The number of U.S. states with comprehensive privacy legislation is a step away from double digits. The Texas Legislature passed HB 4, the Texas Data Privacy and Security Act, via conference committee 28 May and the bill now awaits action from Gov. Greg Abbott, R-Texas.

While Texas is poised to be the 10th state to join the state privacy law ranks, the bill is slated to take effect before a number of laws passed before it this year with an effective date of 1 July 2024. HB 4 brings wrinkles not previously seen from other states' bills while also presenting likeness to existing statutes — Virginia's framework being the foundation for the bill.

The most notable difference is HB 4's coverage thresholds, which do not include common monetary stipulations other states adopted and rely instead on a unique three-factor applicability standard. But the bill's familiar provisions will be equally impactful, including requirements for recognition of universal opt-out mechanisms by 1 Jan. 2025.

HB 4 also contains requirements for opt-in consent for sensitive data collection and use, opt-outs for targeted advertising and data sales, data protection assessments, language concerning "dark patterns," and a 30-day cure provision.

The Texas House and Senate unanimously passed different versions of the bill, which necessitated a conference committee to reconcile differences outside of a string time-consuming chamber floor votes. The bill was then sent to Abbott's desk 30 May and will become law in 10 days without an explicit veto.

"Each and every moment of every single day, information about you and your family is collected, stored, analyzed, processed and sold," State Rep. Giovanni Capriglione, R-Texas, told KVUE Austin when the bill passed the House 5 April. "Every day, hundreds of companies gather facts about you, make predictions about your behavior and offer your personal data to advertisers, researchers, bad actors and even foreign countries."

Examining scope

Coverage thresholds are no doubt the most intriguing part of HB 4. According to the bill, entities are required to comply with requirements if they meet the following standards:

  • Conducts business in Texas or generates products or services consumed by Texas residents.
  • Processes or engages in the sale of personal data.
  • Do not identify as a small business as defined by the U.S. Small Business Administration.

All three thresholds are fresh concepts for the U.S. privacy community, as all other state laws base coverage on how much data a company holds and what kind of revenue data collection, use and sale generates on an annual basis.

 The SBA identification is the true outlier among Texas' coverage standards. The SBA defines a small business as "an independent business having fewer than 500 employees."

With that in mind, Holland & Knight Partner Bart Huffman, CIPP/E, CIPP/US, said he wouldn't put too much stock into the SBA-related threshold given it will ultimately apply to a majority of businesses without a second thought.

"Small businesses are not really all that small. Most good-sized companies should plan to comply unless they are exempt for another reason," Huffman said. HB 4 includes exemptions that have become common among state privacy frameworks, including exemptions for data already covered by federal health and financial privacy laws.

What else is new?

There are subtle yet important nuances sprinkled throughout the language of the Texas bill. Certain provisions require a second read to find potential impacts based on different language Texas lawmakers used compared to other state laws.

One tweak comes within the applicability standards as the law calls out businesses that provide services that are "consumed by" Texas residents rather than "targeted at" them. Latham & Watkins Counsel Robert Brown, CIPP/US, CIPM, PLS, said the language likely "aims to sweep in out-of-state businesses" and will catch some organizations by surprise.

"This may incentivize businesses that don’t specifically target the Texas market to take steps to actively exclude Texans from using their products or services to avoid triggering the TDPSA," Brown said.

HB 4 also contains requirements for additional disclosures when a company plans to sell sensitive and biometric information. Companies doing such business must provide "reasonably accessible and clear" disclaimers in privacy notices to notify customers that they "may sell" sensitive or biometric data.

Despite questions as to which businesses besides data brokers would be bound to such sale disclosures, Huffman supports the law asking companies "not to mince words" while detailing data practices to consumers.

"I've long thought that more of the language within privacy notices should be standardized, so that consumers might be able to actually understand the significance of what is being conveyed. And at least these disclosures do that for those two topics," Huffman said.

The 30-day cure period also brings some originality. The provision in Texas' bill mostly resembles cures provided in other states, but HB 4 also asks alleged violators to bring tangible evidence that a cure has been completed and, according to Brown, simple cure notification to the attorney general is not enough.

"The law says that companies will also have to notify the relevant consumer that the alleged privacy violation has been addressed, provide the attorney general supportive documentation to show how the violation was cured, and if necessary, make changes to internal policies," Brown said. "This is a much higher burden of proving violations have been cured, and businesses that have established practices for responding to notices of violations will need to adapt their procedures accordingly."