Signed: Texas Added to the List of States Enacting a Comprehensive Privacy Law

On June 18, 2023, Governor Greg Abbott signed the Texas Data Privacy and Security Act (“TDPSA”) into law. The new law takes effect July 1, 2024 with limited provisions (mostly surrounding the use of authorized agents) not taking effect until January 1, 2025. 

The TDPSA closely follows the Virginia Consumer Data Protection Act in terms of the scope of consumer rights and business obligations, with data processing and protection principles clearly influenced by the EU’s and UK’s GDPR. There is also no private right of action, and the authority to enforce the statute remains with the Texas attorney general. However, the scope of the TDPSA’s applicability is unique compared to existing state privacy laws, foregoing common limits such as minimum thresholds for a company’s revenue and numbers of affected consumers in favor of much broader coverage. In addition, the compliance obligations with respect to data protection assessments and specific remedies in the event of an enforcement action make this law one for businesses to watch and start considering compliance measures well before next year. 

Scope and Exemptions

Under the TDPSA, personal data is defined as any information that is “linked or reasonably linkable to an identified or identifiable individual” and includes pseudonymous data when used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. But important exclusions exist for de-identified data or publicly available information. The scope of “publicly available information” goes beyond information made available through government records and also includes information a business “has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by a consumer, or by a person to whom the consumer has disclosed the information unless the consumer has restricted the information to a specific audience.” This new component of the definition of “publicly available information” is likely to directly impact businesses who gain information from social media profiles and other publicly available Internet sources. In addition, the TDPSA has explicit carveouts for certain employee and business contact data (i.e., data processed or maintained in the course of an individual applying to, being employed by, or acting as an agent or independent contractor to the extent the data is collected and used within the context of that role) unlike the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).

The TDPSA applies to any business that (a) conducts business in the state or produces a product or service consumed by residents of the state; (b) processes or engages in the sale of personal data; and (c) is not a small business as defined by the US. Small Business Administration (i.e., the company is not an independent business having fewer than 500 employees). The statute also exempts Texas agencies or political subdivisions, financial institutions or data subject to the GLBA, covered entities or business associates under HIPAA, nonprofits, institutions of higher education, (likely accounting for Texas’ unique connections to the energy industry) electric utilities, power generation companies, and retail electric providers. Unlike other US state privacy laws, the TDPSA’s applicability criteria does not include minimum company revenue thresholds or numbers of consumers whose data is processed by the business, highlighting the need for businesses of all sizes to evaluate compliance obligations under this statute. Furthermore, the statute applies to both controllers and processors, but certain provisions are limited to one or the other.

Data Controller Duties

Controllers, defined as an individual or other person that (alone or jointly with others) determines the purpose and means of processing personal data, must (a) limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed as disclosed to the consumer and (b) establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue. A controller must conduct data protection assessments for (1) processing personal data for targeted advertising, (2) the sale of personal data, (3) processing sensitive data, (4) processing activities involving personal data that present a heightened risk of harm to consumers, and (5) processing personal data for profiling if the profiling presents a reasonably foreseeable risk of (A) unfair or deceptive treatment of or unlawful disparate impact on consumers, (B) financial, physical, or reputational injury to consumers, (C) physical or other intrusion on the solitude or seclusion on the private affairs or concerns of consumers (if offensive to a reasonable person), or (D) other substantial injury to consumers. While the statute does not give substantial detail on the required content or form of such assessment, it requires the assessment identify and weigh the direct or indirect benefits from the processing against potential risks to the consumer and consider the use of de-identified data, reasonable expectations of consumers, the context of the processing, and the relationship between the controller and consumer.

Under the TDPSA, a controller must provide consumers with a reasonably accessible and clear privacy notice that includes the following:

• The categories of personal data (including sensitive data) processed by the controller;
• The purpose for processing personal data;
• How consumers may exercise their consumer rights (including a description of the methods for submitting requests);
• The categories of personal data that the controller shares with third parties, if any; and
• The categories of third parties, if any, with whom the controller shares personal data.

If a controller engages in the sale of sensitive data or biometric data (i.e., data generated by automatic measurements of biological characteristics), the controller must include a separate notice (i.e., “NOTICE: We may sell your sensitive/biometric personal data”) in the same location and same manner as the general privacy notice. Sensitive data is defined to include: (a) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, citizenship or immigration status; (b) genetic or biometric data processed for the purpose of uniquely identifying an individual; (c) personal data collected from a known child; or (d) precise geolocation data.

If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must also clearly and conspicuously disclose such process and the manner by which a consumer may opt-out.

In addition, controllers may not process personal data in violation of other state and federal laws that prohibit unlawful discrimination against a consumer. Further, controllers may not process sensitive data without consent or discriminate against consumers for exercising any of the consumer rights granted below.

Consumer Rights

Under the TDPSA, consumers have the following rights, which controllers must honor when responding to requests to exercise such rights:

• The right to confirm whether a controller is processing the consumer’s personal data and to access such personal data;
• The right to correct inaccuracies in the consumer’s personal data (taking into account the nature of the personal data and purposes of processing);
• The right to delete personal data provided by or obtained about the consumer;
• The right to obtain a copy of the consumer’s personal data in a portable and readily usable format; and
• The right to opt-out of the processing of personal data for the purposes of (1) targeted advertising, (2) the sale of personal data, or (3) profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

While these rights are common across US privacy laws, the opt-out right reflects current concerns surrounding potentially discriminatory uses of AI and machine learning and extends to automated processing (i.e., profiling) that results in the provision or denial of financial and lending services, housing, insurance or healthcare services, education enrollment, employment opportunities, criminal justice, or access to basic necessities.

The sale of personal data is defined as “the sharing, disclosing or transferring of personal data for monetary or other valuable consideration,” which follows the broad definition under California law. The sale of personal data does not include disclosures of personal data:

• To a processor that processes the personal data on behalf of the controller;
• To a third party for purposes of providing a product or service requested by the consumer;
• To an affiliate of the controller;
• That the consumer intentionally made available to the general public through a mass media channel and did not restrict to a specific audience; and
• To a third party as an asset that is part of a merger or acquisition.

If the controller maintains an Internet website, it must provide a mechanism on that website to submit requests and may only provide an email address for such requests if the controller is operating exclusively online and has a direct relationship with the consumer. The controller must respond to the request within 45 days but may extend such period when reasonably necessary as long as the consumer is informed of the extension with an explanation. The controller must also respond to an appeal for refusal to act on a request within 60 days of receipt and, if denied, must provide the consumer with an online mechanism by which the consumer may contact the attorney general to submit a complaint.

Enforcement and Penalties

Similar to other state privacy laws, the TDPSA does not provide for a private right of action, and the Texas attorney general has exclusive authority to enforce the statute. However, the TDPSA stands out from other US state privacy laws in terms of its enforcement procedures and remedies for violations. While the statute provides for a cure period (i.e., 30 days) that resembles that of the CCPA prior to the CPRA amendments, the business accused of non-compliance must also provide a written statement that (a) the violation has been cured, (b) the consumer has been notified that the privacy violation was addressed (if the consumer’s contact information has been made available to the business), (c) the business provided supportive documentation to show how the violation was cured, and (d) the business made changes to internal policies (if necessary) to ensure no such further violations will occur. Furthermore, fines can amount up to $7,500 per violation with no leniency for non-intentional violations.

Conclusion

The breadth of the TDPSA is a strong indicator that the momentum to adopt state privacy laws will not be slowing down any time soon. Although enforcement will not begin until next year, given the scope of applicability and obligations for businesses subject to the TDPSA, businesses with operations in or other connections to Texas should start evaluating necessary measures to fill gaps in compliance well in advance.

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Randall W. Edwards, an O’Melveny partner licensed to practice law in California, Sid Mody, an O’Melveny partner licensed to practice law in Texas, Scott W. Pink, an O’Melveny special counsel licensed to practice law in California and Illinois, Emily Losi, an O'Melveny associate licensed to practice law in New York, and Kayla Tanaka, an O'Melveny associate licensed to practice law in California, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2023 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.