Hello TCPAWorld, another week another state consumer data privacy law or two! That’s right two more states join the masses of states rolling out consumer data privacy regulations. It is a club now, right?
I brought you word of Oregon’s bill growing momentum back at the end of June, the bill passed and was signed into law by the governor last week on July 18th. The new law will go into effect on July 1, 2024.
Check out the Oregon blog for all the need-to-know information.
On to the Lone Star state, Texas also signed into law its own Consumer data privacy law last month with an effective date of July 1, 2024. Lots to look forward to next summer.
Let’s wrangle up the new Texas data privacy law with all the need to know, also know as Texas Data Privacy and Security Act.
Whom will this affect, in Texas the new law is broader than some of the other states that have been passing similar laws. It applies to a person who conducts business in TX or produces a product or service consumed by a resident of TX; process or engages in the sale of personal data; and is not a small business as defined by the US small business administration, except for the requirements outlined in sec 541.107 for small businesses. Be sure to read through HB4 to see if you may be exempt.
Consumers have the following rights:
- Right to know and access
- Right to correct
- Right to delete
- Right to data portability
- Opt-out of
- Targeted Advertisements
- Sale of personal data
- Decision profiling
Businesses will have 45 days to respond to consumer requests and may take up to an additional 45 days if reasonably necessary for complex requests. Businesses who observe the extension must notify the customer within the initial 45 days and provide the reason for the extension.
If a business declines to process a consumer request, it must notify the consumer of the denial without undue delay and within 45 days. The notification must provide the reason for the denial and instructions on how to appeal the decision.
Consumers’ requests for information must be provided free of charge at least twice annually. Businesses may charge a reasonable fee for additional excessive requests or can decline to act on the request. However, the burden will be placed on the business to prove the request are unfounded or excessive.
Businesses must establish an appeal process for consumers whose requests are not handled within a reasonable period. The appeal process must be conspicuously available and similar to the process of exercising a request. Businesses must notify the consumer in writing within 60 days of any action taken or not taken with a written explanation. If an appeal is denied a business shall provide a consumer with an online option to contact the stats AG to submit a complaint.
Business is required to establish two or more secure methods for consumers to submit a request and need to take into account ways in which a consumer would typically interact with the business, a secure manner to make a request, the ability for the business to authenticate the identity of the consumer making the request. Cannot force the consumer to create an account to exercise rights but can require them to use an existing account.
Businesses must comply with the following:
- Limit the collection of personal data to what is reasonably necessary for the purpose and disclose it to the consumer.
- Establish security measures that are appropriate to the volume and nature of the personal data collected.
A business cannot:
- Process data for any other reason other than what has been disclosed to the consumer unless consumer consent is obtained.
- Process data in a discriminatory manner which would violate state and federal laws.
- Discriminate again a consumer for exercising consumer rights, including denying, charging different prices, or providing different levels of quality for goods and services.
- Process sensitive data without consumer consent.
Privacy notice shall include:
- Categories of personal data processed, including, any sensitive data processed
- Purpose for processing personal data
- How consumers may exercise their consumer rights under Subchapter B, including the process by which a consumer may appeal a controller’s decision
- Categories of personal data shared with third parties
- Categories of third parties with whom personal data is shared
- Description of methods by which a consumer can submit a request to exercise their rights
If a business engages in the sale of personal data that is sensitive or biometric data it must include the following notices in the same location and manner as their privacy notice.
“NOTICE: We may sell your sensitive personal data.” and “NOTICE: We may sell your biometric personal data.”
Businesses must conduct and document data protection assessments for the following involving personal data. This list is high-level, be sure to review the requirements in its entirety or seek consultation.
- Processing personal data for the purpose of targeted advertising
- Sale of personal data
- Processing personal data for the purpose of profiling, if profiling creates foreseeable risks.
- Unfair or deceptive treatment of or unlawful disparate impact
- Financial, physical, or reputational injury
- Physical or other intrusion on the solitude or seclusion, or the private affairs or concerns, of consumers, if the intrusion would be offensive to a reasonable person; or
- Other substantial injury to consumers
- Processing of sensitive data; and
- Processing personal data that presents a heightened risk of harm
The state’s Attorney General will exclusively enforce and investigate violations. AG to provide businesses with written notice of specific sections they believe the business to be in violation of and provide 30 days to cure. Each violation is liable for up to $7,500 civil penalty. However, there is no private right of action provided.