
Texas to Become The 10th US State to Adopt Comprehensive Data Protection Law

31 May 2023

Texas is poised to become the tenth US state to pass a comprehensive data protection law, after its legislature unanimously passed a bill to adopt the “Texas Data Privacy and Security Act” (“the Bill”). The legislation is now heading to Texas’ governor, who is expected to approve it into law.

The new Bill mirrors the privacy laws of several other US states (most notably Virginia, Colorado and Connecticut), and once enacted it will take effect on 1 July 2024.

Below are some of the Bill’s key features and requirements:

 

Unique scope of application

In contrast to other state privacy laws that set specific thresholds tied to annual turnover from the sale of personal data or the volume of processed personal data for the applicability of their laws, the Bill takes a more expansive approach and would apply to all entities that:

  1. Conduct business in Texas or produce a product or service that is consumed by Texas’ residents;
  2. Process or engage in the sale of personal data; and
  3. Do not act as a “small business” as defined by the United States Small Business Administration.

 

Certain financial and health institutions as well as non-profit organizations and institutions of higher education are exempted from the Bill. In addition, the Bill would also exclude certain categories of data, inter alia, health information protected by the Health Insurance Portability and Accountability Act (HIPAA) and data covered by specific federal legislation such as the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, or the Family Educational Rights and Privacy Act (1974).

 

Controllers’ obligations

The Bill imposes common obligations on data controllers, similar to those found in recently enacted US state privacy laws, including: a) ensuring data minimization and purpose limitation; b) not discriminating against consumers who exercise their rights; c) implementing industry-standard administrative, technical and physical data security practices; d) conducting and documenting a data protection impact assessment; e) obtaining opt-in consent from consumers for the processing of sensitive data; f) entering into data protection agreements; and g) providing consumers with a clear and meaningful privacy notice.

Another nuance of the Bill is that it would require data controllers to include, where appropriate, the following statement in their privacy notice: “We may sell your sensitive personal data”, or “We may sell your biometric personal data”.

 

Consumer rights

The Bill empowers consumers with the classic wide range of rights over their personal data, including the rights to access, correct and delete their personal data, the right to data portability, and the right to opt out of certain uses of their personal data, including targeted advertising, the sale of personal data and certain automated profiling. Additionally, the Bill would provide consumers with a right to appeal the controller’s decision to reject their request.

 

Requirements to recognize universal opt-out mechanisms

Among other requirements, the Bill requires data controllers to recognize universal opt-out mechanisms for consumers, akin to provisions in Colorado, Connecticut, California and Montana, which allow consumers to express their privacy preferences across multiple websites, apps or online services at once. This requirement would go into effect on 1 January 2025.

 

Enforcement

Unlike California’s privacy law, for example, the residents of the “Lone Star State” will not be provided with a private right of action, and the Texas Attorney General will have the sole authority to enforce violations of the Bill. Prior to initiating any enforcement action, the Attorney General will provide 30 days’ notice identifying the specific alleged violations of the Bill. If the violations are not cured within these 30 days, the Attorney General may impose a civil penalty of up to $7,500 for each violation.

For your convenience, following is a list of all state privacy laws which have passed so far, the effective dates of each respective act, as well as links for our previous updates regarding each:

 

Companies providing services to consumers in the United States should evaluate their exposure to this additional data protection regulatory regime in Texas. Feel free to contact us if you have any questions regarding the Bill and its practical implications.
