Technologies like built-in navigation, driver-assistance systems and integral telematics, and mobile device synchronization increasingly bring data privacy to the forefront in the auto industry. While the EU has taken a top-down approach, individual states on this side of the pond continue to pass legislation in this space. The latest effort comes from Texas. And it should come as no surprise that it’s Texas-sized.
In between impeaching an Attorney General and creating a new type of business court, the 88th Texas Legislature passed the Texas Data Privacy and Security Act (TDPSA) (H.B. 4), which, once signed by Governor Abbott, will take effect July 1, 2024. State data privacy statutes generally track concepts in Europe’s General Data Protection Regulation (GDPR), including notices of data collection, data subject rights (knowing what data a business has, correcting it, deleting it, opting out of certain uses of personal data, etc.), and restrictions on use or transfer of personal data. Texas, which would join nine other states in enacting “comprehensive” data privacy regulations, has added some twists and traps for the unwary, particularly midsized businesses engaging in interstate commerce. Here are three notable features of the TDPSA.
1. Unusual Ambiguity in Application
Like most similar state statutes, the TDPSA excludes state agencies, non-profits, educational organizations, public utilities, and entities subject to GLBA and HIPAA as well as HR data, B2B data, and trade secrets. Under Section 541.002, a business is subject to TDPSA when it:
- conducts business in Texas or “produces a product or service consumed by [Texas] residents;”
- processes consumer personal data; and
- is not a “small business” as defined by the U.S. Small Business Administration (“SBA”).
TDPSA regulates the business’ activities when acting as a “controller”; serving as the party that decides what is done with data. The application is tricky, but here are the takeaways:
First, premising applicability on incidental consumption, rather than “doing business,” treads new (and potentially unconstitutional) ground. Even Europe’s notoriously strict GDPR requires active targeting of the EU market absent a physical presence (the equivalent in the US of “doing business”). State laws in the US typically require “doing business” plus other qualifications such as revenue, the quantity of personal data handled, or the nature of the business.
Second, the “small businesses” exemption has latent ambiguities because the SBA defines a “small business” according to purpose and context. Accordingly, it is unclear, at least to date, whether small affiliates of big businesses could take advantage of this exemption.
Finally, under Section 541.107, even otherwise-exempt “small businesses” may not sell “sensitive” personal data (defined to include information such as race, religious beliefs, biometric data, sexuality, and precise geolocation) without first obtaining the consumer’s affirmative consent.
2. A Social Media Loophole?
Interestingly, in section 541.001(28), the TDPSA states that if an individual intentionally makes information available “to the mass media” via a public channel or an unrestricted audience, a company’s subsequent transfer of that data is not a “sale.” This would implicate (a) scraping public social media profiles and (b) allowing social media companies to monetize personal data contained in public posts. It would not prevent individuals from making data subject requests, but individuals may not know where to direct those requests.
3. A Steeper Road to Remedies
There is a high bar to enforcing data subject rights, and the TDPSA provides no private cause of action. A data subject must seek to exercise a statutory data subject right, and may do so through an authorized agent starting January 1, 2025. If a business refuses to comply, the consumer may (a) appeal to the controller, (b) receive written notice and explanation of the action taken in response to the consumer’s appeal, and (c) inform the Attorney General of any such failure. If the AG takes up the matter, it may take one of a few actions, including civil investigative demand, a notice of violation (with 30 days to cure), civil penalties up to $7,500 per violation, and other civil actions.
Preparing for Compliance
Businesses—especially those unfamiliar with data privacy compliance—should not wait to get started on compliance with TDPSA. Here is how to get started today:
- Analyze geographic applicability: Even companies that do not target Texas consumers in-state must still assess exposure in case their products/services are ultimately “consumed by” Texas consumers.
- Assess the small business exemption: Even “small businesses” will need to analyze whether they qualify for the exemption and the extent of that exemption.
- Determine whether you are “selling” data: To understand the degree to which you are regulated, it is important to examine whether data transfers are “selling” under the TDPSA.
- Build a privacy infrastructure: A privacy infrastructure makes it possible to assess compliance and execute obligations. It includes, for example:
- An accurate inventory of personal data;
- A new or revised privacy policy, based on the inventory, showing among other things what personal data is collected, where it comes from, how it is used, how long it is retained, and who sees it;
- Website enhancements, such as Global Privacy Control, cookie/pixel controls, and the ability to submit data subject requests;
- Internal mechanisms for fielding, executing, and documenting data subject requests; and
- Developing standards for evaluating proposed vendor contracts.