Texas becomes Tenth State to Enact Comprehensive Privacy Law

On June 18, Texas enacted the Texas Data Privacy and Security Act (TDPSA), becoming the tenth U.S. state to enact a comprehensive consumer data privacy law. Businesses regulated by the TDPSA have until July 1, 2024 to come into compliance with the law. The other states with comprehensive consumer privacy laws currently in effect are California, Virginia, Colorado, and Connecticut. They will soon be joined by Utah (December 31, 2023), Tennessee (July 1, 2024), Montana (October 1, 2024), Iowa (January 1, 2025), and Indiana (January 1, 2026).  

While modeled on the Virginia/Colorado/Connecticut framework, the TDPSA does include some notable differences distinguishing it from other state general privacy laws, and potentially applies to a broader range of businesses (known as “controllers”) inside and outside of the state. Starting January 1, 2025, the TDPSA will also require all controllers to recognize universal opt-outs (e.g., web browser privacy settings like Global Privacy Control or the use of designated electronic agents), aligning with California, Colorado, and Connecticut. 

Scope of Applicability

A unique element of the TDPSA is the statute’s scope of applicability. Unlike other state general privacy laws – which generally apply to entities that (i) conduct business in the applicable state or target their products or services to residents of the applicable state and (ii) process the personal data of a threshold number of consumers¹ and/or derive a threshold percentage of revenue from the sale of personal data – the TDPSA applies more broadly to individuals or entities that:

• Conduct business in Texas or produce a product or service consumed by residents of Texas;
• Process or engage in the sale of “personal data”; and
• Do not qualify as a “small business” (as defined by the United States Small Business Administration (SBA)).²

In addition to the absence of minimum data processing thresholds for applicability, the TDPSA is also notable in that:

• The TDPSA’s applicability does not require that an entity “target” its products or services to Texas residents; rather, the relevant prong is satisfied if Texas residents “consume” such products or services, even if the business did not target the Texas market; and
• Among states with laws currently in effect, the TDPSA’s definition of a sale of personal data follows the broader “monetary or other valuable consideration” formulation of California, Colorado, and Connecticut, rather than the more narrow “monetary consideration” standard of Virginia.

Universal Opt-Out Mechanisms

Among states with laws currently in effect, Texas joins California, Colorado, and Connecticut in requiring controllers to comply with opt-out requests submitted via a universal opt-out mechanism such as an “Internet browser setting or extension” or a “global setting on an electronic device”. This requirement will become effective on January 1, 2025.³

The TDPSA’s requirement with respect to a universal opt-out mechanism represents an increase in the percentage of the U.S. population that will have the right to implement such a signal for opt-out purposes from slightly less than 15% to approximately 24%, based on current population numbers.

Sensitive Data

Like the Virginia, Colorado, and Connecticut laws already in effect, the TDPSA requires affirmative “opt-in” consent for the processing of “sensitive data”⁴. However, while other state law definitions set forth apparently exhaustive lists of elements that render personal data as “sensitive”, the TDPSA’s definition is drafted as follows: 

“Sensitive data” means a category of personal data. The term includes: 

1. personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status;
2. genetic or biometric data that is processed for the purpose of uniquely identifying an individual;
3. personal data collected from a known child; or
4. precise geolocation data.

While the elements generally track those of other state privacy laws already in effect: (i) the drafting may suggest that the list is inclusive, rather than exhaustive, even if that was not the intent; and (ii) there are a few notable differences in the underlying elements, in particular (a) the narrower use of “health diagnosis” rather than the broader “health condition or diagnosis” and (b) the use of “sexuality” rather than the seemingly broader “sex life [or] sexual orientation”.

Additional Privacy Notices

In addition to the general privacy notice required by the TDPSA, the statute imposes additional disclosure requirement(s) on controllers that sell “sensitive data” or “biometric data”. Such required notice(s) (i) must be posted in the same location and in the same manner as the general privacy notice and (ii) must consist of the following standardized language: “NOTICE: We may sell your sensitive personal data” and/or “NOTICE: We may sell your biometric personal data”, as applicable.

Cure

The TDPSA includes a 30-day cure period. However, in order for the Texas attorney general not to bring an action for the alleged violation, the TDPSA requires not only that (i) the alleged violator must cure the violation within the 30-day cure period, but also that (ii) within such cure period, the alleged violator must provide the attorney general a written statement that it: 

• Cured the alleged violation;
• Notified the consumer that the consumer’s privacy violation was addressed (if the consumer’s contact information had been made available to the alleged violator);
• Provided supportive documentation to show how the privacy violation was cured; and
• Made changes to internal policies, if necessary, to ensure that no such further violations will occur.

While there may be some ambiguity in the wording of such requirements, it seems to be the intent of the statute that the alleged violator must demonstrate with specificity to the attorney general that the violation has been cured.

Conclusion

With a population of more than thirty million people – more than nine percent of the U.S. population – Texas may prove to be a tipping point with respect to state general privacy legislation. Following passage of the TDPSA, almost one-third of the U.S. population is now protected by an effective or forthcoming state general privacy law, and such legal patchwork is becoming increasingly complex.

Linklaters has extensive experience helping clients navigate different data protection laws, rules, and regulations in the United States and globally. We are available to assist if you’d like to discuss creating a streamlined compliance program to manage the multijurisdictional patchwork of data privacy obligations.

¹ For example, the CCPA, as amended by the CPRA, doesn’t apply until a business processes the personal data of at least 100,000 California residents (or gross annual revenue in excess of $25 million).  Virginia and Colorado set their minimum thresholds at 100,000 state residents, respectively, and Connecticut sets its threshold at 75,000 state residents.  

² Despite this general exemption, the TDPSA’s prohibition on the “sale” of “sensitive data” does apply to entities that qualify as small businesses. Currently, the SBA generally defines a small business as “an independent business having fewer than 500 employees”. 

³ California’s requirement for a universal opt-out mechanism is already in effect, and this featured prominently in the Attorney General’s August 2022 fine against Sephora, Inc. Universal opt-out mechanism requirements will phase in for Colorado (July 1, 2024) and Connecticut (January 1, 2025).

⁴ The CCPA, as amended by the CPRA, instead offers a limited opt-out right for the use and sharing of sensitive personal information.