State Regulatory Developments

Texas Enacts Comprehensive Consumer Data Privacy Law

Texas recently enacted a comprehensive consumer state data privacy law, the Texas Data Privacy and Security Act (the Act), becoming the tenth state to do so after Virginia, California, Colorado, Utah, Connecticut, Iowa, Indiana, Montana, and Tennessee.  The majority of the Act goes into effect on July 1, 2024; the provisions requiring controllers to honor universal opt-out mechanisms (such as browser-based opt-out signals) take effect January 1, 2025.

Scope

The Act applies to persons that (i) do business in the state or produce a product or service consumed by Texas residents, (ii) process or sell personal data, and (iii) are not a small business as defined by the U.S. Small Business Administration (with one exception: the Act's prohibition on selling sensitive data without consumer consent applies to small businesses as well).  Notably, unlike most other state privacy laws, the Act contains no threshold based on the number of consumers whose data is processed or on revenue derived from data sales.  “Personal data” is defined as “any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual” and “includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.”  It excludes “deidentified data or publicly available information.”

Certain entities are exempt from the Act, including, but not limited to, (i) financial institutions subject to Title V of the Gramm-Leach-Bliley Act, (ii) covered entities and business associates governed by the privacy, security, and breach notification rules issued under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act), 45 CFR Parts 160 and 164, (iii) government entities, including state agencies and political subdivisions, (iv) electric utilities, power generation companies, and retail electric providers, (v) institutions of higher education, and (vi) non-profit organizations.  Certain categories of information are also exempt, such as protected health information under HIPAA and data already regulated under GLBA.

The Act differentiates a “controller,” an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data, from a “processor,” a “person that processes personal data on behalf of a controller.”  Most of the Act's obligations fall on controllers; processors must act on the controller's documented instructions under a binding contract and assist the controller in meeting its obligations.

Consumer Rights

The Act grants Texas consumers certain rights with respect to their personal data.  Consumers may request, among other things, (i) confirmation from a controller of whether it is processing the consumer’s personal data and access to that data, (ii) correction of inaccuracies, (iii) deletion of personal data provided by or obtained about the consumer, (iv) a copy of that data in a portable and, to the extent technically feasible, readily usable format so the consumer can transmit it to another controller, and (v) the ability to opt out of the sale of personal data, targeted advertising, and profiling in furtherance of a decision that produces legal or similarly significant effects concerning the consumer.

Under the Act, with some exceptions, a controller must respond to a consumer’s request within 45 days of receipt, but can extend this period once by an additional 45 days if reasonably necessary, provided the consumer is informed of the extension and the reason for it within the original 45-day period.  A controller must provide the requested information free of charge up to twice annually per consumer.  If the controller cannot authenticate the request using commercially reasonable efforts, it is not required to comply with it and may ask the consumer for additional information reasonably necessary to authenticate the request.  A controller can decline to act on a request, but must inform the consumer within 45 days of receiving it, explain why no action was taken, and provide instructions for how to appeal.  Among other requirements, the appeal process must be conspicuously available and similar to the process for submitting the original request.  Where the controller obtained the consumer’s personal data from a source other than the consumer, it complies with a deletion request either by retaining a record of the request and the minimum data needed to ensure the consumer’s data remains deleted (and not using the retained data for any other purpose), or by opting the consumer out of all non-exempt processing of that data.

Notice Requirements and Other Obligations

Among other duties and required notices, the controller must provide a reasonably accessible and clear privacy notice that includes, at a minimum, the categories of personal data it processes (including whether any are sensitive data), the purposes for processing, the categories of personal data it shares with third parties and the categories of those third parties, and how consumers may exercise their rights under the Act, including how to appeal a controller's decision.  Controllers must also obtain consent before processing sensitive data, and must limit collection to what is adequate, relevant, and reasonably necessary for the disclosed purposes.  Additionally, the Act requires controllers to conduct and document data protection assessments for higher-risk processing activities, including targeted advertising, the sale of personal data, certain profiling, the processing of sensitive data, and any processing that presents a heightened risk of harm to consumers.

Penalties and Enforcement

There is no private right of action.  The Texas attorney general has exclusive enforcement authority and may seek civil penalties of up to $7,500 per violation, as well as injunctive relief.  Before bringing an action, the attorney general must give the person written notice of the alleged violation and a 30-day period to cure it; unlike the cure periods in several other state laws, Texas's does not sunset.