Texas’ New Privacy Law Goes Into Effect – And Attorney General Builds Enforcement Team

Since the passing of the California Consumer Privacy Act (CCPA) in 2018, California has led the nation in privacy regulation and enforcement. But, beginning July 1, 2024, Texas will be the new sheriff in town.

On July 1, Texas’ Data Privacy and Security Act goes into effect as one of the strongest state consumer privacy laws in the country. This follows Texas Attorney General Ken Paxton’s announcement on June 4, 2024, of the formation of a special task force within the office’s Consumer Protection Division dedicated to the enforcement of Texas’ privacy laws. “Any entity abusing or exploiting Texans’ sensitive data will be met with the full force of the law,” promised Paxton. In addition to enforcing the new law, the attorney general’s privacy team will be responsible for enforcing the state’s Identity Theft Enforcement and Protection Act, Data Broker Law, Capture or Use of Biometric Identifier Act, and Deceptive Trade Practices Act, as well as federal privacy laws, including the Children’s Online Privacy Protection Act (COPPA) and the Health Insurance Portability and Accountability Act (HIPAA).

In his announcement, the Texas attorney general emphasized that the new team will be focused on the “aggressive enforcement” of the state’s privacy laws. He added, “Companies that collect and sell data in an unauthorized manner, harm consumers financially, or use artificial intelligence irresponsibly present risks to our citizens that we take very seriously.”

This initiative is evidence of a growing emphasis on privacy and cybersecurity enforcement at the state level. Through enforcement actions, rulemaking, participation in legislative reform, and, in California, the creation of a dedicated Privacy Protection Agency, state regulators are taking a leading role in shaping data practices and governance controls. While Texas has not followed California in creating a separate privacy agency, the special task force within the office of the Texas attorney general may allow Texas to develop similarly dedicated capabilities. Other states that also assign privacy enforcement responsibilities to their attorneys general are likely to take note.

In this article, we summarize the key Texas privacy and cybersecurity laws and highlight the potential scope of enforcement by the Texas attorney general’s special task force.

1. Texas Data Privacy and Security Act Enforcement

Once effective on July 1, 2024, the Texas Data Privacy and Security Act (TDPSA) will establish new obligations for a wide range of businesses that process personal information, including those that are exempt from other state privacy laws because they do not meet applicable thresholds.

Unlike most other comprehensive state privacy laws, the TDPSA contains no applicability threshold based on the number of consumers whose personal information is processed or on annual revenue. Instead, it applies to any person (a “controller”) that conducts business in Texas or produces a product or service consumed by Texas residents, and that processes or sells personal information. Only “small businesses,” as defined by the U.S. Small Business Administration (SBA) under size standards that vary by industry and are expressed as revenue or employee-count limits, are exempt from most (but not all) requirements. For instance, even a small business may not sell sensitive personal information without first obtaining the consumer’s consent.

The TDPSA contains entity-level and data-specific exemptions similar to those found in other consumer privacy laws, and the law does not apply to nonprofit organizations. Moreover, the TDPSA protects only consumers acting in a personal or household capacity, meaning that, unlike the CCPA, it does not apply in business-to-business (B2B) contexts and does not protect employee data.

Key provisions of the TDPSA require controllers to:

  • provide Texas residents with rights to access, delete, and correct their personal information
  • allow Texas residents to opt out of the sale of their personal information and opt out of the processing of personal information for targeted advertising or for “profiling” purposes
  • obtain consent to collect a consumer’s sensitive data, including data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexuality, citizenship or immigration status, genetic or biometric data, children’s data, and precise geolocation
  • establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal information that are “appropriate” to the volume and nature of the personal information
  • conduct data protection assessments for activities that involve targeted advertising, the sale of personal information, profiling, the processing of sensitive data, or that otherwise present a heightened risk of harm to consumers
  • provide a specific notice for selling sensitive data

The TDPSA also imposes certain requirements on “processors” (a person or entity that processes personal information on behalf of a controller). Processors must, by contract, agree to assist controllers in meeting their obligations under the TDPSA. For example, processors must help controllers respond to consumer rights requests, maintain appropriate security controls, and conduct data protection assessments.

The TDPSA’s requirements to recognize and respect universal opt-out mechanisms, such as the Global Privacy Control, will take effect on January 1, 2025.
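As an added illustration (not code from the article or from any Texas agency), the following shows how a site can honor the Global Privacy Control signal, which browsers send as the `Sec-GPC: 1` request header and expose to page scripts as `navigator.globalPrivacyControl`. The consent-record shape, the function names, and the sample requests are constructed assumptions for the example.

```javascript
// Added example: recognizing a universal opt-out mechanism (Global Privacy
// Control) on a server and in a page. Not from the article; the consent
// record shape and sample requests below are assumptions for illustration.

// The GPC specification defines the request header "Sec-GPC" with the value
// "1" as the opt-out signal. Any other value, or no header, is not an opt-out.
// HTTP header names are case-insensitive, so the lookup normalizes the name.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Browser-side counterpart: the same signal is exposed to scripts as a
// boolean on navigator. A missing property means the signal is not set.
function clientSignalsGpc(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Combine the per-request signal with choices the consumer recorded earlier.
// `storedPrefs` is an assumed shape: { saleOptOut: bool, targetedAdsOptOut: bool }.
// The signal is treated as an opt-out of both sale and targeted advertising,
// and a previously recorded opt-out is never undone by a later request that
// happens to arrive without the header.
function resolveOptOuts(headers, storedPrefs = {}) {
  const gpc = hasGpcSignal(headers);
  const saleOptOut = Boolean(storedPrefs.saleOptOut) || gpc;
  const targetedAdsOptOut = Boolean(storedPrefs.targetedAdsOptOut) || gpc;
  let source = "none";
  if (gpc) source = "sec-gpc";
  else if (saleOptOut || targetedAdsOptOut) source = "stored";
  return { saleOptOut, targetedAdsOptOut, source };
}

// Translate the resolved choices into the data flows a request may trigger.
// First-party processing needed to deliver the requested service is not a
// "sale" and is unaffected by the signal.
function allowedDataFlows(headers, storedPrefs) {
  const o = resolveOptOuts(headers, storedPrefs);
  return {
    shareWithAdPartners: !o.saleOptOut,
    buildTargetingProfile: !o.targetedAdsOptOut,
    essentialProcessing: true,
  };
}

// Constructed sample requests (not real traffic) showing the edge cases:
// mixed-case header names, a "0" value, and a stored opt-out with no header.
const sampleRequests = [
  { headers: { "Sec-GPC": "1", host: "example.test" }, prefs: {} },
  { headers: { "sec-gpc": "0" }, prefs: {} },
  { headers: {}, prefs: { saleOptOut: true } },
  { headers: { "SEC-GPC": " 1 " }, prefs: { saleOptOut: false } },
];

for (const r of sampleRequests) {
  console.log(JSON.stringify(r.headers), "->", allowedDataFlows(r.headers, r.prefs));
}
```

The check is deliberately strict: only the literal value `1` counts, so a malformed or spoofed `Sec-GPC: yes` does not silently expand or shrink the consumer's choices, and the stored preference is combined with the signal rather than replaced by it.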

Given the TDPSA’s nuances compared to other current state privacy laws, businesses should closely analyze how the new requirements apply to their products and services and adjust their compliance programs accordingly.

2. Texas Biometric Law

The Texas attorney general’s new privacy enforcement team will lead efforts to enforce the state’s Capture or Use of Biometric Identifier Act (CUBI). This law imposes obligations on any person who captures or possesses a biometric identifier for a commercial purpose. “Biometric identifier” is defined as a “retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry.” CUBI requires that the individual be informed and give consent before a biometric identifier is captured, and it prohibits selling, leasing, or otherwise disclosing the identifier except in limited circumstances spelled out in the statute (for example, where required by law). Possessors must also protect stored identifiers with reasonable care and destroy them within a reasonable time after the purpose for collecting them expires.

The Texas attorney general has exclusive authority to enforce the law and may impose a civil penalty up to $25,000 per violation. Unlike Illinois’ BIPA, the law does not grant a private right of action.

Although CUBI was enacted in 2009 as one of the first biometric privacy laws in the country, the Texas attorney general brought its first major enforcement action under the statute only in February 2022, a suit against Meta over Facebook’s facial-recognition tagging feature, which settled in July 2024 for $1.4 billion. We anticipate that the attorney general’s new privacy division will devote increasing attention to businesses’ use of biometric technology.

3. Texas Data Broker Law

On March 1, 2024, Texas’ data broker registry, implemented as part of a 2023 Data Broker Law, became operational, making Texas the fourth state to enact a data broker law after California, Vermont, and Oregon.

The law applies to businesses whose “principal source of revenue” derives from “collecting, processing, or transferring of personal data that the entity did not collect directly from the individual” and that either (i) derive more than 50% of their revenue from processing or transferring such indirectly collected personal data or (ii) derive revenue from processing or transferring the indirectly collected personal data of more than 50,000 individuals.

The definition of a “data broker” is both broader and narrower than under other state data broker registration statutes. On the one hand, it is broader because it potentially captures businesses (other than “service providers,” as defined under the statute) that merely process data they obtain indirectly, rather than businesses that strictly “sell” such data. On the other hand, the statute is narrower because processing such data must be the business’s “principal source of revenue.” The statute also provides meaningful exceptions for “publicly available data” and “deidentified data.”

Data brokers must register with the Texas Secretary of State by filing a registration statement and paying a $300 fee. They must also post on their website or mobile application a conspicuous data broker disclosure and comply with specific security requirements.

The law allows for the state to impose fines but does not allow for a private right of action.

The Texas attorney general’s office has already sent notice letters to more than 100 businesses that are registered as data brokers in states other than Texas.

4. Texas Attorney General’s Investigation Into Car Manufacturers’ Data Practices

The Texas attorney general recently opened an investigation into several car manufacturers after prominent reports, including in the New York Times, that car manufacturers are secretly selling large volumes of data about driving behavior to insurance providers and other third parties. The investigation is being conducted under the Texas Deceptive Trade Practices Act, which empowers the attorney general to investigate false, misleading, or deceptive acts or practices.

According to the Texas attorney general’s press release, the attorney general’s office instructed car manufacturers and the third parties to which they sold data to produce documents relevant to their conduct, including copies of the notices they provided to consumers to inform them about these practices.

Other regulators have turned their attention to the data processing practices of car manufacturers. Last year, the California Privacy Protection Agency announced a review of data privacy practices by connected vehicle manufacturers and related technologies, and the Connecticut attorney general’s office announced it sent a notice to cure to a popular car brand due to privacy concerns around the collection and sharing of drivers’ personal information by connected vehicles.

5. Implications

Texas is the next large state to join California in implementing general consumer privacy legislation. Businesses handling consumer data should be prepared for the potential of increased enforcement activity in Texas, making compliance with applicable consumer privacy laws essential. Further, Texas’ proactive stance may also inspire other states to establish specialized privacy enforcement teams, which may lead to increasing overall regulatory scrutiny across the United States.