Kayla Tran is a co-author of this post and is a Summer Associate at Bradley.
In recent years, the Lone Star State has been vigilant in enacting cybersecurity and data privacy laws to protect individuals and businesses from the disastrous effects of a data breach. Here is a timeline of previous cybersecurity and data privacy legislation enacted by the Texas Legislature:
- 2007: Identity Theft Enforcement and Protection Act – requires businesses to “implement and maintain reasonable procedures” to protect consumers from the unlawful use of personal information.
- 2009: Biometric Privacy Act – requires businesses to obtain consent from consumers before capturing any biometric identifiers.
- 2012: Medical Records Privacy Act – protects patients from the disclosure of their information without consent.
- 2017: Student Data Privacy Act – further protects students by restricting school websites from “engaging in targeted advertising based on personally identifiable student information.”
- 2017: Texas Cybercrime Act – assesses criminal penalties for the intentional interruption or suspension of another person’s access to a computer system or network without consent.
- 2017: Texas Cybersecurity Act – sets forth “specific measures to protect sensitive and confidential data [to] maintain cyberattack readiness.”
- 2019: Texas Privacy Protection Act (HB 4390) – amends existing data breach notification obligations and creates an advisory council to study and evaluate privacy laws in the state.
Now, the Texas Data Privacy and Security Act has just made Texas one of almost a dozen states to pass comprehensive privacy legislation. On May 28, 2023, the act passed in the Texas State House and Senate. On June 18, 2023, Gov. Greg Abbott signed the law into effect. The act is set to take effect on July 1, 2024.
The purpose of the act is to protect the personal data of “consumers who [are] residents of the state of Texas acting in an individual or household context.” The act will provide consumers with stronger individual rights to (1) confirm whether a controller is processing their personal data; (2) correct any discrepancies in their personal data; (3) delete personal data provided or obtained; (4) receive a copy of the personal data they previously provided, in a portable and readily usable format, so long as it is available digitally and technically feasible; (5) opt out of the processing of their personal data for targeted advertising; and (6) appeal a controller’s refusal to respond to such requests.
Personal data in the act includes any information, including sensitive data, that is linked or can be reasonably linked to an identified or identifiable person. Personal data includes pseudonymous data when the data “is used by a controller in conjunction with additional information that reasonably links the data to an identified or identifiable individual.” Personal data specifically does not include “deidentified data or publicly available information.”
Who does the act apply to?
The act has a broad scope of application as it applies to organizations that (1) conduct business in Texas or produce products or services that are consumed by the residents of Texas; (2) process or engage in the sale of personal data; and (3) are not defined by the United States Small Business Administration (SBA) as a small business. However, if an organization meets the first two requirements, but is defined as a small business, it must still comply with a section of the act that requires small businesses to first obtain consumer consent for the sale of sensitive personal data.
The act will not apply to individuals acting in a commercial or employment context, as it only protects consumers acting in an individual or household capacity. As a result, it is not triggered in the business-to-business or employment context. The bill also includes a list of exceptions and exemptions, including state agencies, higher education institutions, nonprofit organizations, and entities governed by the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act.
One problem with the act is its use of the SBA’s definition of a small business. The SBA uses a variety of definitions of a small business, and these definitions change depending on the specific industry a company is in. Therefore, the act leaves uncertain which businesses are actually covered. Additionally, the act applies to businesses that provide services that are “consumed by” rather than “targeted at” Texas residents, so many organizations will be surprised to learn that the act may apply to them.
It is important to note that the act does not create a private right of action for individuals. The act is enforced and governed solely by the Texas attorney general. The act includes an initial 30-day cure period to remedy alleged violations, but after the 30 days with no remedy, a civil fine of up to $7,500 can be prescribed for each violation. On top of that, the cure period does not sunset, and the attorney general’s office is entitled to recover reasonable attorneys’ fees and other reasonable expenses resulting from the investigation and from bringing such enforcement action under the act.
So, what does all of this mean for businesses operating in Texas?
With almost every new law comes new obligations. Here are a few things that businesses (controllers) should pay close attention to:
- Sensitive data or personal data obtained by a controller for a purpose that is not reasonably necessary or compatible with the disclosed purpose can only be processed with a consumer’s consent. This consent must be a clear affirmative act, signaling that the consumer is freely giving specific, informed, and unambiguous consent to process their personal data. It is undetermined whether consent by a consumer can be withdrawn.
- In certain scenarios, a business must include a “reasonably accessible and clear” privacy notice to its consumers. This notice must include “(1) the categories of personal data processed by the controller; (2) the purpose for processing personal data; (3) how consumers may exercise their consumer rights, including the appeal process; (4) the categories of personal data shared with third parties; (5) the categories of third parties with whom the data is shared; and (6) a description of the methods through which consumers can submit requests to exercise their consumer rights.” Additionally, if any of the shared personal data is sensitive, the following notice must be included: “We may sell your sensitive personal data.”
- Businesses must conduct and document a data protection assessment for data with a higher risk of harm. This assessment must weigh the potential risks to consumer rights against any direct/indirect benefit, mitigated by safeguards, and must consider the use of deidentified data, processing context, and most importantly, reasonable consumer expectation.
- If a business is able to show that the data needed to identify pseudonymous personal data of a consumer is kept separately and subject to technical and organizational controls that prevent the business from accessing the information, then that business has no obligation to the consumer regarding such pseudonymous data.
- A business can choose to authenticate a consumer’s requests to exercise their rights under the act. If the business cannot authenticate a consumer’s request, then the business is not required to comply with the consumer’s request.
While Texas is just one of many states that have now enacted a bill to further protect consumers’ personal data, it is clear that things are changing, and state legislative bodies are recognizing the importance of consumer privacy. With this in mind, Texas businesses need to ensure that they are in compliance with this bill. We’re just here to spread the message: Failure to comply with this bill can result in civil penalties assessed by the attorney general of Texas.
For more information and other updates and alerts regarding privacy law developments, subscribe to Bradley’s privacy blog, Online and On Point.