Texas has joined the growing list of US states that have enacted comprehensive data privacy laws. On May 29, the Texas legislature passed the Texas Data Privacy and Security Act (TDPSA), also known as H.B. 4, which Governor Greg Abbott signed into law on June 18.
The Act will take effect on July 1, 2024, giving businesses just over a year to prepare for compliance.
This article provides an overview of the key provisions of the Texas Data Privacy and Security Act and its implications for businesses and consumers.
The Texas Data Privacy and Security Act differs from existing state privacy laws in its broad scope, as it does not provide for any revenue or data processing volume thresholds. It applies to companies and individuals who:
Please note: As anticipated, the act does not include a data-processing volume and revenue threshold, making it applicable to most Texas businesses. However, small businesses*, as defined by the U.S. Small Business Administration (SBA), are exempted from certain provisions.
A small business, as defined by the Small Business Administration’s (SBA) Table of Size Standards, is a company that meets specific criteria based on its North American Industry Classification System (NAICS) code. These criteria vary significantly across industries, encompassing firm revenues ranging from $1 million to over $40 million and workforces ranging from 100 to over 1,500 employees.
The Texas Data Privacy and Security Act grants several rights to consumers regarding their personal data.
These rights provide consumers with greater control over their personal data and its use by businesses.
The act imposes restrictions on the collection and processing of personal data by controllers.
Sensitive data, including information such as race, ethnicity, religion, genetic or biometric data, and precise geolocation, can only be processed with the consumer’s consent.
The Texas Data Privacy and Security Act requires controllers to provide a reasonably accessible and clear privacy notice to consumers, outlining, among other things:
If controllers sell sensitive data, they are required to provide an appropriate disclosure to consumers.
For certain types of data processing, data controllers must complete data protection assessments.
The Texas Attorney General is the sole enforcement and investigative authority for the Texas Data Privacy and Security Act.
Before bringing an action against an alleged violator, the Attorney General must provide a 30-day cure period for the violation. After the cure period, the Attorney General may impose penalties of up to $7,500 per violation, as well as seek injunctive relief and attorney’s fees.