After passing the Texas Senate on May 10, 2023, the Texas Data Privacy and Security Act (the “TDPSA”)[1] awaits final approval from Governor Greg Abbott. The TDPSA is intended to be a comprehensive regime for how consumers and companies interact with personal data, maximizing “both the utility of the rights provided to consumers and interoperability with other states to minimize compliance costs for businesses.”[2] However, as we have seen with many other state consumer privacy statutes to date, the law is not consistent and defines terms in a different manner than other state comprehensive privacy regimes.
In the event that the Texas Attorney General identifies a violation of the TDPSA, they must notify the individual or entity in violation at least 30 days before bringing an enforcement action. Upon receiving notice, the person has a 30-day cure period to resolve the violation and provide a written statement attesting that both the present violation and all potential future violations have been cured.
If a violation is not cured within 30 days, the offending individual or entity may face penalties including: civil penalties of up to $7,500 for each violation and/or injunctive relief to restrain or enjoin the person’s operations. Additionally, the person will be liable for reasonable attorney’s fees and other expenses incurred from investigating and bringing an action under the TDPSA.
Recommended Compliance Steps
Individuals and entities subject to the TDPSA should take the following measures to ensure compliance:
Revise or draft a consumer-facing privacy policy that describes any collection of biometric and other sensitive data and that clearly articulates the TDPSA’s five consumer rights. Businesses subject to other state privacy laws may be able to leverage their existing policies.
---
[3] The Office of Advocacy defines a small business as an independent business having fewer than 500 employees.
[4] The TDPSA exempts: (i) nonprofits organized under Chapters 20 and 22, Texas Business Organizations Code, and the provisions of Title 1, Texas Business Organizations Code; (ii) 501(c)(3), 501(c)(6), and 501(c)(12) entities; (iii) a 501(c)(4) entity that is also described by Section 701.052(a) of the Texas Insurance Code; (iv) political organizations; (v) a subsidiary or affiliate of an entity organized under Chapter 11, Texas Utilities Code.
[5] Texas law defines “transacting business” in the negative, stipulating that transacting business does not include: 1) maintaining, defending, or settling any proceeding; 2) holding meetings of officials or members or carrying on the internal affairs of the entity; 3) maintaining bank accounts; 4) maintaining an office or agency for the transfer, exchange, or registration of interests of the entity; 5) voting the interest of an entity the foreign entity has acquired; 6) making sales through independent contractors; 7) creating, as borrower or lender, or acquiring an indebtedness or security interest in real or personal property; 8) securing or collecting debts; 9) transacting business in interstate commerce; 10) conducting an isolated transaction; 11) exercising a power of executor of a will of a non-resident, as administrator of a will of a non-resident decedent, or as trustee of a trust created by non-residents or foreign entity; 12) acquiring a debt on property inside the state by a transaction outside of the state; 13) investing or acquiring a royalty or non-operating mineral interest in a transaction outside of the state; 14) executing a division order, contract of sale, or other instrument incidental to ownership of a non-operational mineral interest; 15) owning, without more, property in the state; or 16) acting as a governing person of a domestic or foreign entity registered to transact business in the state. Tex. Business Organizations Code § 9.251.
[7] “Dark pattern” means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making or choice, and includes, but is not limited to, any practice the Federal Trade Commission refers to as a “dark pattern”. H.B. 4 Sec. 541.002 (10).
[8] “Trade secret” means all forms and types of information, including business, scientific, technical, economic, or engineering information, and any formula, design, prototype, pattern, plan, compilation, program device, program, code, device, method, technique, process, procedure, financial data, or list of actual or potential customers or suppliers, whether tangible or intangible and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if: (A) the owner of the trade secret has taken reasonable measures under the circumstances to keep the information secret; and (B) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, another person who can obtain economic value from the disclosure or use of the information. H.B. 4 Sec. 541.002 (33).
[9] Types of data that must be assessed are: (1) the processing of personal data for purposes of targeted advertising; (2) the sale of personal data; (3) the processing of personal data for purposes of profiling, if the profiling presents a reasonably foreseeable risk of: (A) unfair or deceptive treatment of or unlawful disparate impact on consumers; (B) financial, physical, or reputational injury to consumers; (C) a physical or other intrusion on the solitude or seclusion, or the private affairs or concerns, of consumers, if the intrusion would be offensive to a reasonable person; or (D) other substantial injury to consumers; (4) the processing of sensitive data; and (5) any processing activities involving personal data that present a heightened risk of harm to consumers.