The Texas Data Privacy and Security Act: What Small Businesses Need To Know

On June 18, Texas became the tenth state to pass a comprehensive privacy statute with the Texas Data Privacy and Security Act (TDPSA). Most of the law goes into effect on July 1, 2024. In many respects, the TDPSA is not much different from other state privacy statutes such as Colorado’s or Virginia’s, and for large businesses already subject to other state comprehensive privacy laws such as California’s, Texas’s law does not add much that is new. However, small businesses that have been able to avoid privacy compliance under the higher-threshold states (such as California) may find themselves needing to comply with the TDPSA.

One of the defining characteristics of US state privacy laws has been their relatively high thresholds for compliance. This goes all the way back to the passage of the California Consumer Privacy Act (CCPA) in 2018, which broke from the EU and UK GDPR by making privacy compliance applicable only to larger businesses, such as those with annual revenues in the tens of millions of dollars or those that process the personal data of tens of thousands of state residents.

Criteria for complying with the TDPSA

In Lone Star fashion, Texas added its own spin in the TDPSA by using the following three threshold criteria. The law applies to a person or business that:

  • Conducts business in Texas or produces a product or service consumed by residents of the state;

  • Processes or engages in the sale of personal data; and

  • Is not a small business as defined by the United States Small Business Administration (SBA).

The first two criteria will generally apply to any business that offers products and services to Texas residents. Any business that offers its products or services broadly to the US market is probably collecting the personal data of Texas residents, as Texas is the second most populous state after California.

The third criterion is the one that stands out, specifically because it makes it appear as if all small businesses are exempt. However, the SBA’s definition of a small business is more intricate than one might think.

How does the SBA define a small business?

In 2016, the SBA put out an FAQ stating that a small business is an independent business having fewer than 500 employees. However, the SBA defines small businesses for federal contracting purposes differently depending on industry. Based on its North American Industry Classification System (NAICS) code, a business can determine whether it meets either the annual-revenue or the employee-count threshold. In fact, the SBA has a tool to help businesses determine whether they are a small business for federal contracting purposes.

The point is that the SBA’s definition of “small business” is somewhat ambiguous. It will be obvious that larger businesses are not small businesses and that a newly formed one-member LLC is a small business, but what about the many businesses in between? On top of that, one thing that is certain is that the definition of “small business” is dynamic: if and when the SBA updates its definitions of small businesses, the updated definition becomes the one used by the TDPSA.

Small business compliance with the TDPSA

But this is not the end of the story. Small businesses (by any SBA definition) that process personal data and offer services or products to Texas residents still have to comply with one provision of the TDPSA: they “may not engage in the sale of personal data that is sensitive data without receiving prior consent from the consumer.” [emphasis added]

Again, for larger businesses subject to prior state privacy laws and well aware of concepts such as “sales”, “sensitive data”, and “consent”, this will not look that different from prior state statutes such as Colorado’s. However, for small businesses, this requirement will be new and will appear deceptively simple.

Let’s start with the “sale of personal data”. That just means small businesses should not sell sensitive data for money, right? As many larger businesses already know, it’s more complex than that. Texas defines a “sale of personal data” similarly to the California CCPA definition, as the “sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.” Note that a controller is the business that determines the purpose and means of processing the personal data. As larger businesses are well aware, the concept of what counts as “other valuable consideration” is notoriously vague. Speculation over what this term means has been beaten to death since the passage of California’s CCPA, but for small businesses previously unaware of the concept, there is always a concern that a “sale of personal data” has occurred any time personal data is disclosed or transferred to a third party. Note, however, that the TDPSA, like other privacy statutes, lists specific scenarios that are not considered “sales of personal data”, namely:

  • The disclosure of personal data to a processor that processes the personal data on the controller’s behalf;

  • The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;

  • The disclosure of information that the consumer intentionally made available to the general public through a mass media channel and did not restrict to a specific audience; and

  • The disclosure or transfer of personal data to a third party as an asset that is part of a merger or acquisition.

So a “sale” is not as simple as one might think, but what about “sensitive data”? The TDPSA defines “sensitive data” as:

  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;

  • Genetic or biometric data that is processed for the purpose of uniquely identifying an individual;

  • Personal data collected from a known child; or

  • Precise geolocation data.

Some of these subcategories of sensitive data are further defined in the statute, but we can now get a clearer picture of what all businesses (small and large) need to do. Any time a business discloses sensitive data to a third party in a way that is considered a sale of personal data under the TDPSA, the business must receive the consumer’s consent. For example, a mobile application developer (even a newly formed small business) that collects precise geolocation data from its Texas users would likely have to get consent before giving that data to a vendor that uses such data for behavioral advertising.

Collecting consumer consent en masse is a notoriously difficult process, and small businesses will want to ensure, where possible, that any such disclosure of sensitive personal data is not considered a “sale” under the TDPSA.

The most common way to avoid a “sale of personal data” is for a business to contractually designate the vendors that process personal data on its behalf as processors. This means small businesses will want to include language in their vendor contracts limiting the vendor to using personal data only to provide services to the business. Note that for some vendors that use sensitive data for their own purposes, such as the behavioral advertising example above, this solution will not be possible, and small businesses will have to look to other exceptions to the “sale of personal data” or bite the bullet and request consumer consent.

What happens if the small business does not comply with the TDPSA?

The TDPSA is similar to the other state comprehensive privacy statutes in granting enforcement authority solely to the attorney general. There is no private right of action, which means consumers cannot directly sue a business for a violation of the TDPSA. However, the penalty for noncompliance is $7500 per violation. This means the Texas attorney general could treat each instance in which a small business fails to get consent for the sale of sensitive personal data as a separate violation.

Since the TDPSA has fairly narrow applicability to small businesses, at the very least, small businesses will want to create a data map of the personal data they hold that is considered sensitive. This will help avoid unintended “sales”, which will in turn ward off a gunfight with the Texas attorney general.