Everything’s Bigger in Texas – Including Privacy Protections

Texas Governor Greg Abbott recently signed the latest comprehensive state privacy law.  The Texas Data Privacy and Security Act (TDPSA) grants Texas consumers new data privacy rights, effective July 1, 2024.

The TDPSA is based largely upon the Virginia Consumer Data Protection Act, but borrows concepts from California and Colorado’s privacy laws as well.  The TDPSA grants Texas consumers the right to confirm whether a controller is processing their personal data, obtain access to their personal data, correct inaccuracies in their personal data, delete their personal data, access portable copies of their personal data and opt out of the processing of their personal data used for targeted advertising, sales or profiling.  The TDPSA also considers agreements obtained through the use of dark patterns to be non-consensual, similar to California, Colorado and Connecticut’s laws.

Under the TDPSA, “sensitive personal data” is defined as data “revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status.”  Like Virginia’s privacy law, “sensitive personal data” also includes genetic or biometric data, personal data from a known child and precise geolocation data.  The TDPSA defines the sale of personal data as the sharing of data for “monetary or other valuable consideration” joining Colorado, California and Connecticut’s privacy laws to acknowledge sales beyond monetary consideration.

Despite its similarity to other state privacy laws, the TDSPA has some unique provisions.  The TDSPA does not have a minimum data processing volume threshold and therefore applies to a much broader range of businesses that: (1) conduct business in Texas, or generate products or services consumed by Texas residents, (2) process or sell personal data, and (3) are not considered a small business as defined by the U.S. Small Business Administration (e.g. over 500 employees).  Nevertheless, all businesses regardless of size are prohibited from the sale of sensitive personal data unless they first obtain consumer consent.  Additionally, businesses must recognize universal opt-out mechanisms (effective January 1, 2025).

Like most other state privacy laws, the TDSPA exempts state agencies, financial institutions governed by the Gramm-Leach-Bliley Act (GLBA) and entities or business associates governed by the Health Insurance Portability and Accountability Act (HIPAA).  However, the TDSPA also specifically exempts nonprofit organizations, institutions of higher education and electric utility companies.

Another notable feature of the TDSPA is its 30-day cure period.  Fortunately for Texas businesses, this cure period does not sunset.  Like most other state privacy laws, the TDPSA does not contain a private right of action for consumers.  Instead, the Texas Attorney General will enforce the law and can impose up to a $7,500 civil penalty for each violation.

For further information about the Texas Data Privacy and Security Act or privacy laws in general, please contact John Landolfi, Chris Ingram, Chris LaRocco, Gretchen Rutz Leist, or your Vorys attorney.