On June 18, Texas Governor Greg Abbott signed into law the Texas Data Privacy and Security Act (TDPSA). Substantive portions of the TDPSA, otherwise known as H.B. 4, are set to take effect on July 1, 2024, making Texas the 10th state to implement comprehensive privacy legislation. This article highlights the key aspects of the TDPSA.
The purpose of the TDPSA is to “maximize both the utility of the rights provided to consumers and interoperability with other states to minimize compliance costs for businesses.” The Texas Attorney General is granted sole enforcement and investigative authority over consumer privacy data regulation under the TDPSA. Under the TDPSA, the Texas Attorney General will be required to: (1) make information available to consumers detailing their rights and controller and processor responsibilities; and (2) establish an online portal by July 1, 2024, for consumers to submit complaints.
What Makes the TDPSA Unique?
The TDPSA resembles the Virginia Consumer Data Protection Act (VCDPA) and has elements of the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). However, as with many things in Texas, the TDPSA is distinct in a number of ways from sister state privacy laws.
1. Applicability and Scope
The scope of the TDPSA is broad. The TDPSA applies to entities that (1) conduct business in Texas; (2) process or engage in the “sale” of personal data; and (3) do not qualify as a small business under the U.S. Small Business Administration’s definition. On the other hand, the VCDPA and CCPA are narrower in scope and apply only to businesses that meet the minimum consumer data processing and gross revenue thresholds set out in those specific laws.
2. Definitions and Provisions
The TDPSA includes an expansive list of definitions of terms that are common to privacy legislation, including:
- “Personal data” – In contrast to the VCDPA and CCPA, the TDPSA’s definition of “personal data” also includes pseudonymous data when the data is applied “in conjunction with additional information that reasonably links the data to an identified or identifiable individual.”
- “Sale” – The TDPSA broadly defines a “sale” of personal data to mean “the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration.” The VCDPA, however, refers only to the “exchange” of personal data. Also, the VCDPA does not provide for the sale of personal data in exchange for non-monetary consideration. The CCPA’s definition is broader than the TDPSA’s and accounts for the sale of personal data for non-monetary consideration. In addition, the CCPA includes the concept of “sharing” personal data to encompass sharing with a “third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.”
- “Consent” – The TDPSA defines “consent” as a consumer’s clear affirmative act of agreement to process personal data relating to the consumer. The TDPSA further provides a list of what is not considered consent, including (1) the mere acceptance of a general or broad term of use; (2) hovering over, muting, pausing, or closing content; or (3) agreement procured by means of dark patterns.
The TDPSA prohibits the use of “dark patterns.” The purpose of this provision is to encourage businesses to refrain from using “a user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy.” The TDPSA also prohibits businesses from engaging in practices that the Federal Trade Commission (FTC) considers a dark pattern.
Finally, the TDPSA provides a definition for “sensitive data,” which includes data identifying a consumer’s:
- race or ethnicity, religious beliefs, mental or physical health diagnosis, sexuality, citizenship or immigration status;
- genetic or biometric composition; or
- precise geolocation.
A controller is not allowed to process sensitive data without a consumer’s consent. The CCPA’s list of sensitive data is broader, including information such as a consumer’s Social Security, driver’s license, state ID or passport number, and financial account log-in password.
Controller Response to Consumer Requests
Upon receiving a consumer rights request, a controller is required to respond to the request within 45 days of receipt. If reasonably necessary, the controller may extend the response window an additional 45 days, depending on the complexity and number of consumer requests submitted. If the controller requires the additional 45-day period, then the controller has to inform the consumer of the extension within the initial 45-day period and provide an explanation for the extension.
A controller is also required to establish a consumer appeals process to allow consumers to appeal the controller’s failure to respond to a request within a reasonable time. If the appeal is denied, then the controller must inform the consumer of how to contact the Texas Attorney General to file a complaint.
Will the TDPSA Apply to My Business?
While the new law will apply to many entities conducting business in Texas, the TDPSA does provide exemptions for (1) certain types of entities, such as state agencies, nonprofit or tax-exempt organizations, institutions of higher education, financial institutions subject to Title V of the Gramm-Leach-Bliley Act (GLBA), entities already subject to the Health Insurance Portability and Accountability Act (HIPAA), and other types of entities; and (2) certain types of data, such as protected health information under HIPAA, consumer credit information, information collected for public health activities, employment-related information and other types of data. Such exemptions are nuanced and based on the entities or data already being governed by other laws, so one should review the exemptions carefully to determine applicability to a particular business.
How Does the TDPSA Impact Your Business?
Entities conducting business in Texas should plan now for the law, including by (1) organizing the various categories of data collected by the business; (2) scrutinizing the business’s consumer consent requirements for the collection of personal consumer data to ensure compliance with the TDPSA; (3) considering potential revisions to internal and external policies and procedures, including but not limited to privacy policies and vendor agreements; (4) examining what updates may be required to existing technology and business processes to ensure compliance with the TDPSA; and (5) preparing for additional compliance budgets the business may incur as a result of the TDPSA’s enactment.