On May 29, H.B. 4, also known as the Texas Data Privacy and Security Act, passed in the Texas legislature. The bill will now land on the desk of Gov. Greg Abbott for signature.
Texas joins the growing number of states that have passed or enacted legislation in 2023, including Iowa, Indiana, Tennessee and Montana, and more are expected in the coming months. Five states already have comprehensive privacy laws in place or set to become effective soon: California, Virginia, Colorado, Connecticut, and Utah. This profusion of new data privacy legislation has engendered an increasingly challenging compliance landscape, with businesses having to account for new requirements of each successive law. If enacted, businesses will have less than a year to prepare for the Texas Data Privacy and Security Act before it goes into effect on March 1, 2024.
Covered Employers
The scope of the Texas bill is drawn somewhat differently, and more broadly, than existing state privacy laws. Unlike those laws, which generally apply to businesses that exceed certain revenue or data processing thresholds, the Texas bill applies to corporations and people who:
- Conduct business in Texas or produce a product or service consumed by Texas residents.
- Process personal data of Texas residents.
- Are not a small business as defined by the U.S. Small Business Administration (SBA).
The Texas bill has no data-processing volume threshold. While the SBA currently defines a small business as one having 500 or fewer employees, this definition may be subject to adjustment, and there are myriad exceptions to the current SBA definition. For example, depending on the business’s sector, the SBA may instead look to its revenue or utilize a different employee headcount limit in determining whether it is a small business.
These factors introduce some degree of uncertainty regarding the extent and applicability of the Texas bill, but it will likely apply to most Texas businesses. Organizations of all sizes should take note that the bill’s prohibition against selling sensitive data without consent applies to all businesses that operate in Texas, regardless of size.
The bill features a familiar list of exceptions and exemptions. It does not apply to state agencies, nonprofit organizations, higher education institutions, or entities governed by the Health Information Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act.
The bill only protects consumers acting in an individual or household capacity, and therefore it’s not applicable to employment or business-to-business (B2B) contexts.
Consumer Rights
One of the cornerstones of the Texas bill is a set of rights that a consumer may exercise in respect of their data, including the right to:
- Confirm that the data controller is processing their data.
- Access their personal data.
- Correct inaccuracies in their personal data.
- Delete their personal data.
- Obtain a copy of their data in a portable and readily usable format.
- Opt out of having their data processed for the purpose of targeted advertising, the sale of their data, or profiling that produces a legal or significant effect on the consumer.
Rules for Data Collection
A data controller may only collect data that is adequate, relevant, and reasonably necessary in relation to the disclosed purpose for which it is processed and may not process data for purposes that aren’t reasonably necessary to or compatible with that purpose, except with the consumer’s consent. Data controllers cannot discriminate against consumers who exercise their statutory rights, such as by denying goods or services or by charging them higher prices.
Sensitive data (defined as personal data revealing one’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, children’s data, or precise geolocation data) may only be processed with the consumer’s consent. Data controllers must establish administrative, technical and physical measures for safeguarding data. Interestingly, the bill prohibits a data controller from using “dark patterns,” which is defined as “a user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice, to obtain consent for processing.”
The bill requires data controllers to display an accessible and clear privacy notice outlining how they use personal data. In particular, this notice should address:
- The categories of personal data being processed, including whether sensitive data is processed.
- The purposes of the processing.
- How consumers may exercise their rights.
- The categories of data that are shared with third parties, as well as the categories of third parties with whom data is shared.
A data controller must disclose the process by which a consumer can opt out of the sale of their data for targeted advertising, if the controller sells personal data for that purpose.
Before undertaking certain types of data processing associated with higher risks of harm — including processing for targeted advertising, the sale of personal data, profiling that presents a risk of unfair or deceptive treatment, financial, physical or reputational injury, or physical or other intrusion, and the processing of sensitive data — a data controller must complete a data protection assessment.
The data protection assessment should weigh the benefits of the contemplated processing to the consumer, controller and other stakeholders against the risks posed to the consumer. The assessment should account for the possibility of using de-identified data, reasonable consumer expectations, the context of the processing, and the relationship between the controller and the processor. A single assessment may be used to fulfill the obligations arising under different laws or covering different processing activities, as long as the respective requirements and activities are comparable. Although the assessment does not need to be submitted upon completion, it must be retained by the controller and may need to be produced in response to a civil investigative demand by the Attorney General.
Enforcement and Penalties
There is no private right of action under the Texas bill, but there is an established cure period. The Texas Attorney General is the sole enforcement and investigative authority for the Texas Data Privacy and Security Act. The Attorney General will establish an online mechanism for consumers to submit complaints. Before bringing an action alleging a violation of the law, the Attorney General must first notify the alleged offender and provide 30 days to cure the alleged violation. After the expiration of the cure period, the Attorney General may bring an action seeking up to $7,500 for each violation, as well as injunctive relief and attorney’s fees and other expenses.
Cynthia J. Cole, Rachel Ehlers, Jonathan Tam, Helena J. Engfeldt and Brittney Justice are attorneys with Baker McKenzie. © 2023 Baker McKenzie. All rights reserved. Reprinted with permission via Lexology.