Texas Enacts Data Privacy and Security Act and Laws on Data Brokers and Genetic Data Privacy | Practical Law


Texas Enacts Data Privacy and Security Act and Laws on Data Brokers and Genetic Data Privacy

by Practical Law Data Privacy & Cybersecurity
Published on 21 Jun 2023 | Texas
Texas has enacted the Texas Data Privacy and Security Act, which provides Texas residents with personal data rights and imposes obligations on controllers. The state also enacted two other data privacy laws to regulate data brokers and direct-to-consumer genetic testing companies.
On June 18, 2023, Texas Governor Greg Abbott signed:
  • The Texas Data Privacy and Security Act (HB 4).
  • SB 2105, creating requirements for data brokers.
  • HB 2545, regulating direct-to-consumer genetic testing companies.

Texas Data Privacy and Security Act

The Texas Data Privacy and Security Act (TDPSA) takes effect July 1, 2024, and grants Texas residents more control over their personal data. The law does not cover residents acting in the commercial or employment context, or residents' personal or household activities.
TDPSA applies to persons who:
  • Conduct business in Texas or produce products or services used by Texas residents.
  • Process or sell personal data.
  • Do not qualify as a small business, as that term is defined by the US Small Business Administration.
Though exempt from most TDPSA requirements, small businesses must obtain consent to sell sensitive personal data.
TDPSA defines personal data as any information that is linked or reasonably linkable to an identified or identifiable individual, including pseudonymous data when used in combination with other identifying information. It excludes deidentified or publicly available information. Under the statute, sensitive data is a category of personal data that includes:
  • Personal data that reveals an individual's race or ethnic origin, religion, mental or physical health condition, sexuality, or immigration status.
  • Genetic or biometric data processed to uniquely identify an individual.
  • Personal data collected from a known child, defined as an individual under 13.
  • Precise geolocation data.
The statute exempts many types of entities and data, including:
  • Financial institutions and personal data regulated under the Gramm-Leach-Bliley Act.
  • HIPAA covered entities and business associates, HIPAA-defined personal health data, and other specified health data and derivatives.
  • State and local government entities.
  • Nonprofits and higher education institutions.
  • Electric utilities, power generation companies, or retail electric providers, as defined by the Texas Utilities Code.
  • Data processed within the employment context.
  • Data processing by an individual in a purely personal or household activity.
  • Personal data and activities regulated under other enumerated federal laws.
TDPSA grants consumers rights to:
  • Know whether a controller is processing their personal data.
  • Access their personal data.
  • Correct inaccuracies in their personal data, considering the nature of the personal data and the processing purposes.
  • Obtain deletion of their personal data.
  • Obtain a copy of their personal data in a portable and readily usable format.
  • Opt out of personal data processing for purposes of:
    • personal data sales;
    • targeted advertising; or
    • profiling in furtherance of a decision that produces legal or similarly significant effects for the consumer.
The law requires controllers to:
  • Limit personal data collection to what is adequate, relevant, and reasonably necessary for the disclosed processing purpose.
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data collected.
  • Obtain consent to process:
    • personal data for a purpose not reasonably necessary to or compatible with those already disclosed to the consumer; and
    • sensitive data.
  • Process personal data of an individual known to be under age 13 in accordance with the federal Children's Online Privacy Protection Act.
  • Respond to consumer requests to exercise their rights within 45 days of receipt, with a possible extension for an additional 45 days.
  • Refrain from processing personal data in violation of state and federal laws that prohibit unlawful discrimination or discriminating against a consumer for exercising their personal data rights.
  • Comply with specified privacy notice posting and content requirements, including additional requirements for sensitive or biometric data.
  • Clearly disclose processing for targeted advertising or third-party sales, and indicate how a consumer can opt out.
  • Provide at least the following two methods for consumers to exercise their rights:
    • a rights request mechanism on the controller's website, if it maintains one; and
    • by January 1, 2025, recognition of opt-out preference signals that meet certain requirements.
  • Enter into contracts with their processors that include specified instructions and duties.
  • Conduct data protection assessments for:
    • personal data sales;
    • processing for targeted advertising;
    • processing for profiling, if it presents reasonably foreseeable risks of certain harms;
    • sensitive data processing; and
    • any personal data processing that presents a heightened risk of harm to consumers.
The TDPSA does not directly impose data privacy requirements on processors, but it does require processors to adhere to controllers' instructions and help controllers meet their TDPSA obligations, including responding to consumer rights requests, data security obligations, and conducting data protection assessments.
The Texas Attorney General (AG) has exclusive TDPSA enforcement authority. The statute gives controllers a 30-day right to cure notified violations by taking corrective action and sending the Texas AG a written statement with supporting documentation that describes how the controller cured the violation, whether it told the complaining consumer about the correction, and what policy changes it made to prevent future violations. Breach of the controller's written statement to the AG or violations after the cure period are subject to civil penalties up to $7,500 per violation.

Data Broker Requirements

SB 2105 creates registration, data security, and disclosure requirements for data brokers meeting certain annual revenue or processing thresholds around personal data not directly collected from the individual to whom it relates.
SB 2105 largely adopts the TDPSA's personal data definition, but contains a more detailed sensitive data definition. It also adds exclusions for certain types of entities, such as nonprofits, and for certain types of data, for example, inferences made from multiple independent sources of publicly available data that do not reveal sensitive data.
The statute requires covered data brokers to:
  • Register with the Texas Secretary of State, which includes paying a registration fee and providing information such as the categories of data processed, any purchaser credentialing processes, children's data policies, and data breach history.
  • Post a conspicuous, clear, readily accessible notice on its website or mobile app that identifies itself as a data broker and includes language to be issued by the Secretary of State.
  • Implement and maintain a comprehensive written information security program that includes:
    • administrative, technical, and physical safeguards appropriate to characteristics of the data broker and the personal data at issue;
    • safeguards similar to those required for data under other laws to which the broker is subject;
    • designating one or more employees to maintain the program;
    • identifying and assessing risks, and risk mitigation processes;
    • ongoing employee and contractor training and compliance policies;
    • policies for selecting and managing third-party service providers;
    • monitoring performance and regularly reassessing the plan;
    • to the extent technically feasible, implementing measures like multi-factor authentication, access controls, encryption at rest and in transit, and security software.
The Texas AG is charged with enforcing SB 2105. Violations of the notice and registration requirements are subject to civil penalties of at least $100 per day of violation and the amount of unpaid registration fees. Penalties against a single data broker cannot exceed $10,000 in one year. Violations of the data security requirements are deceptive trade practices enforceable under the Texas Deceptive Trade Practices Act.
The statute becomes effective September 1, 2023, and applies to collection, processing, and transfers made on or after December 1, 2023.

Genetic Data Privacy

HB 2545 regulates direct-to-consumer genetic testing companies that either:
  • Offer genetic testing products or services directly to Texas residents.
  • Collect, use, or analyze genetic data that:
    • results from genetic testing products or services; and
    • a Texas resident, not a health care provider, directly provided.
It grants individuals an exclusive property right in the biological sample provided to or used by a direct-to-consumer genetic testing company and protects the confidentiality of their genetic data, including:
  • Raw sequence data from sequencing all or a portion of a consumer's extracted DNA.
  • Genotypic and phenotypic information from analyzing a consumer's raw sequence data.
  • Self-reported health conditions information that a company:
    • uses for scientific research or product development; and
    • analyzes in connection with the consumer's raw sequence data.
Under HB 2545, direct-to-consumer genetic testing companies must:
  • Develop, implement, and maintain a comprehensive security program to protect consumers' genetic data against unauthorized access, use, or disclosure.
  • Make publicly available:
    • a privacy policy overview that includes basic, essential information about their collection, use, or disclosure of genetic data; and
    • a prominent privacy notice that includes information about their collection, consent, use, access, disclosure, transfer, security, retention, and deletion practices.
  • Before collecting, using, or disclosing genetic data, provide individuals with essential information, including:
    • a description of how the company uses the data;
    • who has access to the data; and
    • how the company may share the data.
  • Create a process for individuals to:
    • access their data;
    • delete their account and genetic data; and
    • destroy their biological sample.
  • Obtain various forms of individual consent for certain activities.
The law's individual consent requirements include:
  • Separate express consent for:
    • transferring or disclosing individuals' genetic data, except to their vendors and service providers;
    • using genetic data beyond their genetic testing products' or services' primary purpose; or
    • retaining an individual's biological sample following completion of the initial individual-requested testing service.
  • Informed consent according to the Federal Policy for the Protection of Human Subjects to transfer or disclose individuals' genetic data to a third party for:
    • research purposes; or
    • research conducted under the company's control for publication or generalizable knowledge.
  • Express written consent to disclose genetic data to law enforcement or government entities without a warrant or compliance with other valid legal process.
  • Written consent before disclosing individuals' genetic data to:
    • entities that offer health insurance, life insurance, or long-term care insurance; or
    • an individual's employer.
  • Express consent for marketing:
    • to an individual based on their genetic data; or
    • by a third party to an individual based on the individual's ordering or purchasing of a genetic testing product or service.
However, direct-to-consumer genetic testing companies need not obtain express consent to provide customized content or offers through their websites, apps, or services to consumers with whom they have a first-party relationship.
Direct-to-consumer genetic testing companies that possess de-identified data must also:
  • Implement administrative and technical measures to ensure the data is not associated with an individual.
  • Publicly commit to maintaining and using data in de-identified form.
  • Refrain from making any attempt to identify an individual using de-identified data.
  • Prohibit, through legally enforceable contracts, anyone they share de-identified data with from attempting to identify an individual.
HB 2545 does not apply to:
  • Protected health information collected by a covered entity or business associate as defined under HIPAA regulations.
  • Entities when they are engaged in collecting, using, or analyzing genetic data or biological samples in the context of research, as defined under the HIPAA Privacy Rule.
  • Public, private, or independent higher education institutions, as defined under state law.
  • Entities offering genetic testing products or services through a health care provider.
  • The collection, use, or analysis of genetic data by a health care provider.
The Texas AG may investigate potential violations and seek recovery of actual consumer damages and civil penalties up to $2,500 for each violation, plus fees and costs. The law takes effect September 1, 2023, and does not include a private right of action.