On June 18, 2023, Texas Governor Greg Abbott signed the Texas Data Privacy and Security Act (HB 4) (“TDPSA”) into law, making Texas the latest contributor to the growing patchwork of comprehensive U.S. state privacy laws. TDPSA takes effect July 1, 2024, except for the provisions that let consumers designate authorized agents to exercise, on the consumers’ behalf, the rights to opt out of data sales and targeted advertising; those provisions take effect on January 1, 2025.
TDPSA appears to be based on Virginia’s Consumer Data Protection Act. However, TDPSA’s scope is relatively broad and unique compared to Virginia’s and other states’ comprehensive privacy laws. TDPSA applies to entities that:
- Conduct business in Texas or produce a product or service consumed by Texas residents;
- Process or engage in the sale of personal data; and
- Are not a “small business” as defined by the US Small Business Administration (“SBA”).
TDPSA differs from other state comprehensive privacy laws in that the law applies, in part, to businesses that produce a product or service “consumed” by Texas residents even if the businesses do not produce a product or service “targeted to” Texas residents. TDPSA also differs from other state comprehensive privacy laws in that its applicability does not include a revenue threshold or number of consumers impacted (i.e., whose personal data is processed, controlled, or sold). Instead, TDPSA exempts “small businesses” as defined by the SBA. Generally, a small business under the SBA is one with fewer than 500 employees; however, the SBA also has industry-specific definitions to consider. TDPSA could exempt fewer businesses than other state laws do because of the employee count threshold and industry-specific requirements.
Similar to other state comprehensive privacy laws, TDPSA requires data “controllers” to give consumers the right to opt out of the processing of personal data for profiling “in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.” Texas is among several states that limit the right to opt out of such profiling to “solely automated processing” of personal data. The other states are Connecticut, Indiana, Tennessee, Delaware and Montana.
As with most state comprehensive privacy laws, TDPSA does not include a private right of action. California remains the only state that provides consumers a private right of action, which is limited to certain security incidents. Under TDPSA, the Texas Attorney General has the exclusive right to enforce the law. Before filing an enforcement action, however, the Attorney General must provide notice of the alleged violation to the entity and allow for a 30-day cure period. Enforcement penalties include $7,500 per violation and injunctive relief. The TDPSA does not authorize the Attorney General to issue regulations.