As we have previously written, the Texas comprehensive privacy law, known as the Texas Data Privacy and Security Act (TDPSA), goes into effect on Monday, July 1, 2024. As a reminder, unlike other states’ comprehensive privacy laws that are currently in effect, Texas does not include a minimum number of residents for applicability. Instead, the three criteria for applicability of the TDPSA are that the company:
- conducts business in this state or produces a product or service consumed by residents of this state;
- processes or engages in the sale of personal data; and
- is not a small business as defined by the United States Small Business Administration, . . . . [Note: That definition varies by industry and typically is based upon annual revenue, number of employees, or both.]
Consequently, many companies that do not meet the thresholds for other states’ laws can be subject to Texas’ requirements. It’s common for companies to be subject only to the California and Texas requirements but not any of the other states’ current comprehensive privacy laws.
Like every other state except California, Texas includes an “employee” exception, for “data processed or maintained in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role.” Unlike other states, however, the law requires the controller to offer an opt-out from solely automated “profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer,” and it defines those significant effects to include “the provision or denial by the controller” of “employment opportunities.” Consequently, uses of artificial intelligence in recruiting or promotion decisions, as well as the use of employee data to train AI systems, may raise issues under TDPSA that are not raised under the other states’ laws currently in effect. Companies should therefore review their uses of artificial intelligence in recruiting processes, and whether they are using employee data to train AI or in other ways that fall outside the employment context.
Unlike California’s current requirements, TDPSA requires organizations that are “controllers” to conduct and document a data protection assessment with respect to certain uses of “personal data.” Those uses include the processing of “sensitive data” (which includes precise geolocation data), “any processing activities involving personal data that present a heightened risk of harm to consumers,” and the “processing of personal data for purposes of profiling” where the profiling presents certain reasonably foreseeable risks of harm to consumers, including financial or reputational harm.
The law requires that the data protection assessment must identify and balance the benefits “to the controller, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with that processing” of the data. The assessment must also take into account certain factors, including the context of the processing and the reasonable expectations of the consumer. The controller must make the assessment available to the Texas Attorney General upon a civil investigative demand. Fortunately for the controllers, the law states that the assessment “is confidential and exempt from public inspection” and disclosure in response to the Attorney General’s request “does not constitute a waiver of attorney-client privilege or work product protection.”
There is no private right of action. Only the Attorney General may enforce the TDPSA. In addition, the law includes a 30-day notice and cure period before the Attorney General may bring an action. Violations can result in civil penalties not to exceed $7,500 per violation.
Our Take
If you are subject to the TDPSA, have you reviewed the law and taken the necessary actions to comply?
1. Is your company using artificial intelligence in recruiting or in other ways that may be “profiling” relating to “employment opportunities”? You may need to give the individuals a right to opt out of that use.
2. Is your company using employee data in training artificial intelligence? That use may not be within the context of employment, so the “employee” exception may not apply and your company may need to comply with TDPSA with respect to this data.
3. Does your company process any “sensitive data” of Texas residents in a way that is in scope for the law? Is your company doing “any processing activities involving personal data that present a heightened risk of harm to consumers”? If so, have you begun drafting the data protection assessment? Texas has provided only a general description of the requirements, so it may take longer than you expect. Remember, TDPSA goes into effect on July 1.