ADCG’S EXPLAINER: TEXAS LEGISLATURE SENDS DATA PRIVACY ACT TO GOVERNOR

On May 10, the Texas Senate approved the Texas Data Privacy and Security Act (HB 4) by a vote of 30-0. The Senate amended the bill, so it now returns to the Texas House of Representatives to review those amendments; the House passed the earlier version of the bill in April by a vote of 146-0.

If enacted, Texas will join the growing list of states with their own comprehensive data privacy legislation, including California (California Consumer Privacy Act or CCPA), Virginia (Virginia Consumer Data Protection Act or VCDPA), Colorado (Colorado Privacy Act or CPA), and Connecticut (Connecticut Data Privacy Act or CTDPA). Below are the bill’s key provisions, as amended by the Senate, together with ADCG’s compliance guide:

Scope and Exemptions

HB 4 would apply to any entity that (1) conducts business in Texas (without regard to revenue) or produces a product or service that is consumed by Texas residents, and (2) processes or engages in the sale of personal data.

HB 4 would not apply to: 

  • A small business as defined by the United States Small Business Administration (SBA)

    • Tying the exemption to the SBA’s definition of a small business has raised compliance concerns, because other state privacy laws rely on revenue and data-processing thresholds (for example, the number of consumers whose data is processed) to determine applicability. Basing applicability on business size rather than on processing volume means HB 4 will reach a noticeably different set of organizations than the other state laws.

  • A state agency or a political subdivision of this state

  • A financial institution or data subject to the Gramm-Leach-Bliley Act (GLBA)

  • A covered entity or business associate governed by the privacy, security, and breach notification rules prescribed under the Health Insurance Portability and Accountability Act (HIPAA)

  • A nonprofit organization

  • Any institution of higher education

Consumer Rights

Under HB 4, consumers would have the right to:

  • Request that a data controller confirm whether it is processing their personal data

  • Request that a data controller correct inaccuracies in their personal data

  • Request that a data controller delete personal data provided by or obtained about them

  • Obtain a copy of the personal data they previously provided to a data controller “in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance”

  • Opt-out of the data controller’s processing of their personal data “for purposes of:

    • (A) targeted advertising

    • (B) the sale of personal data

    • (C) profiling in furtherance of a decision that produces legal or similarly significant effects concerning the consumer.”

When a data controller receives a consumer request made under HB 4, it must act on the request without “undue delay,” and no later than 45 days after the request is received. That 45-day period may be extended once, by an additional 45 days, when reasonably necessary given the complexity and number of the consumer’s requests. A data controller that extends the initial response period must notify the consumer of the extension, and the reason for it, within the initial 45-day period.

Controller Obligations

Under HB 4, data controllers would be required to:

  • Limit data collection to what is “adequate, relevant, and reasonably necessary” to achieve the purposes for which the data is collected, as disclosed to the consumer at the outset of the engagement

  • Obtain consent before processing a consumer’s data for any purpose that is not “adequate, relevant, and reasonably necessary” to, or compatible with, the purposes disclosed under the previous requirement

  • Refrain from discriminating against a consumer for exercising their rights under HB 4, including, but not limited to, “denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer”

  • Obtain consumer consent before processing sensitive data, which is defined to include: “(A) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, or citizenship or immigration status; (B) genetic or biometric data that is processed for the purpose of uniquely identifying an individual; (C) personal data collected from a known child; or (D) precise geolocation data”

    • Notably, the Senate’s amended version of the bill omits “sexual orientation” from the categories of sensitive data, which differs from the CCPA, VCDPA, CPA and CTDPA, each of which treats it as sensitive

  • Provide consumers with a privacy notice that addresses the categories of personal data being collected, the purposes for processing that data, how a consumer can exercise their rights under HB 4 (including a method for submitting a request), the categories of personal data shared with third parties, and the categories of third parties that receive personal data

  • If the data controller sells personal data or processes it for targeted advertising, it must “clearly and conspicuously disclose” that practice and the manner in which a consumer may opt out of it.

Data Protection Assessments

HB 4 would require data controllers to conduct data protection assessments for processing activities that pose heightened risks to consumers, such as processing personal data for targeted advertising, selling personal data, processing personal data to profile consumers, or processing sensitive data. These assessments must “identify and weigh the direct or indirect benefits that may flow from the processing to the controller, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with that processing, as mitigated by safeguards that can be employed by the controller to reduce the risks.” The assessment must also consider the use of de-identified data, the reasonable expectations of the consumer, the context of the processing, and the relationship between the data controller and the consumer.

Universal Opt-Out Mechanism

HB 4 would require covered businesses to honor a universal opt-out mechanism, i.e., a consumer’s opt-out preference signal sent by a browser or device setting rather than a request submitted to each controller individually. This requirement is similar to those of the CCPA, CPA and CTDPA.

Enforcement 

The Texas Attorney General (AG) would have exclusive authority to enforce HB 4; there is no private right of action. A violation of HB 4 may result in civil penalties of up to $7,500 per violation. However, a data controller would have 30 days to cure a violation after receiving written notice from the AG identifying it. This right to cure is permanent, unlike the sunsetting cure period in laws such as the CPA, where the right expires on a fixed date after enactment.

If the Texas House of Representatives concurs in the Senate amendments and Governor Abbott signs the bill into law, most of HB 4’s provisions will take effect on July 1, 2024. The provision permitting consumers to designate an authorized agent to opt out of a data controller’s processing of their personal data on their behalf will not take effect until January 1, 2025.

Given the near-unanimous votes in the Texas Senate and Texas House of Representatives, businesses should begin assessing whether the bill will apply to their organization and reviewing their policies and procedures so that they can achieve compliance within the effective timeline.

* * * * * * *

To read our news alerts discussing Denmark’s proposed data privacy changes for children, privacy experts weighing in on generative AI, and Montana’s new data privacy law, click here.

This week’s breach report covers the following organizations: Zacks Investment Research, Minnesota Department of Education, Pearland ISD, and TST BOCES. Click here to find out more.

Jody Westby hosts our podcast, ADCG on Privacy & Cybersecurity, bringing together leaders in the privacy and cybersecurity arenas to discuss a wide range of issues ranging from the proposed federal and state regulations to best practices and standards for compliance. Episodes can be enjoyed on many platforms including Spotify and Apple Podcasts. Don’t forget to subscribe!

Our most recently released episodes:

92 | Interview With Tom Kemp, Silicon Valley Privacy Advocate and Author of Containing Big Tech

91 | Managed Detection & Response; The Path Forward

90 | AdTech Meets Privacy Laws

To browse our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.
