On May 28, 2023, the Texas legislature reached an agreement (by conference committee) on the Texas Data Privacy and Security Act (the Act), setting the stage for Texas to become the tenth state with a comprehensive privacy law. The Act will soon be presented to the Texas governor’s desk for signature (but is set to become law as long as it is not vetoed). Assuming it makes it through the process, the Act will go into effect on March 1, 2024.

With passage of the Act, Texas becomes the fifth state in 2023 to pass “comprehensive” privacy legislation (joining Iowa, Indiana, Montana, and Tennessee) and the seventh to pass some form of privacy law governing health data or sensitive data (joining Washington and Florida). Though the Texas law includes many of the same provisions as the laws in effect in the other states, the number of US residents covered under some form of a privacy law significantly increases with Texas joining the group (given the state’s large population). Businesses that have previously adopted a piecemeal approach to US privacy compliance (as opposed to adopting a national approach) may rethink this strategy in light of the Texas law.

Additionally, Congress has already been holding hearings this year on the need for federal privacy legislation. The addition of a tenth state with its own privacy law (especially a state as large as Texas) may increase the momentum for Congress to reconsider the American Data Privacy and Protection Act during this legislative session. 

In this post, we have summarized the key takeaways from the Act, including how the law’s relevant provisions compare to the laws that have previously passed or been enacted in other states. We are happy to answer any questions you have about the Act and its implications for your company’s privacy compliance program. For additional updates, please subscribe to the WilmerHale Privacy and Cybersecurity Law Blog.

KEY TAKEAWAYS

• Broad Definition of “Personal Data.” Similar to the other state laws, “personal data” under the Act is defined broadly to include any information that is linkable or reasonably linkable to an identified or identifiable individual. The definition of “personal data” also includes “pseudonymous” data when the data is used in conjunction with additional information that can be reasonably linked to an identified or identifiable individual.
• Applicability Thresholds. The Act applies to entities that (1) conduct business in Texas or produce a product or service consumed by Texas residents; (2) process or engage in the sale of personal data; and (3) are not a small business as defined by the US Small Business Administration. (However, small businesses are still prohibited from selling sensitive personal data without obtaining consumer consent (despite the rest of the law not being applicable to them).) Notably, the applicability threshold in Texas is broader than the applicability threshold in other states (because it does not have a revenue or data processing minimum). 
• Broad Exemptions. Notably, the Act does not apply to nonprofits or institutions of higher education. Further, like many of the other comprehensive privacy laws, the Act creates an entity-wide exemption for financial institutions governed by the Gramm-Leach-Bliley Act (GLBA), as well as covered entities or business associates governed by the Health Insurance Portability and Accountability Act (HIPAA). 
• Consumer Data Rights. Like all of the other state privacy laws, the Act creates individual rights for consumers, including the right to confirm whether a controller is processing personal data; the right to access personal data; the right to correct inaccuracies; the right to delete personal data; the right to obtain a portable copy of personal data; and the right to opt out of the processing of data for purposes of targeted advertising, sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects. Controllers are also required to establish a process for consumers to appeal a controller’s potential refusal to take action on a data rights request. 
• Obligations Regarding Opt-Out Signals. The Act requires controllers that sell personal data or use personal data for targeted advertising purposes to respond to universal opt-out signals, similar to what is required under the California, Colorado, Connecticut, and Montana laws. The Texas requirement, however, is not as broadly applicable as the opt-out signal requirement in these other states. For example, the Texas law requires that an opt-out signal not be the default setting (i.e., a consumer must instead be required to affirmatively select the opt-out option) in order for it to be covered under the law.  
• Consent for the Processing of Sensitive Data. Like the laws in several other states, the Texas law requires controllers to obtain consent for the processing of sensitive data. The Act’s definition of “sensitive data,” however, is slightly different compared to other states’ definitions. For example, instead of protecting sexual orientation data, the Act only protects information about “sexuality.” The Act also limits its protection of health information to information that specifically relates to a “mental or physical health diagnosis” (as opposed to applying to additional categories of health information).
• Dark Patterns. The Act explicitly notes that consent acquired through the use of dark patterns – defined broadly as any user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice, including any practice the Federal Trade Commission refers to as a dark pattern – is not sufficient to comply with the consent requirements of the Act.
• Prescriptive Notice Requirements for the Sale of Personal Data. With regard to the sale of sensitive personal data, the law explicitly requires controllers to provide consumers with the following information in their privacy policy: “NOTICE: We may sell your sensitive personal data.” With regard to the sale of biometric information specifically, the Act requires the following disclosure: “NOTICE: We may sell your biometric personal data.” These notice requirements are notably more prescriptive than what is required under most of the other comprehensive privacy laws. 
• Privacy by Design. The Act incorporates privacy by design principles, such as purpose limitation and reasonable security practices. Further, controllers cannot collect additional categories of personal information or use collected information for additional purposes (other than the purposes previously disclosed to consumers) without obtaining consumer consent.
• Data Protection Assessments. The Act requires data protection assessments for the following activities: (1) the processing of data for purposes of targeted advertising; (2) the sale of personal data; (3) the processing of data for purposes of profiling if certain risk factors are met; (4) the processing of sensitive data; and (5) any processing activities that present a heightened risk of harm to consumers.
• Enforcement. Violations are only enforceable by the Texas attorney general’s (AG) office, which can impose civil penalties of up to $7,500 for each violation. The AG may recover reasonable attorney’s fees and other reasonable expenses incurred in investigating and bringing an action under the Act. However, the Act does create a 30-day cure period for violators before the AG may bring an enforcement action.
• Implementation. The Department of Information Resources (the Department), under the management of the chief privacy officer, shall review the implementation of this legislation and provide the public an online portal for feedback for 90 days, no later than September 1, 2024. The Department shall also make available a public report by January 1, 2025, detailing the status of the implementation of the requirements. This provision will sunset on September 1, 2025.
• Effective Date. The vast majority of the Act will go into effect on March 1, 2024, except for the provisions related to opt-out signals (which will take effect on January 1, 2025).