The Right to be Let a Lone Star State: Texas Passes Comprehensive Privacy Bill
Over Memorial Day weekend, Texas lawmakers passed the Texas Data Privacy and Security Act (TDPSA) with unanimous votes in both the State House and Senate. If signed by Governor Abbott, Texas will become the tenth U.S. state (and the fifth in 2023) to enact broad-based data privacy legislation governing the collection, use, and transfer of consumer data. TDPSA contains several drafting innovations that led the bill's backers to call it the “strongest data privacy law in the country.” While that claim is likely to be controversial (especially among regulators in states such as California, Colorado, and Connecticut), TDPSA’s novel provisions deserve close attention from stakeholders:
- Coverage thresholds are tied to the U.S. Small Business Administration’s standards;
- Small businesses must obtain consent to sell sensitive personal data;
- ‘Opt-Out Preference Signals’ are included (with caveats);
- Standalone disclosures are required for certain data sales;
- Pseudonymous data is explicitly treated as personal data under certain circumstances.
Despite these unique attributes, TDPSA shares a common underlying framework with every non-California state that has enacted comprehensive privacy legislation, and it contains many rights, obligations, and exceptions that will be familiar to stakeholders. For example, the bill includes consumer rights to access, correct, and delete personal information; opt-in requirements for the processing of sensitive data; and opt-out rights for data sales (defined broadly), targeted advertising, and significant profiling decisions. TDPSA also contains routine business obligations, including transparency, security, data protection assessments, non-retaliation, and contractual terms for service providers. Finally, TDPSA would be enforced exclusively by the Attorney General, with a right to cure that does not expire.
Below we examine the unique provisions of TDPSA in greater depth.
1. Coverage thresholds are tied to the U.S. Small Business Administration’s standards
To date, both state and federal data privacy framework laws and pending proposals have carved certain small businesses out of coverage. Typically, a business falls within the scope of a state privacy law based on the number of in-state residents about whom it processes data, with thresholds ranging from 50,000 individuals (Montana) to 175,000 (Tennessee). TDPSA breaks from this trend by exempting companies that meet the United States Small Business Administration’s (SBA) definition of a “small business.”
The SBA designates organizations as “small businesses” using an industry-specific model that incorporates both revenue and employee thresholds. While the typical small-business carve-outs in state privacy laws have long been recognized as inherently arbitrary and inconsistent between states of different populations, it is not clear that TDPSA’s approach is superior. For example, a company in a non-data-intensive line of business may have a large number of employees, whereas a startup or other organization with very few employees could still process massive amounts of sensitive consumer data for privacy-diminishing purposes.
According to the SBA, only just over 20,000 U.S. firms fall outside its definition of “small business.” Given that Texas’s large population (nearly 30 million in 2021) would make it relatively easy for organizations to meet a typical consumer-data threshold had TDPSA used standard coverage provisions, incorporating the SBA definition means that TDPSA will likely apply to a far narrower range of organizations than it otherwise would have.
2. Small businesses must obtain consent to sell sensitive personal data
Perhaps the most significant impact of TDPSA (one that has already influenced Florida’s Digital Bill of Rights, passed on May 4) is a novel requirement that small businesses operating within the state, which are otherwise exempt from the Act, obtain an individual’s prior consent before selling their sensitive personal data. TDPSA defines “sale of personal data” broadly to include transfers by a controller to a third party for monetary “or other valuable consideration,” likely implicating data transfers within the online advertising ecosystem. For ‘large businesses’ within the scope of the full bill, TDPSA broadly requires consent to ‘process’ sensitive personal data, consistent with several other state privacy laws.
3. ‘Opt-Out Preference Signals’ are included (with caveats)
TDPSA will be the fifth U.S. state privacy law to explicitly permit individuals to exercise certain rights on a default basis through technological signals, such as those sent by an Internet browser setting or extension. While these provisions should significantly ease the burden of privacy self-management for individuals, TDPSA also gives businesses greater leeway than other states do to ignore these signals if certain conditions are met. For example, TDPSA will not require a covered entity to respond to an otherwise valid signal if it “does not possess the ability to process the request” or “does not process similar or identical requests” for the purpose of complying with other state privacy laws.
4. Standalone disclosures are required for certain data sales
Like all other state privacy laws, TDPSA will require controllers to post a privacy notice that describes the categories of data they collect, the purposes for which they process it, and the circumstances under which data may be transferred to third parties. However, TDPSA is unique in requiring that businesses, where applicable, post the following notice, verbatim, in the same location and manner as their privacy notice: “NOTICE: We may sell your [sensitive personal data / biometric personal data].”
5. Pseudonymous data is explicitly treated as personal data under certain circumstances
The treatment of personal data that has been pseudonymized is a significant but commonly overlooked aspect of state privacy laws. As in Virginia, Connecticut, and some other states, TDPSA’s individual rights of access, correction, and deletion do not extend to data that is demonstrably pseudonymized (though consumer opt-out rights are not included in this carve-out). However, Texas is unique in explicitly including pseudonymous data in the definition of “personal data” where such data is used “in conjunction with additional information that reasonably links the data to an identified or identifiable individual.” In practice, whether this addition proves to be a meaningless tautology or expands consumer protections is likely to depend on evolving interpretations, business practices, and enforcement priorities, both in Texas and in other states.