Legal Tech • July/August 2024
Protecting Consumer Data Privacy
A look at the Texas Data Privacy and Security Act.
Written by Pierre Grosdidier
Texas is the latest state to protect consumer data privacy with the Texas Data Privacy and Security Act.1 The act protects the personal data, including the sensitive data, of Texas residents. Personal data is “information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual.” Sensitive data includes racial, ethnic, religious, health, sexual, and nationality information; genetic or biometric data; children’s data; and precise geolocation data. The act also protects pseudonymous data when it can be used with additional information to identify individuals.2
The act applies broadly to a person who conducts business in Texas or “produces a product or service consumed by [Texas] residents,” and “processes or engages in the sale of personal data.” There is no threshold for revenue or data volume. The act does not apply to small businesses (unless they process sensitive data), Texas state agencies and political subdivisions, covered entities under HIPAA and the Gramm-Leach-Bliley Act, nonprofits, higher education institutions, electric utilities, power generation companies, and retail electric providers. The act also does not apply to certain categories of personal data, including those processed in the employment context and those that are regulated by various federal statutes, such as HIPAA.3
Importantly, the act adopts the European Union’s General Data Protection Regulation’s controllers and processors framework. A controller “determines the purpose and means of processing personal data,” and a processor “processes personal data on behalf of a controller.” Controllers “shall limit the collection of personal data” to what is reasonably necessary for the controller’s purposes, as disclosed to the consumer, and protect the data with measures “appropriate to the volume and nature of the personal data at issue.” Controllers cannot process personal data in a manner that is discriminatory, and they cannot discriminate against consumers who exercise their rights under the act by, for example, denying them goods or services or pricing them differently. Controllers also cannot process sensitive data without the consumer’s consent. Processors “shall adhere to the instructions of a controller” and assist the controller in meeting its duties under the act. The act requires that a controller and a processor operate under a contract, and it specifies some of the terms the contract must include, such as the type of data to be processed and the nature, purpose, and duration of the processing.4
The act grants consumers certain unwaivable rights regarding their personal data and that of children under 13 under their care. Consumers can ask that a controller confirm that it is processing the consumer’s personal data and request to access and copy the data. Consumers can also ask that the controller correct or delete their personal data. They can also opt out of processing for targeted advertisement, sale of personal data, and “profiling in furtherance” of decisions of legal import to them. These decisions are those that result in the provision or denial by the controller of financial, housing, insurance, or health care services; education enrollment; and employment opportunities; among others. A controller must respond to a consumer request within 45 days, extendable another 45 days with a reason and notice to the consumer. A controller can decline a consumer’s request but must provide an appeal process. Controllers must provide consumers with a privacy notice that describes the personal data processed, the purpose of the processing, and how consumers may exercise their rights, including their appeal and opt-out rights.5
The Texas attorney general can fine transgressors of the act $7,500 per violation if they fail to cure a notice of violation within 30 days. Aggrieved consumers can file online complaints with the attorney general, but the act expressly denies them a private cause of action.6
PIERRE GROSDIDIER is a litigation attorney in Houston. He is certified in construction law by the Texas Board of Legal Specialization. Grosdidier’s practice also includes data privacy and unauthorized computer access issues and litigation. Prior to practicing law, he worked in the process control industry. Grosdidier holds a Ph.D. from Caltech and a J.D. from the University of Texas. He is a member of the State Bar of Texas, a registered P.E. in Texas (inactive), a member of the Texas Bar Foundation, and a fellow of the American Bar Foundation. Grosdidier was the State Bar of Texas Computer & Technology Section chair for 2022-2023 and was elected medium section representative to the State Bar of Texas for the 2023-2026 term.