Texas is likely to become the tenth state to enact comprehensive privacy legislation after the Texas Senate approved HB 4, the Texas Data Privacy and Security Act, by a vote of 30-0 on May 10, 2023. The bill was amended in the Senate and now returns for conference in the House, which passed an earlier version of HB 4 in April by a vote of 146-0. Although the House has not yet accepted the Senate’s amendments (which both strengthen and weaken various aspects of the bill), it appears increasingly likely that the legislature will soon pass a privacy law for Governor Abbott’s signature.
Like many of the state privacy laws enacted this year, the Texas bill is largely modeled on the Virginia Consumer Data Protection Act. However, the law contains several unique differences and more closely resembles recently enacted laws in Colorado and Connecticut, which generally include “stronger” provisions than the more “business-friendly” laws passed in states like Utah and Iowa. Some of the more notable provisions of the bill are described below:
Scope and Exemptions
- The Texas law would apply to all businesses that (1) conduct business in Texas (or produce goods or services consumed in Texas) and (2) process or sell personal data (both of which are defined broadly).
- Uniquely, the Texas bill’s carveout for “small businesses” excludes only those entities that are “a small business as defined by the United States Small Business Administration.” This makes the bill’s scope notably broader than that of other state privacy laws, all of which set applicability thresholds based on revenue or the volume of personal data a business processes. It will also make it harder to determine which businesses are covered, because SBA size standards vary significantly from one industry vertical to another.
- The law requires all covered businesses regardless of size to obtain opt-in consent before processing sensitive personal data (described in more detail below).
- It excludes state agencies or political subdivisions of Texas, financial institutions subject to Title V of the Gramm-Leach-Bliley Act, covered entities and business associates governed by HIPAA, nonprofit organizations, and institutions of higher education.
- Notably, the Senate version of the bill further excludes electric utilities, power generation companies, and retail electric providers, as defined under Section 31.002 of the Texas Utilities Code.
- The bill would exclude certain categories of information, including health information protected by HIPAA or used in connection with human clinical trials, and information covered by the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act of 1974, the Farm Credit Act of 1971, emergency contact information used for emergency contact purposes, and data necessary to administer benefits.
Consumer Rights
The Texas law would provide consumers with strong individual rights, including the right to:
- Confirm whether a controller is processing the consumer’s personal data;
- Correct inaccuracies in the consumer’s personal data, taking into account the nature of the data and the purposes of the processing;
- Delete personal data provided by or obtained about the consumer;
- Obtain a copy of the consumer’s personal data that the consumer previously provided to a controller in a portable and readily usable format, if the data is available digitally and it is technically feasible; and
- Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces legal or similarly significant effects concerning the consumer.
Data controllers would be required to respond to consumer requests within 45 days, which may be extended by an additional 45 days when reasonably necessary. The bill would also give consumers a right to appeal a controller’s refusal to act on a request.
Controller Obligations
The Texas bill would impose a number of obligations on data controllers, most of which are similar to those in other recently enacted state laws:
- Data Minimization – Controllers must limit data collection to what is “adequate, relevant, and reasonably necessary” to achieve the purposes of collection disclosed to the consumer. Consent is required before processing personal data in ways that are not reasonably necessary for, or not compatible with, the purposes disclosed to the consumer.
- Nondiscrimination – Controllers may not discriminate against a consumer for exercising individual rights under the Act, including by denying goods or services, charging different rates, or providing different levels of quality.
- Sensitive Data – Consent is required before processing sensitive data, which includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, citizenship or immigration status, genetic or biometric data processed for the purpose of uniquely identifying an individual, personal data collected from a known child under 13, and precise geolocation data.
- The Senate version of the bill excludes data revealing “sexual orientation” from the categories of sensitive information, which differs from all other state privacy laws.
- Privacy Notice – Controllers must provide a privacy notice that includes (1) the categories of personal data processed by the controller (including any sensitive data), (2) the purposes for the processing, (3) how consumers may exercise their individual rights under the Act, including the right of appeal, (4) any categories of personal data that the controller shares with third parties and the categories of those third parties, and (5) a description of the methods available to consumers to exercise their rights.
- Targeted Advertising – A controller that sells personal data to third parties for purposes of targeted advertising must clearly and conspicuously disclose to consumers their right to opt out.
Data Protection Assessments
Unlike some of the “business-friendly” privacy laws in Utah and Iowa, the Texas bill would require controllers to conduct data protection assessments for certain types of processing that pose heightened risks to consumers. The assessments must identify and weigh the benefits of the processing to the controller, the consumer, other stakeholders, and the public, against the potential risks to the consumer as mitigated by any safeguards that could reduce those risks. The categories that require assessments are identical to those required by the Connecticut Data Privacy Act and include:
- Processing personal data for targeted advertising;
- The sale of personal data;
- Processing personal data for profiling consumers, if such profiling presents a reasonably foreseeable risk to consumers of unfair or deceptive treatment, disparate impact, financial, physical or reputational injury, physical or other intrusion upon seclusion of private affairs, or “other substantial injury;”
- Processing of sensitive data; and
- Any processing activities involving personal data that present a “heightened risk of harm to consumers.”
Universal Opt-Out Mechanism
The Senate version of the bill would require businesses to recognize a universal opt-out mechanism for consumers, similar to the provisions in Colorado, Connecticut, California and Montana, but it would give businesses more leeway to disregard those signals if they cannot verify the consumer’s identity or lack the technical ability to receive the signal. The House version of the bill does not currently include a similar provision.
Enforcement
The bill would give the Attorney General exclusive authority to enforce the law, with civil penalties of up to $7,500 per violation. Businesses would have a 30-day right to cure violations upon written notice from the Attorney General. Unlike several other state laws, the right to cure has no sunset provision and would remain a permanent part of the law. The bill does not include a private right of action.
We will continue to closely monitor this legislation and other state comprehensive privacy laws. If you have questions about this or any other privacy or cybersecurity matter, please contact Ben Rossen or Matthew Baker, or any other member of the Baker Botts privacy and cybersecurity team.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.