Texas has now become the 11th state, following Florida, to have a “comprehensive” privacy law. HB 4 was signed by the governor on June 18, 2023. This caps off a busy spring for state lawmakers not only in Texas, but Florida, Iowa, Indiana, Tennessee, and Montana. The law goes into effect on July 1, 2024 (the ability for agents to submit rights requests is not effective until January 1, 2025 however). For a round-up of state laws’ effective dates, visit here.
Like other states, there is no private right of action. The Texas AG is required under the law to maintain an online portal where consumers can lodge complaints. Companies will have 30 days to cure potential violations (provided they meet certain requirements, like providing supporting documentation showing the violation was cured). The law provides for civil penalties of up to $7,500 per violation.
Key provisions include:
-
Applicability. The law will apply to those who do business in Texas (or sell products/services to Texans). Like others, it covers consumer information but exempts health care providers, financial institutions, and several others. There are no thresholds under the law, but “small businesses” have fewer obligations. Namely, they may not sell sensitive personal information without first getting consent. Sensitive information includes not only racial or ethnic information, mental diagnosis and biometric information, but also children’s information and precise geolocation information.
-
Data minimization. Like Colorado, Connecticut, and Montana, businesses will need to limit their collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes it was collected.
-
Consumer rights. Texans will have the right to access, correct, and delete information, rights that exist under other state laws. The law also gives a right of data portability. Like California, consumers in Texas must have two or more methods for submitting rights requests. Also like most other states, companies will need to respond to these requests within 45 days, with an additional 45 day extension available.
-
Targeted advertising, selling and profiling. Like other states, consumers will need to be able to opt-out of targeted advertising, sale of personal data, and profiling. Also, if a company is going to engage in profiling, sale of personal data, or targeted advertising in a way that could create risks to consumer rights a data protection assessment must be conducted. “Sale” is defined similarly to California, Connecticut, Colorado, Florida, Montana: it includes both monetary consideration and “other valuable consideration.”
-
Privacy notice content. Privacy notices will not likely need to change much. The law will require that they outline the categories of data being processed, the purpose, categories of data being sold or shared, and provide consumers with information about exercising their consumer rights. Like California, Texas will also requires a clear, conspicuous statement if the company sells sensitive or biometric data. The language to use is proscribed, namely: “we may sell your sensitive personal data” or “we may sell your biometric personal data.”
-
Sensitive data. Before processing sensitive data, companies must obtain consumer consent (as in Colorado, Connecticut, Montana, and Virginia).
Putting it Into Practice: This latest US state law is (another!) reminder for companies to review their information collection and use practices, as well as their third party contracts. Having a scalable privacy program will make dealing with these laws easier, as they continue to go into effect over the coming months and years.
Kathryn Smith contributed to this article. She is a Fellow in the SheppardMullin Chicago office.