Press "Enter" to skip to content

Texas Enacts Data Privacy and Security Act with Small Business Exception

Texas Data PrivacyTexas Gov. Greg Abbott on June 18 signed into law House Bill 4, the Texas Data Privacy and Security Act.  This makes Texas the 10th state to enact a comprehensive consumer data privacy law, following California, Virginia, Colorado, Utah, Connecticut,  Iowa, Indiana, Tennessee, and Montana.

The Act will go into effect July 1, 2024, except for a section related to authorized agents which will go into effect Jan. 1, 2025.


The Act applies to a person that:

  1. conducts business in Texas or produces a product or service consumed by residents of Texas;
  2. processes or engages in the sale of personal data; and
  3. is not a small business as defined by the United States Small Business Administration, except to the extent it sells sensitive data which requires consumer consent.

Exemptions include:

  1. financial institutions or data subject to the Gramm-Leach-Bliley Act;
  2. covered entities or business associates governed by the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act;
  3. nonprofit organizations;
  4. institutions of higher education;
  5. protected health information under HIPAA;
  6. personal information to the extent its collection, maintenance, disclosure, sale, communication, or use is regulated and authorized by the Fair Credit Reporting Act.

Consumers have the right to:

  1. confirm processing of their personal data and access such data;
  2. correct inaccuracies;
  3. delete personal data;
  4. obtain personal data provided by the consumer in a portable and readily usable format, if stored digitally;
  5. opt out of processing if for the purpose of targeted advertising, sale, or profiling.

Sensitive personal data may not be processed without the consumer’s consent or, in the case of a known child, pursuant to the Children’s Online Privacy Protection Act.

Sensitive Data includes:

  1. personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  2. genetic or biometric data that is processed for the purpose of uniquely identifying an individual;
  3. personal data collected from a known child; or
  4. precise geolocation data.

A contract between a controller and processor must include:

  1. clear instructions for processing data;
  2. the nature and purpose of processing;
  3. the type of data subject to processing;
  4. the duration of processing;
  5. the rights and obligations of both parties;
  6. a requirement the processor will ensure the confidentiality of the data;
  7. a requirement the processor delete or return all personal data to the controller as requested after the provision of the service is completed;
  8. a requirement the processor make available all information in the processor’s possession necessary to demonstrate compliance;
  9. a requirement the processor will allow and cooperate with reasonable assessments by the controller; and
  10. a requirement subcontractors be engaged pursuant to a written contract mirroring the processor’s requirements.

Controllers must conduct and document a data protection assessment of each of the following processing activities:

  1. the processing of personal data for purposes of targeted advertising;
  2. the sale of personal data;
  3. the processing of personal data for purposes of certain profiling;
  4. the processing of sensitive data; and
  5. any processing that presents a heightened risk of harm.

There is no private right of action. Provided a person cannot cure a violation within 30 days, the attorney general may seek injunctive relief and a civil penalty not to exceed $7,500 for each violation.


This Act is similar to the non-California data privacy laws recently enacted but is unique in that its scope is not defined by volume thresholds, instead simply exempting small businesses except to the extent they sell sensitive data.

For a chart comparing the state comprehensive data privacy acts, and more information and insight from Maurice Wutscher on data privacy and security laws and legislation, click here.

Photo: Brandon Seidel/

Print Friendly, PDF & Email

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.