United States: Lone Star State joins expanding consumer privacy constellation - Texas Data Privacy and Security Act passes legislature

In brief

On May 29, 2023, Texas's H.B. 4, also known as the Texas Data Privacy and Security Act ("Act"), passed in the Texas legislature. The bill will now land on the desk of Governor Greg Abbott for signature. The Texas Data Privacy and Security Act joins the growing number of states that have passed or enacted legislation in 2023, including Iowa, Indiana, Tennessee and Montana, and more are expected in the coming months. Five states already have comprehensive privacy laws in place or set to become effective soon - California, Virginia, Colorado, Connecticut, and Utah. This profusion of new data privacy legislation has engendered an increasingly challenging compliance landscape, with businesses having to account for new requirements of each successive law. If enacted, businesses will have barely a year to prepare for the Texas Data Privacy and Security Act before it goes into effect on July 1, 2024.


Contents

In depth

Scope: The scope of the Texas Data Privacy and Security Act is drawn somewhat differently, and more broadly, than existing state privacy laws. Unlike those laws, which generally apply to businesses that exceed certain revenue or data processing thresholds, the Texas Data Privacy and Security Act applies to persons (under Texas's Code Construction Act, a "[p]erson includes corporation, organization, government or governmental subdivision or agency, business trust, estate, trust, partnership, association, and any other legal entity") that:

  • Conduct business in Texas or produce a product or service consumed by Texas residents
  • Process personal data of Texas residents
  • Are not a small business as defined by the US Small Business Administration (SBA)

This final criterion, depending as it does on the SBA definition of a small business, may produce disparate outcomes from existing privacy laws. For one, the Act has no data processing volume threshold. Additionally, while the SBA currently defines a small business as one having 500 or fewer employees, this definition may be subject to adjustment and there are myriad exceptions to the current SBA definition. For example, depending on the business's sector, the SBA may instead look to its revenue or utilize a different employee headcount limit in determining whether it is a small business. These factors introduce some degree of uncertainty regarding the extent and applicability of the Texas Data Privacy and Security Act, but it will likely apply to most Texas businesses. Organizations of all sizes should take note that, while the Act generally does not extend to small businesses, its prohibition against selling sensitive data without consent applies to all businesses that conduct business in Texas regardless of their SBA designation (see below).

The Texas Data Privacy and Security Act also features a familiar list of exceptions and exemptions. It does not apply to state agencies, GLBA- or HIPAA-governed entities, nonprofit organizations or institutions of higher education. The Texas Data Privacy and Security Act also contains a limited public utility exemption, which applies on to electric utilities, power generation companies, and a retail electric providers. Additionally, the Act only protects consumers acting in an individual or household capacity, and therefore is not applicable to employment or business-to-business (B2B) contexts.

Data Subject Rights: One of the cornerstones of the Texas Data Privacy and Security Act is the establishment of a set of rights that a consumer may exercise in respect of their data. These rights include a right to request that a controller:

  • Confirms that the data controller is processing their data and to access their personal data
  • Correct inaccuracies in their personal data
  • Delete their personal data
  • Obtain a copy of their data in a portable and readily usable format, such that it may be transmitted to another controller.

A data subject may also opt out of having their data processed for the purpose of targeted advertising, the sale of their data, or profiling that produces a legal or significant effect on the data subject.

Processing: Under the Texas Data Privacy and Security Act, data controllers are subject to certain conditions and restrictions regarding the processing of personal data. A controller may only collect data that is adequate, relevant, and reasonably necessary in relation to the disclosed purpose for which it is processed and may not process data for purposes that aren't reasonably necessary to or compatible with that purpose, except with the consumer's consent. Controllers are also prohibited from discriminating against data subjects who exercise their statutory rights (see above), such as by denying goods or services to such customers or by charging them higher prices. Sensitive data (defined as personal data revealing one's racial or ethnic, origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, genetic or biometric data, children's data, or precise geolocation data) may only be processed with the consumer's consent. Moreover, controllers must establish administrative, technical and physical measures for safeguarding data, commensurate with the volume and nature of the personal data. As noted above, a controller—even if it meets the SBA definition of a small business—may not sell sensitive data without the data subject's prior consent (under the Act sale includes an exchange for nonmonetary consideration). Interestingly, the Act prohibits a controller from using "dark patterns" (which is defined as "a user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice") to obtain consent for processing.

Privacy Notice: As with many other privacy laws, the Texas Data Privacy and Security Act requires controllers to display an accessible and clear privacy notice outlining how it uses personal data. In particular this notice should address:

  • The categories of personal data being processed, including whether sensitive data is processed
  • The purposes of the processing
  • How consumers may exercise their rights
  • The categories of data that is shared with third parties, as well as the categories of third parties with whom data is shared

Moreover, the Act prescribes specific wording must be used in the notice if a controller sells sensitive data or biometric data, respectively:

  • "NOTICE: This website may sell your sensitive personal data."
  • "NOTICE: This website may sell your biometric personal data."

Given that biometric data is a subset of sensitive data as defined by the Act, it is unclear if controllers selling biometric data (and no other forms of sensitive data) would be required to post both notices or whether the latter notice alone would suffice.

A controller must also disclose the process by which a data subject can opt out of the sale of their data for targeted advertising, if the controller sells personal data for that purpose.

Processor Obligations: Processors, entities that process personal data on the behalf of a controller, are also subject to certain requirements. Specifically, they must assist controllers in responding to data subject requests, reporting data breaches, and must provide information necessary to conduct a data protection assessment (see below). Controller-processor contracts must also include terms requiring that personal data is subject to a duty of confidentiality, that data be deleted or returned at the completion of the service, and that the processor makes all information available to the controller to comply with the Act or to perform a reasonable assessment. If a processor engages a subcontractor, it must ensure that the subcontractor meets the same requirements as the processor with respect to the data.

Data Protection Assessments: Before undertaking certain types of processing associated with higher risks of harm — including processing for targeted advertising, the sale of personal data, processing for the purpose of profiling that presents a risk of unfair or deceptive treatment, financial, physical or reputational injury, or physical or other intrusion, and the processing of sensitive data — a controller must complete a data protection assessment.

The data protection assessment should weigh the benefits of the contemplated processing to the consumer, controller and other stakeholders against the risks posed to the consumer. The assessment should account for the possibility of using de-identified data, reasonable consumer expectations, the context of the processing, and the relationship between the controller and the processor. A single assessment may be used to fulfill the obligations with respect to different laws or processing, as long as requirements and activities respectively are comparable. Although the assessment does not need to be submitted upon completion, it must be retained by the controller and may need to be produced in response to a civil investigative demand by the Attorney General.

Enforcement and Penalties: There is no private right of action under the Texas Data Privacy and Security Act, and there is an established cure period. The Texas Attorney General is the sole enforcement and investigative authority for the Texas Data Privacy and Security Act. The Attorney General will establish an online mechanism for consumers to submit complaints. Before bringing an action alleging a violation of the Act, the Attorney General must first notify the alleged offender and provide 30 days to cure the alleged violation. After the expiration of the cure period, the Attorney General may bring an action seeking up to USD 7,500 for each violation, as well as injunctive relief and attorney's fees and other expenses. To benefit from the cure period, the person must not only cure the alleged violation but e.g. also notify the consumer that the consumer's privacy violation was addressed.

Key takeaways

Although its substantive provisions largely track prevailing trends in recent data privacy legislation, the Texas Data Privacy and Security Act's novel applicability provisions may mean that some organizations maybe be subject to the Act even if they are not caught by existing privacy laws. As a first step, businesses should work with counsel to determine which of the emerging privacy laws apply to them and to design a compliance program based on applicable requirements.


Copyright © 2024 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.