Key point: Texas is the fifth legislature to pass a broad consumer data privacy bill this year, with a bill that is a more consumer-friendly version of the Virginia law.

On May 28, 2023, the Texas legislature passed Republican Representative Giovanni Capriglione’s Texas Data Privacy and Security Act (HB 4). Subject to the procedural formalities, the bill will move to Texas Governor Greg Abbott, who will then have twenty days from final adjournment to sign it, veto it, or allow it to become law without his signature.

Assuming the bill becomes law, Texas will become the tenth state – and fifth state this year – to pass a consumer data privacy bill. With a population of over thirty million people, Texas will be the second largest state (after California) to pass such legislation.

Importantly, the Texas bill passed the legislature after a conference committee process that reconciled differences between the versions that passed the House and Senate. The conference committee made changes to the bill such that reports or summaries of the bill before it passed the legislature on May 28 may be outdated.

The bill generally follows the Virginia model with some notable variations discussed below.

Modified Applicability Standard

The most significant difference between the Texas bill and the nine laws passed to date is the bill’s unique applicability standard. The bill applies to persons that (1) conduct business in Texas or produce products or services consumed by Texas residents, (2) process or engage in the sale of personal data, and (3) are not small businesses as defined by the United States Small Business Administration (SBA).

In that respect, the bill does not track what has become the traditional approach to applicability for Virginia variant laws where the laws apply to entities that (1) control or process the personal data of at least 100,000 consumers in a calendar year (or higher or lower numbers as found in Tennessee and Montana) or (2) derive some revenue (typically 25% or 50% of gross revenue) from the sale of personal data and process or control the personal data of at least 25,000 consumers.

With respect to the second requirement, the bill defines “sale of personal data” as “the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.” That definition is similar to the CCPA’s definition of sale. Given that the selling of personal data is a requirement for the Texas law to apply, companies will no doubt be carefully focusing on whether any of their processing activities qualify as sales.

With respect to the third factor, there are various resources available for determining whether an entity is a small business, including the SBA’s Office of Advocacy’s Frequently Asked Questions, the SBA’s Table of Small Business Size Standards, and the SBA’s Size Standard Tools. For reference, the Frequently Asked Questions document published by the SBA’s Office of Advocacy in March 2023 states that “[t]here are 20,868 large businesses.”

Notably, if a person satisfies the first two requirements but is a small business under the third requirement, it still needs to comply with section 541.107 of the act, which requires small businesses to obtain consumer consent for the sale of sensitive personal data.

Finally, the bill contains a number of data and entity level exemptions, including exemptions for data and entities subject to the Gramm-Leach-Bliley Act and HIPAA covered entities and protected health information.

Additional “Sell” Disclosures

The bill’s privacy policy provisions largely track the Virginia model with the exception that controllers that sell sensitive personal data must include the following statement in their notice: “We may sell your sensitive personal data” and controllers that sell biometric data must include the following statement in their notice: “We may sell your biometric personal data.”

Requirement to Recognize Universal Opt-Out Mechanisms

The bill requires controllers to recognize universal opt-out mechanisms to opt out of the sale of personal data and targeted advertising. In doing so, Texas becomes the fifth state to require controllers to recognize such signals, joining California (through rulemaking), Colorado, Connecticut and, most recently, Montana. This requirement goes into effect on January 1, 2025.

Differences from Connecticut, Colorado, and Montana

The Texas bill contains some key differences from the more consumer-friendly Virginia variant data privacy bills passed to date:

  • Children. The Texas bill does not contain the additional protections for children’s data found in the Connecticut and Montana laws. Those laws require consumer consent to engage in the sale of personal data or for targeted advertising for children ages 13 to 15.
  • Revocation of Consent. The Texas bill does not specify that consent can be revoked, as do the laws in Connecticut and Montana (a right that was added in Colorado through the rulemaking process).
  • Authentication of Opt-Out Requests. The Texas bill states that controllers can authenticate opt-out requests. The Connecticut and Montana laws do not require opt-out requests to be authenticated.
  • Biometric Data. The Texas bill’s definition of biometric data tracks the definition found in the Virginia law, making it narrower than the definitions found in Connecticut, Montana and, through rulemaking, Colorado.
  • Non-profits. The Texas bill does not cover non-profits, leaving Colorado as the only law to cover non-profits to date.
  • Rulemaking. The bill does not require interpretative rulemaking. Colorado remains the only Virginia variant to require rulemaking to date.

Enforcement

The bill will be enforced by the Attorney General’s office. There is no private right of action. Prior to bringing an enforcement action, the Texas Attorney General must provide a violation notice and allow the person thirty days to cure the violation. The right to cure provision does not sunset.

In the Fiscal Note published with the conference committee report, the Attorney General’s office estimated that it will need twelve additional full-time equivalents to handle the increase in workload resulting from the bill.

Effective Date

If enacted into law, the bill will go into effect on July 1, 2024. In a prior version of the bill, the effective date was March 1, 2024. The additional four months were added during the conference committee process.

Although Texas is the fifth state to pass a consumer data privacy bill this year, the bill will go into effect prior to any of the other laws passed this year:

  • October 1, 2024 – Montana
  • January 1, 2025 – Iowa
  • July 1, 2025 – Tennessee
  • January 1, 2026 – Indiana