
Texas is joining a growing number of states in passing comprehensive privacy legislation intended to safeguard consumer personal data.[1] Specifically, the Texas Data Privacy and Security Act (the “Act”) adds protections for consumers[2] and their personal data, which includes any information that is linked or reasonably linkable to an identified or identifiable individual.[3]


The Act operationalizes its core goals by empowering consumers with certain rights while also imposing a number of significant duties on parties controlling or otherwise processing consumer personal data, including persons and entities which:

  1. Conduct business in the State of Texas or produce a product or service that is consumed by residents of Texas;
  2. Process or sell personal data; and
  3. Do not qualify as a “small business” as defined by the U.S. Small Business Administration.[4]

It is important to note that although the Act expressly exempts covered entities and business associates which are governed by HIPAA,[5] the Act may still be pertinent to players within the healthcare space which are not subject to HIPAA.

Duties of Controllers and Processors

The Act imposes a number of specific duties on qualifying controllers[6] of personal data, including by way of example that they:

  1. Limit collection of personal data to data which is adequate, relevant, and reasonably necessary for the purposes for which such personal data is being processed;[7]
  2. Implement and maintain reasonable administrative, technical, and physical data security practices as appropriate in light of the volume and nature of the personal data at issue;[8]
  3. Establish two (2) or more “secure and reliable” methods for consumers to submit requests regarding their personal data;[9]
  4. Provide consumers with notices regarding how their data is being processed as well as of their rights, as more particularly detailed below;[10]
  5. Disclose to consumers the fact that the controller sells personal data to third parties (to the extent applicable) and explain how a consumer can opt out;[11]
  6. Disclose to consumers processing of personal data for targeted advertising (to the extent applicable) and explain how a consumer can opt out;[12] and
  7. Take certain steps to protect and preserve deidentified data to the extent the controller maintains such data.[13]

The Act also requires that each controller complete a data protection assessment[14] which, in many respects, mimics a security risk analysis required by HIPAA, with a more consumer-oriented focus. In particular, an assessment must address the sale of personal data, processing of personal data for targeted advertising purposes, processing of sensitive data, or processing which presents a reasonably foreseeable risk of harm to consumers, among other items.[15]

In addition, the Act imposes a number of duties on processors.[16]

Consumer Rights

The Act further empowers consumers by allowing them to request certain actions or information from controllers and by requiring that controllers comply with such requests.[17] For example, controllers must:

  1. Confirm whether the controller is processing the consumer’s personal data;
  2. Provide access to the personal data pertinent to the requesting consumer being processed by such controller;
  3. Correct inaccuracies in the consumer’s personal data;
  4. Delete personal data provided by or otherwise obtained from the consumer;
  5. Provide a copy of certain of the consumer’s personal data if such personal data is in a digital format and it is technically feasible to provide a copy; and
  6. Allow the consumer to opt out of the processing of the consumer’s personal data for purposes of targeted advertising, sale of personal data, or certain profiling-related activities.[18]

Additional Considerations

The Act includes a number of additional provisions that are worthy of note, including:

  • Contractual provisions seeking to waive or otherwise limit a consumer’s rights under the Act are considered to be void as against public policy.[19]
  • The Act provides the Texas Attorney General with exclusive jurisdiction to enforce the Act as there is currently no private cause of action for consumers.[20]
  • The Act authorizes civil penalties not to exceed $7,500 per violation.[21]

Putting it Into Practice

Businesses operating in Texas should assess whether the Act will apply to their activities. If the Act is applicable, businesses should begin assessing whether their current (or intended) operations are compatible with the Act’s limitations and should begin conducting a data protection assessment to identify any vulnerabilities. In addition, businesses should begin preparing policies, procedures, and other systems to ensure they are ready to respond to consumer requests.


[1] As of this writing, the legislation in question is currently awaiting final signature by the Governor of Texas.

[2] A “consumer” is defined as “an individual who is a resident of this state acting only in an individual or household context.” Section 541.001(7). It is worth noting that the Act expressly excludes “an individual acting in a commercial or employment context.” Section 541.001(7).

[3] Section 541.001(19). It is worth noting that the Act expressly excludes deidentified data or publicly available information. Section 541.001(19). In addition, the Act exempts sixteen (16) categories of information, including by way of example, protected health information under HIPAA, health records, patient identifying information, personal data regulated by the Family Educational Rights and Privacy Act, and information connected with certain qualifying research. Section 541.003.

[4] Section 541.002(a). The Act notably excludes state agencies and other political subdivisions of the state, certain financial institutions, nonprofit organizations, and institutions of higher education. Section 541.002(b).

[5] Section 541.002(b).

[6] Specifically, the Act defines “controller” to include “an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data.” Section 541.001(8).

[7] Section 541.101(a)(1).

[8] Section 541.101(a)(2).

[9] Section 541.055(a). It is worth noting that the Act prohibits a controller from requiring a consumer to create a new account to exercise his/her rights under the Act, but allows a controller to require use of an existing account. Section 541.055(b). In addition, if the controller maintains an internet website, the controller is obligated to make its website available to consumers to facilitate requests. Section 541.055(c).

[10] Section 541.102.

[11] Section 541.103.

[12] Id.

[13] Section 541.106.

[14] Section 541.105.

[15] Section 541.105(a).

[16] Section 541.104. The Act defines a “processor” as “a person that processes personal data on behalf of a controller.” Section 541.001(23). Processors effectively function as the equivalents of business associates in the HIPAA universe.

[17] Section 541.051. The Act does, however, provide that if the controller is unable to authenticate a request after using commercially reasonable efforts, the controller is not obligated to comply with the specific request. Section 541.052(e). In addition, the controller may request additional information from the consumer to assist in the authentication process. Section 541.052(e).

[18] Section 541.051(b).

[19] Section 541.054.

[20] Section 541.151; Section 541.156.

[21] Section 541.155(a).