Texas: Bill for Data Privacy and Security Act signed by Governor

On June 18, 2023, House Bill 4 for the Texas Data Privacy and Security Act was signed by the Governor of Texas. The bill enters into effect on July 1, 2024, although provisions on the ability of consumers to direct a third party to opt-out of the processing of personal data on their behalf do not enter into effect until January 1, 2025.

In particular, the bill defines terms including 'biometric data,' 'consent,' 'consumer,' 'controller,' 'deidentified data,' 'personal data,' 'processing,' 'pseudonymous data,' 'sensitive data,' 'sale of personal data,' and 'decision that produces a legal or similarly significant effect concerning a consumer.'

Scope

The bill applies to persons that:

  • conduct business in Texas or produce a product or service consumed by residents in Texas;
  • process or engage in the sale of personal data; and
  • are not a small business as defined by the United States Small Business Administration, except to the extent that organizations are exempt as provided for under the bill.

Notably, the bill does not apply to the processing of personal data by a person in the course of a purely personal or household activity. Organizations including those subject to the Gramm-Leach-Bliley Act (GLBA), entities subject to the Health Insurance Portability and Accountability Act (HIPAA), non-profit organizations, and institutions of higher education, among others, are also not subject to the bill.

Data subject rights

Further, the bill provides for consumers' rights including the right to be informed, correct inaccuracies, delete personal data about the consumer, data portability where technically feasible, and to opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling where the decision produces a legal or significant effect.

Data controllers must comply with consumer requests without undue delay, and in any case no later than 45 days after receipt of the request; the response period may be extended by another 45 days where reasonably necessary. Data controllers must also inform consumers when declining to comply with consumer requests and must provide information free of charge when applicable, except when requests are manifestly unfounded, excessive, or repetitive.

Obligations

The bill provides data processing principles including purpose limitation, alongside confidentiality, integrity, and accessibility of personal data. Regarding sensitive data, controllers must not process sensitive data without obtaining consumer consent, or in the case of a known child, without processing data in accordance with the Children's Online Privacy Protection Act (COPPA).

The bill outlines that data controllers must provide a privacy notice containing required information such as the categories of personal data to be processed, the purpose of processing, how consumers can exercise their data subject rights, and the categories of data shared with third parties. The notice must also state whether the controller sells sensitive personal data or biometric data, using a particular notice for each type of data that must be included.

The relationship between a controller and a processor must also be governed by a contract between them, with the bill detailing the required contents of such a contract. Further, the bill details the steps that controllers must take when in possession of deidentified data.

The bill specifically prescribes that small businesses must not engage in the sale of sensitive personal data without receiving prior consent from the consumer.

Assessments

Controllers must conduct a Data Protection Assessment (DPA) for activities involving personal data, including where:

  • the processing is for targeted advertising;
  • the processing involves the sale of personal data;
  • the processing is for the purpose of profiling, and the profiling presents reasonably foreseeable risks;
  • the processing involves sensitive data; and
  • the processing activities involve personal data that presents a heightened risk of harm to consumers.

DPAs must identify and weigh the direct or indirect benefits that may flow from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with that processing, as mitigated by safeguards that the controller can employ to reduce those risks. DPAs must also be made available to the Texas Attorney General (AG) on demand.

Enforcement

The AG has exclusive authority to enforce the bill and may issue a civil investigative demand where they have reasonable cause to believe that a person has engaged in or is engaging in a violation of the bill. The bill establishes that persons may be liable to a penalty not exceeding $7,500 for each violation under the bill.

You can read the bill here and track its progress here.