The stringent law introduces several novel obligations and a unique approach to determining applicability that may broaden its reach.
On June 18, 2023, Texas enacted the Texas Data Privacy & Security Act (TDPSA), which will largely take effect in just over a year on July 1, 2024. The TDPSA follows in the footsteps of 10 other comprehensive US state privacy laws but sits decisively on the more stringent end of the spectrum.
While the TDPSA is generally modeled after the Virginia Consumer Data Protection Act (VCDPA), it adopts many of the more consumer-friendly components of more recently enacted laws. It also introduces several novel obligations and a unique approach to determining applicability that may broaden its reach.
In light of these factors and considering the size of the Texas economy and population, the TDPSA may prove to be the most impactful state privacy law since the California Consumer Privacy Act (CCPA), which was enacted in 2020.
Applicability and Scope
Rather than basing applicability on whether a business meets certain revenue thresholds or whether it processes or sells certain amounts of personal data (the general approach taken by other states), the TDPSA will apply to any business that:
- conducts business in Texas or produces products or services consumed by Texas residents;
- processes consumer personal data; and
- is not a “small business” as defined by the US Small Business Administration (SBA).
This applicability test is unique in two respects that will potentially expand the law’s scope. First, while the privacy laws in most other states only capture out-of-state companies that “target” their products or services to in-state individuals, under the TDPSA, the law will apply even if a company’s products or services are merely “consumed by” Texas residents, assuming the other applicability factors are met. This factor may incentivize businesses that do not specifically target the Texas market to take steps to actively exclude Texas residents from using their products or services to avoid triggering the TDPSA.
Second, the TDPSA’s use of small-business status as a determining factor for applicability, rather than revenue or scale of processing, may result in the TDPSA applying to businesses that are well below the applicability thresholds in other states. To wit, the SBA does not have a single definition for “small business” with general application. Rather, the label is extremely variable, and the factors that determine small-business status heavily depend on the context in which the status is claimed and the industry of the company claiming such status (as defined through the applicable North American Industry Classification System (NAICS) code and corresponding SBA size standard). The below points illustrate the complexities and nuances of determining small-business status:
- There are hundreds of NAICS codes, which align with industry types at a very granular level, and businesses can easily fall under multiple codes. But the TDPSA does not specify how businesses should determine which code (and the corresponding SBA size standard) applies for purposes of the law.
- SBA size standards matched to NAICS codes differ for services provided and goods produced, meaning a business that does both could qualify as a small business with respect to the services it provides, but not with respect to the products it manufactures, or vice versa. Further, the primary factors considered in determining size — annual revenue and employee headcount — are assessed based on averages over time, meaning small-business status can easily change year to year.
- Context matters in determining small-business status. For example, a company could qualify as a small business for purposes of qualifying for a particular government loan program (where the business is often allowed to self-select a NAICS code, but may need to be prepared to defend its choice if selecting a code that is different than the code listed in the business’s tax returns), but not for purposes of bidding on a particular “small business set-aside” government contract (where the applicable NAICS code is typically specified for all bidders), or vice versa.
- The SBA has expansive “affiliation” rules that rely on a complicated factor-by-factor analysis for determining whether a company’s small-business status is undermined by its affiliations (corporate or otherwise). These rules consider a business’s direct affiliates as well as any affiliates of the business’s affiliates, such that, for example, a private equity firm’s portfolio companies are all considered affiliates of one another. As a result, startups and emerging companies may lose their small-business status upon receiving a substantial investment from a private equity firm, venture capital firm, or hedge fund.
Depending on how the state attorney general ultimately enforces the TDPSA, the small-business exemption may not be available to as many businesses as the Texas Legislature likely intended (remarkably, even where the exemption is available, there are certain obligations under the TDPSA that still apply, as discussed further below). This is one area where official guidance could add much-needed clarity. Fortunately, starting on September 1, 2024, the public will have at least 90 days to provide feedback and recommend changes to the TDPSA through an online portal on the Texas Department of Information Resources website.
The TDPSA largely recycles definitions for key terms from the privacy laws in other states. In some instances, however, the TDPSA further expands these definitions in ways that are without precedent, including the following examples:
- The definition of “personal data” includes pseudonymous data, but only when it is used in conjunction with additional information that reasonably links it to an identified or identifiable individual. While this treatment of pseudonymous data is substantively consistent with that of other states, the TDPSA is the first law to explicitly include pseudonymous data in the definition of “personal data.”
- The definition of “sensitive data” includes “sexuality” rather than “sexual orientation” and/or “sex life.” This change came about after the Texas Senate removed “sexual orientation” (which appears in all the other states’ definitions of “sensitive” personal data) from the version of the bill that passed the Texas House. While the Senate’s removal of “sexual orientation” appeared to be an effort to limit the scope of “sensitive data,” the subsequent addition of “sexuality” would appear to have actually broadened it.
- The definition of “sale” covers the exchange of personal data not only for money, but like the CCPA, also “other valuable consideration.” However, where the VCDPA broadly exempts from the definition of “sale” any transfers of personal data as an asset that is part of a “merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the controller’s assets” (other states use similar language), the TDPSA simply exempts transfers of personal data as an asset that is part of a “merger or acquisition.” Whether this change was intended to narrow the scope of the exemption (e.g., by excluding transfers of personal data in the context of a bankruptcy or a transaction involving only part of the business’s assets) is unclear.
Like the VCDPA, the TDPSA gives consumers the right to access, correct, delete, and obtain a copy of their personal data, and to opt out of the sale of their data, the processing of their data for targeted advertising, and profiling in furtherance of a decision that produces a legal or similarly significant effect. The TDPSA follows the CCPA and several other states in allowing individuals to exercise their rights to opt out of the sale of their personal data or use of it for targeted advertising through an opt-out preference signal. But the TDPSA provides certain unique exceptions under which businesses are not obligated to comply with consumer requests submitted in this manner, including if the business does not possess the ability to process the request.
Texas is also the first state since California to require businesses to establish “two or more” methods for individuals to submit requests. However, like the CCPA, the TDPSA stipulates that businesses that operate exclusively online and have a direct relationship with individuals are only required to provide an email address. Businesses that maintain a website but do not fall into this “exclusively online” category must “provide a mechanism” on their website for individuals to submit requests. This language is similar to the CCPA’s requirement to “make the website available” for individuals to submit requests, though the TDPSA appears to more explicitly contemplate the implementation of a webform or portal (notably, it does not define “mechanism”).
The TDPSA requires businesses to provide individuals with a reasonably accessible and clear privacy notice that includes the same disclosures as required in Virginia — i.e., the categories of personal data processed, the purpose for processing, how individuals may exercise their rights and appeal decisions, the categories of personal data the business shares with third parties, and the categories of such third parties.
Additionally, the TDPSA requires businesses that sell sensitive or biometric data to post the following disclosure: “NOTICE: We may sell your [sensitive/biometric] personal data.” This notice must be posted “in the same location and in the same manner as the privacy notice,” which suggests that businesses must post this language alongside the link to the privacy notice, rather than including it as a disclosure within the privacy notice.
The TDPSA mirrors the VCDPA in prohibiting the processing of sensitive data without consent and the processing of personal data for incompatible secondary purposes. In defining “consent,” though, the TDPSA more closely aligns with the privacy laws of Connecticut and Colorado, as it lists specific scenarios that do not constitute valid consent, such as any agreement obtained through the use of dark patterns. Further, any processing of personal data collected from a “known child” must comply with the consent requirements set forth under the federal Children’s Online Privacy Protection Act. The TDPSA is the first state law to define “known child,” which means a person under 13 where the business has actual knowledge of “or wilfully disregards” the child’s age.
Notably, small businesses that are otherwise exempt from the TDPSA are expressly prohibited from selling sensitive data without first obtaining consent. This is the first instance of a comprehensive state privacy law imposing obligations on companies that do not otherwise meet its baseline applicability test.
Other Compliance Obligations
The TDPSA largely tracks with the VCDPA when it comes to various other categories of compliance obligations, such as:
- the obligations related to responding to requests and appeals, including timing requirements;
- the duties imposed on processors and the specific provisions that must be included in a contract between a controller and a processor; and
- the required components of a data protection assessment and the types of processing activities that trigger a data protection assessment.
The state attorney general will enforce the TDPSA, and violations can result in penalties of up to $7,500 per violation as well as injunctive relief. By July 1, 2024, the state attorney general is required to post information relating to the obligations and rights under the TDPSA on its website and provide an online mechanism through which individuals can submit complaints. All provisions of the TDPSA will be effective starting July 1, 2024, except for the provisions related to the use of authorized agents and opt-out preference signals, which will take effect on January 1, 2025.
The TDPSA includes a 30-day cure period in which noticed violations can be remedied; the cure period does not sunset as it does in some other states. Unlike other state privacy laws, though, under the TDPSA simply notifying the state attorney general that the violation has been cured will not be sufficient. Rather, businesses will be required to provide the state attorney general a written statement that not only confirms that the alleged violations have been cured, but also states that they have:
- notified the individual that their privacy violation was addressed (if the individual’s contact information has been made available to the company);
- provided supportive documentation to show how the privacy violation was cured (whether such documentation has to be provided to the individual or the state attorney general is unclear); and
- made changes to internal policies, if necessary, to ensure that no such further violations will occur.
Compared to the 10 other comprehensive state privacy laws enacted so far, the TDPSA unquestionably aligns more closely with the laws of California and Connecticut, which tend to be more onerous, and less so with the laws of Utah and Iowa, which take a more business-friendly approach. By adding entirely new requirements to the mix and establishing a unique applicability test that may broaden its scope, the TDPSA arguably sets a new bar for such laws — though its true impact will ultimately hinge on the degree to which it is enforced.
Businesses that are complying with the privacy laws of other states will need to reassess components of their privacy compliance programs to ensure compliance with the TDPSA. Businesses that are not yet subject to the privacy laws of other states should carefully consider the scope of the TDPSA and exercise caution when determining applicability.
The SBA Office of Advocacy, an independent arm of the SBA that advocates for small businesses, annually releases a publication titled Frequently Asked Questions About Small Businesses that consistently states that the Office of Advocacy generally defines a small business as an independent business having fewer than 500 employees. While this is a common size standard found in the SBA Table of Size Standards and a standard used for some small business programs (such as the Small Business Innovation Research program and the Paycheck Protection Program), it should not be confused for a generally applicable SBA definition of “small business.”