With the signing of the Texas Data Privacy and Security Act (TDPSA) on June 18, Texas became the 10th state to adopt a consumer privacy law.
Texas joined nine other states with the new law, and others are going in the same direction in the absence of a comprehensive federal law. The TDPSA will go into effect on July 1, 2024—the same day as the newly passed Florida Digital Bill of Rights.
California started the trend with the California Consumer Privacy Act (CCPA), which took effect in 2020. By June 2023, a number of other states had followed with their own laws, including Virginia, Connecticut, Colorado, Utah, Iowa, Tennessee, and Montana. During the 2022–2023 legislative session, 16 additional states introduced privacy bills addressing a range of issues from biometric identifiers to health data.
Don’t Mess with Texas Data
The TDPSA gives Texas residents acting in an individual or household context (Texas consumers) the right to know how their personal data is collected, used, and sold. It aims to protect that personal data by limiting its collection to what is adequate, relevant, and reasonably necessary for the disclosed purpose for which it is being processed.
The act allows Texas consumers access to how their personal data is being used and provides them the right to correct inaccuracies in the data collected or to delete it. It also allows consumers the right to opt out of the processing of their data for targeted advertising, the sale of their data, and the use of their data for other similar purposes.
The TDPSA applies to organizations that engage in the following:
- Conduct business in Texas or produce products or services that are consumed by the residents of Texas
- Process or engage in the sale of personal data
- Are not defined by the United States Small Business Administration (SBA) as a small business
However, an organization that meets the first two requirements but qualifies as a small business must still comply with one section of the act: it must obtain a consumer's consent before selling that consumer's sensitive personal data. The act does not apply in the business-to-business or employment context, and it exempts state agencies, higher education institutions, nonprofit organizations, and entities governed by the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act.
The TDPSA has a wide and perhaps somewhat confusing reach. For example, the SBA has several definitions of small business that can vary depending on the organization’s industry. The act also applies to organizations with services “consumed by” Texans, so some organizations may be surprised to learn they are subject to the act’s requirements even though the organization never “targeted” Texas consumers.
The act is enforced exclusively by the Texas attorney general; it does not create a private right of action for individuals, unlike the breach-related private right of action found in the California Privacy Rights Act (CPRA) and some other state privacy laws. Before bringing an action, the attorney general must give the violator 30 days to cure the violation; an uncured violation is subject to a civil penalty of up to $7,500 per violation. Unlike some other state laws, the TDPSA's cure period has no sunset date. The attorney general can also recover attorneys' fees and other expenses incurred in investigating and bringing an enforcement action.
The TDPSA gives companies some leeway in how consumers submit opt-out requests, but the method must be consistent with how consumers typically interact with the company and cannot require the consumer to create a new account.
What Does the New Law Mean for Organizations Operating in Texas?
With every new state privacy law comes new obligations that impact how organizations collect, use, and manage data and new implications for those organizations’ cyber liability insurance coverage.
Five operational items that Texas organizations should focus on to comply with the act are:
- Texas consumer consent is needed to process personal data for a purpose that is neither reasonably necessary for nor compatible with the purpose disclosed when the data was collected.
- The organization will need to provide Texas consumers with a privacy notice, including, where applicable, a conspicuous notice that it may sell their sensitive personal data.
- Organizations must conduct and document a data protection assessment for processing that presents a heightened risk of harm to consumers, weighing the benefits to the organization and the consumer against the potential risks to the consumer.
- Organizations can authenticate opt-out requests and do not have to comply with opt-out requests that are not authenticated.
- Organizations that are processors, which are analogous to "service providers" under the CPRA, will need a written data protection agreement (DPA) in place with the data controller.
What Are the Cyber Liability Insurance Implications?
With the passing of the TDPSA, there is yet another intricate privacy law going into effect that adds new burdens and liabilities for organizations regarding compliance with data privacy. This evolving patchwork of state laws will continue to push the boundary of privacy liabilities that companies face and how cyber insurance policies provide coverage for these risks.
There are two key coverage items that need to be highlighted.
- Make sure the cyber insurance policy covers the range of privacy violations addressed by the state privacy laws. Not all cyber policies are created equal: non-breach-related privacy violations (typically called "wrongful collection") are a coverage expansion that is often not included in a standard cyber insurance policy form. And many of these laws go beyond consumer rights around the "collection" of data, so a well-brokered cyber insurance policy should address all of the consumer rights granted by these laws.
- Know who is allowed to bring a claim against you under your cyber insurance policy. Does the policy’s coverage allow for the claim to come from consumers, regulators or both? Cyber policies provide coverage for liability claims from consumers after a network security and privacy incident. There is also regulatory coverage included to respond to fines and penalties assessed by regulators like a state attorney general. Many of these state laws allow violations to be enforced by a state regulator, such as the state attorney general. Fewer allow a private right of action to be brought directly by consumers.
Both coverage items can have a place in cyber policy form but will require companies to demonstrate effective controls to respond to the requirements being imposed by state legislatures. Organizations will also need to have an insurance broker trained in the nuances of this line of insurance and who can provide valuable partnership when approaching cyber insurance providers.
The Need for a Federal Solution
Each state that passes its own privacy legislation highlights the need for a uniform federal solution that ensures the security of consumer data and sets consistent rules for how consumer data is collected, used, and stored.
As more states pass their own privacy laws, each law creates its own set of compliance requirements for businesses, along with a myriad of enforcement schemes, including private rights of action and attorney general enforcement actions.
This confusing situation has the potential to hinder businesses that operate across state lines, which includes almost every business that operates online.