On May 28, Texas became the sixth state this year to pass a comprehensive data protection law.  Although the Texas Data Privacy and Security Act (“TDPSA”) is largely in line with the Virginia Consumer Data Protection Act and other recently passed state privacy laws, it has a few key distinctions that may cause headaches for larger businesses.  The TDPSA becomes effective July 1, 2024.

Applicability: The TDPSA eschews the revenue and volume criteria implemented by other comprehensive state privacy laws.  Instead, the TDPSA applies to any person that:

  • Conducts business in Texas or produces products or services consumed by Texas residents;
  • Processes or engages in the sale of personal data; and
  • Does not qualify as a “Small Business” as defined by the United States Small Business Administration (“SBA”).

This final prong is unique to the TDPSA.  Whether a business qualifies as a small business may depend on its number of employees, average annual revenue, and industry.  The SBA has provided guidance that “most manufacturing companies with 500 employees or fewer, and most non-manufacturing businesses with average annual receipts under $7.5 million, will qualify as a small business.” However, each business will have to review the size standards for its own industry to determine whether the law applies to it.

One important compliance point is that the carve-out for small businesses is not total. Even a company that qualifies as a small business may not sell sensitive personal data without first obtaining the consumer’s consent, regardless of its size, revenue, or the volume of data it processes. Sensitive data means a category of personal data that includes:

  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status;
  • Genetic or biometric data that is processed for the purpose of uniquely identifying an individual;
  • Personal data collected from a known child (under 13); or
  • Precise geolocation data.

The TDPSA specifically exempts financial institutions covered under the GLBA, covered entities and business associates covered under HIPAA, nonprofit organizations, and institutions of higher education. It also exempts data subject to the GLBA and HIPAA—a key distinction for potential processors under the law.

Data Subject Rights and Impact Assessments: The data subject rights and impact assessment requirements provided under the TDPSA are in line with those provided under Virginia law.  Namely, the TDPSA provides the rights to:

  • Access and portability;
  • Correction;
  • Deletion; and
  • Opt-out of:
    • The sale of personal data for monetary or other valuable consideration;
    • Targeted advertising; and
    • Profiling in furtherance of significant decision-making.

Additionally, like Virginia, the TDPSA requires that controllers conduct impact assessments prior to processing personal data in a manner that could pose a heightened risk of harm to consumers. This includes the sale of personal data and the processing of personal data for targeted advertising or profiling.

Enforcement: The TDPSA does not include a private right of action.  Instead, it is enforced exclusively by the Texas Attorney General.  The TDPSA also provides a 30-day cure period which, unlike the cure periods in several other state privacy laws, does not sunset.

In sum, while the TDPSA is largely in line with its contemporaries, its novel applicability criteria are likely to cause compliance headaches.  Businesses will have to review relevant industry standards to determine the scope of their obligations under the law.