On June 13, 2023, the Texas Governor signed HB4, making Texas the tenth state to have a comprehensive privacy law, joining California, Colorado, Connecticut, Montana, Virginia, and Utah (all in effect or going into effect in 2023), Montana and Tennessee (which, like Texas, go into effect in 2024), Iowa (effective 2025) and Indiana (effective 2026).  The new Texas law goes into effect on July 1, 2024, except for one subsection relating to opt-outs, which goes into effect January 1, 2025.

The new law will affect many more companies than the laws of the other states listed above because, unlike those laws, Texas does not include a minimum number of residents for applicability.  Instead, the three criteria for applicability of the Texas law are that the company:

(1)  conducts business in this state or produces a product or service consumed by residents of this state;

(2)  processes or engages in the sale of personal data; and

(3)  is not a small business as defined by the United States Small Business Administration, . . . .

The new law is similar to Virginia’s and uses the “controller” and “processor” terms found in most of the laws listed above.  The new law also has exceptions for individuals acting in the employee and commercial context.  The new law has exclusions for Gramm-Leach-Bliley-covered financial institutions, HIPAA-covered covered entities and business associates, non-profits, institutes of higher education, and electric utilities, power generation companies, and retail electric providers.  The new law also has exemptions for certain types of data:  the first ten exemptions relate to health data (including test subjects), plus FCRA- or FERPA-covered data, and a few others.

The new law also gives controllers certain rights to use the data, including to “prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity” as well as to “conduct internal research to develop, improve, or repair products, services, or technology.”

The new law gives consumers the now-familiar rights of

  • Access
  • Correction
  • Deletion
  • Obtaining a copy of the personal data
  • Opting out of (a) targeted advertising; (b) sale of personal data; and (c) profiling “in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer”

The new law requires controllers to provide “two or more secure and reliable” methods to enable consumers to submit those requests.  The controller has 45 days to respond to these requests, which can be extended for an additional 45 days when reasonably necessary and provision of notice and an explanation to the consumer.  Note that the controller “shall provide information in response to a consumer request free of charge, at least twice annually per consumer.”  If the consumer request is “manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or may decline to act on the request.”  The new law also requires that “appeal process must be conspicuously available and similar to the process for initiating action to exercise consumer rights by submitting a request.”  If the controller denies the consumer’s appeal, the new law requires the controller to provide the consumer with an online mechanism through which the consumer may contact the attorney general to submit a complaint.  Note that these consumer rights do not apply to pseudonymized data, provided certain conditions are met.

With respect to the opt-out right, as of January 1, 2025, a consumer may designate an agent to opt-out, which includes browser extension and Internet links to technologies.  Note, however, that the technology “may not make use of a default setting, but must require the consumer to make an affirmative, freely given, and unambiguous choice to indicate the consumer’s intent to opt out of any processing of a consumer’s personal data.”

If the controller “sells” sensitive personal data—and Texas uses a California-type definition of “sell” by including “other valuable consideration”—the new law requires the controller to post a notice:  “NOTICE: We may sell your sensitive personal data.”  The notice must be posted in the same location and in the same manner as the privacy notice.  “If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose that process and the manner in which a consumer may exercise the right to opt out of that process.”  A similar requirement applies with respect to the sale of biometric data.

Similar to the other states listed above, the new Texas law has specific requirements relating to the privacy notice and the written contracts with processors.

Like Colorado, the new Texas law requires controllers to conduct “data protection assessments.”  The assessments must be made available to the Texas Attorney General upon a civil investigative demand.  The new law specifically states that the assessment provided to the Attorney General  is exempt from public disclosure and providing it does not waive attorney-client privilege.

There is no private right of action.  Only the Attorney General may enforce this new law.  In addition, the law includes a 30-day notice and cure period before the Attorney General may bring an action.  Violations can result in civil penalties not to exceed $7,500 per violation.

Our Take

Many companies are subject to California’s law, but did not meet the number of residents required for applicability of the other states’ laws.  The breadth of the Texas law likely means that many of those previously exempt companies will be subject to its requirements.  Doing a “gap analysis” with your current compliance efforts would be a good way to begin.