B, Title IV, Pub. L. No. 111-5