U.S. Privacy Law Summaries – Texas

This week, we are shifting our focus back to privacy law. Although our most recent blogs focused on A.I.-specific laws, which are still in their nascent stage, privacy laws actually play an outsized role in how AI usage is policed. This week our focus is on the Texas privacy law. Texas is the second largest state, both by population and land size, and thus can move the needle when it comes to privacy compliance. The Texas Data Privacy and Security Act (“TDPSA” or the “Act”), the nation’s 11th comprehensive consumer data privacy law, has an enormous impact on at least 30 million people.

The TDPSA has been in force since July 1, 2024, but just last month, a global opt-out technology provision became effective, allowing users to opt out of the processing of personal data for the purposes of targeted advertising, as well as the sale of personal data. Aside from this specific provision, as a comprehensive privacy law, the TDPSA contains other unique and notable sections.

Who is affected?

First and most importantly, the “persons” to which the TDPSA applies must: (i) conduct business in Texas or produce products or services consumed by Texas residents; (ii) process or engage in the sale of personal data; and (iii) not be a “small business” as defined by the U.S. Small Business Administration. Despite this small business carve-out, the TDPSA makes a significant exception under Sec. 541.107, noting that a small business may not engage in the sale of sensitive personal data without receiving prior consent from the consumer. Note that “sale of personal data” is not taken in its literal or traditional meaning but is, instead, broadly defined to mean “sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.” Thus, a covered entity must obtain consent before processing sensitive personal data. This is in line with Colorado’s privacy law.

Consent

Like most other U.S. privacy laws, consent is a powerful tool that enables entities to process or sell personal data, and even sensitive data. The TDPSA defines “consent” similarly to most other state privacy laws. Under the Act, consent means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. Interestingly, the Act goes out of its way to identify three scenarios in which consent is not deemed to be given by the consumer: (a) acceptance of general or broad terms of use or a similar document that contains descriptions of personal data processing along with other, unrelated information; (b) hovering over, muting, pausing, or closing a given piece of content; or (c) agreement obtained through the use of dark patterns[1].

Processing of Children’s Data

When it comes to children’s data, the TDPSA does not complicate matters or add more restrictions. Instead, legislators elected to incorporate by reference the Children’s Online Privacy Protection Act of 1998 (COPPA). Under COPPA, as long as a controller or processor complies with the verifiable parental consent requirements, it will be in compliance with the TDPSA. This approach is in contrast to Colorado, which has specific provisions that outright forbid processing of children’s data unless there is parental consent.

Privacy Notices

As with most other omnibus privacy laws throughout the United States, under the TDPSA controllers[2] in particular must include in their Privacy Policies the categories of personal data processed, the purpose of the processing, and how consumers can exercise their rights. In addition, when the controller engages in the sale of sensitive personal data, it is required to include the following notice: “NOTICE: We may sell your sensitive personal data.” If the sale of biometric data is involved, then a corresponding notice must be posted: “NOTICE: We may sell your biometric personal data.” Furthermore, if entities “sell” personal data to third parties or process such data for targeted ads, they must clearly and conspicuously disclose it, including the manner in which a consumer may exercise their right to opt out of that processing.

Right of Action & Opportunity to Cure

Unlike California’s privacy law, under the TDPSA there is no private right of action for consumers when it comes to violations under the TDPSA or “any other law.” Only the Texas Attorney General may enforce the TDPSA, seeking up to $7,500 per violation. However, before the Attorney General’s office can commence an action, it must notify the violating entity of the specific provisions that have been violated and allow a 30-day cure period to correct the violation. Here again, Texas sets itself apart from other states like California, Colorado, Connecticut, and Montana. Texas is clearly trying to be more business friendly. The absence of a private right of action, coupled with the 30-day notice-and-cure period, is much more business friendly than, say, California’s privacy law. California’s private right of action allows consumers to seek statutory or actual damages and other relief if their personal information is subject to unauthorized access or disclosure due to a business’s failure to implement reasonable security procedures.

Data Protection Assessments

Section 541.105 of the TDPSA again requires controllers in particular to conduct and document a data protection assessment for a broad range of processing activities involving personal data, such as targeted advertising, sale, profiling (if the profiling presents a reasonably foreseeable risk of substantial injury to consumers), the processing of sensitive data, and any other processing activities that present a heightened risk of harm to consumers. These assessments must identify and weigh the direct or indirect benefits that may flow from the processing to the controller, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with that processing.

Concluding Thoughts

Like many other states, Texas likely drew up the TDPSA from the previously enacted privacy laws that have been promulgated in the United States and even abroad, like Europe’s GDPR. Be that as it may, every state includes its own quirks, and Texas is no exception. That said, a company could ignore the other states’ privacy laws only if its operations were limited to Texas alone. This is simply not the case in the age of the Internet and multi-state or multi-national operations. What this means for companies is that they must determine the high-water mark for compliance and design programs for compliance with the strictest standards. This may mean having to pluck and analyze the strictest requirements across the geographic footprint of the business to ensure the most protection and compliance.

The information you obtain at this site or this blog is not, nor is it intended to be, legal advice. You should consult an attorney for advice regarding your individual situation. We invite you to contact us through the website, email, phone, or through LinkedIn. Contacting us does not create an attorney-client relationship. Please do not send any confidential information to us until such time as an attorney-client relationship has been established.

[1] “Dark pattern” means a user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice, and includes any practice the Federal Trade Commission refers to as a dark pattern.

[2] A controller is defined as “an individual or other person who, alone or jointly with others, determines the purpose and means of processing data.” A controller is distinguished from a processor, defined as “a person or entity that processes personal data on behalf of a controller.” Though the TDPSA focuses on “controllers” for some of the provisions discussed here, the question of whether or not an entity is considered a controller or processor may depend on the circumstances and thus require further legal analysis.