To Louisiana Businesses: New Texas Privacy Sheriff Taking Aim At You

The new Texas Data Privacy and Security Act “kicks-in” on July 1, 2024. Is your Louisiana business ready to bear the “aim” of the new Texas “Privacy” Sheriff a/k/a the Texas Attorney General?

Generally, if you are not a “small business”, your Louisiana business will soon face compliance issues, and risk Texas-sized noncompliance fines, for collecting personal data on Texas residents if your business (1) conducts business in Texas or (2) “produce[s] a product or service consumed by residents of [Texas]”.

As to the first category, if your business has a “brick-and-mortar” operation in Texas, or if your business in Louisiana engages in commerce with a Texas resident while that Texas resident is in Texas, the new Texas “Privacy” Sheriff is “aiming” for your compliance. As to the second category, the “aim” at your Louisiana business is, at least from a literal reading of the statute, independent of whether your Louisiana business “conducts business in [Texas]”. Under this second category, if your product is consumed by a Texas resident, compliance is said to apply. Read literally, if a Texan visits your Louisiana business and buys goods at your store, or you provide any services to that Texan at your establishment in Louisiana (restaurant, bar, hotel, apartment rental, concert, tour, beauty salon, parking lot, etc.), any personal data that you collect on that Texas resident literally appears to trigger compliance.

Given the broad definition of “personal data”, it is perhaps best to at least assume that, as to a Texas resident on which you are collecting data, you are collecting data that “triggers the aim” of the statute (assuming that the statute otherwise applies to your Louisiana business).

Also, if you collect “sensitive data” from that Texan, the “small business” exemption, which appears to apply to the collection of that “sensitive data”, does not extend to you engaging in the “sale” of that “sensitive data”. Unless you are otherwise exempt, even a “small business” will need to obtain a clear, specific, informed and unambiguous consent from that Texas consumer prior to any such “sale”. The definition of “sale” is broad, and goes beyond the typical understanding of the term “sale”.

Compliance Burdens

The compliance burdens are several, including:

  • Conducting a “data protection assessment”
  • Providing many new data “rights” to Texas consumers
  • Preparing a significantly revised and compliant Privacy Policy . . . and living by it!
  • Limiting your data collection
  • Not collecting “sensitive data” without the consent of that Texas consumer
  • Implementing universal “Opt-Out” (Global Privacy Control) in your systems (JAN 1, 2025)
  • Amending your IT contracts with your IT service providers

. . . that’s a lot of bullets in the Texas “Privacy” Sheriff’s holster.

If you have been complying with the California comprehensive consumer data privacy laws (CCPA/CA Consumer Privacy Act and CPRA/CA Privacy Rights Act), you are likely very close to being ready for the Texas “Privacy” Sheriff. However, there are some differences that should be considered (they are not discussed in this article).

If your business is banking and financial services (industry governed by GLB) or health care (industry governed by HIPAA), or you are a nonprofit, you enjoy a special exemption under this new Texas statute.

New “Data Rights” Of The Texas Consumer

If you are not a “small business” (and do not enjoy one of those special exemptions), a Texan could ask you (BTW, twice a year) if you have any personal data on that Texan. In addition to answering that question, you need to do all of the following, and “for free”, allowing the Texan:

  • to access the Texan’s personal data in your system
  • to correct that data
  • to delete that data
  • to provide a digital copy of that data to the Texan (portability)
  • to “opt out” of:
    1. targeted advertising
    2. the sale of personal data
    3. profiling for decision making (even if not ADM – Automated Decision Making)

“Personal Data” is very broadly defined as any info linked OR reasonably linkable to an identified OR identifiable individual. Given the acceleration in technology for aggregating datasets, and in the size of those datasets, the “reasonably linkable to an identifiable individual” captures much.

“Sensitive Data” and Consent

If you are not a “small business” (and, again, do not enjoy one of those special exemptions noted above), you are also prohibited from collecting “sensitive data” on that Texas consumer without their clear, specific, informed and unambiguous consent. “Sensitive Data” is:

  • racial, ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, citizenship or immigration status;
  • genetic or biometric data that is processed for the purpose of uniquely identifying an individual;
  • personal data collected from a known child, defined as a child under 13 years of age; and
  • precise geolocation data, defined as “accuracy within a radius of 1,750 feet”.

Issues and concerns with each of the above four categories are beyond the scope of this article.

And recall that even a “small business” (not otherwise exempt) engaging in the “sale” of “sensitive data” is prohibited without the clear, specific, informed and unambiguous consent of the Texas consumer.

Texas “Privacy” Sheriff and Fines

Per the express terms of the statute, only the Texas Attorney General can police you. The AG can levy fines up to $7,500 for each violation. While the statute does not further define “violation” or “each violation”, there exists the potential risk for a multiplying factor (e.g., that a violation that impacts more than one Texan is considered separate violations for each Texan; or that continuous, day-by-day, noncompliance or repeated failures to comply with consumer requests, might each be a “violation”). Again, as of now we have no further specific guidance from the statute or the Texas AG on the meaning of “each violation”.

The Texas AG, in addition to the fines, can also collect reasonable attorneys’ fees and other expenses.

No Private Right of Action and “Cure”

If you are looking for any good news for your Louisiana business in this new statute, it might be found in two provisions: (1) there is no “private right of action” under this new Texas statute (so only the Texas AG, and not the Texas resident, can enforce it); and, (2) the Texas AG must first give you notice of, and a chance to cure, the violation. You have thirty (30) days to cure; and, if you timely “cure”, you avoid the fines.

While thirty (30) days might not be enough time to “cure” many of the violations, hopefully the Texas AG will grant extensions (although there is nothing in the statute that allows it; but, likewise, there is nothing in the statute that mandates that the Texas AG must assess a fine or the max fine).

However, “curing” requires you to put yourself on the line with the Texas AG by providing a written statement:

  • you FIXED IT (“cured the alleged violation”);
  • you NOTIFIED THE CONSUMER (“notified the consumer that the consumer's privacy violation was addressed, if the consumer's contact information has been made available to [you]”);
  • PROVING YOU FIXED IT – (“provided supportive documentation to show how the privacy violation was cured”); and,
  • COMMITTING TO MAKING SURE IT DOES NOT HAPPEN AGAIN – (“made changes to internal policies, if necessary, to ensure that no such further violations will occur”).

Signing such a statement, if not true, is also a “violation” of the statute. Also, providing notice to consumers as a predicate for “cure” might cause some unintended consequences, notwithstanding the salutary purpose for doing so.

“Small Business”

All of that said: are you a “small business” and thus exempt from this new Texas statute?

Unlike the other states with new comprehensive consumer privacy laws, Texas did not establish a single fixed annual revenue threshold or processing threshold (number of consumers from the state processed annually). Rather, Texas embraced the unique approach of using the varying definitions, by industry and type, of a “small business” established by the SBA (Small Business Administration) in the Table of Size Standards. https://www.sba.gov/document/support-table-size-standards.

Notably, while the California privacy laws (CCPA/CPRA) generally exempt businesses with less than $25 Million in annual revenue, many of the business types in the SBA lose their “small business” designation at lower, sometimes much lower, revenue thresholds (although, for some businesses, the revenue threshold is higher). The below is only a small subset of the SBA classifications.

| Annual Rev | NAICS | Description |
|---|---|---|
| $9.0M | 722410 | Drinking Places (Alcoholic Beverages) |
| $11.5M | 722511 | Full-Service Restaurants |
| $13.5M | 722513 | Limited-Service Restaurants |
| $22.5M | 722515 | Snack and Nonalcoholic Beverage Bars |
| $13.5M | 459420 | Gift, Novelty and Souvenir Retailers |
| $9.0M | 722320 | Caterers |
| $34.0M | 713210 | Casinos (except Casino Hotels) |
| $40.0M | 721120 | Casino Hotels |
| $25.0M | 561520 | Tour Operators |
| $14.0M | 487120 | Scenic and Sightseeing Transportation, Water |
| $20.5M | 487110 | Scenic and Sightseeing Transportation, Land |
| $19.0M | 485320 | Limousine Service |
| $19.0M | 485510 | Charter Bus Industry |
| $40.0M | 721110 | Hotels and Motels |
| $9.0M | 721191 | Bed and Breakfast Inns |
| $34M | 531110 | Lessors of Residential Buildings and Dwellings |
| $40M | 445110 | Supermarkets & other Grocery Retailers (except Convenience Retailers) |
| $16.0M | 445291 | Baked Goods Retailers |
| $10.0M | 445320 | Beer, Wine and Liquor Retailers |
| $20.5M | 458310 | Jewelry Retailers |
| $25.5M | 541330 | Engineering Services |
| $12.5M | 541310 | Architectural Services |
| $9.0M | 541320 | Landscape Architectural Services |
| $9.5M | 561730 | Landscaping Services |
| $15.5M | 541110 | Offices of Lawyers |
| $9.0M | 621210 | Offices of Dentists |
| $47.0M | 812930 | Parking Lots and Garages |
| $9.5M | 812112 | Beauty Salons |
| $9.0M | 811111 | General Automotive Repair |
| $19.0M | 238210 | Electrical Contractors and Other Wiring Installation Contractors |
| $19.0M | 238220 | Plumbing, Heating and Air Conditioning Contractors |
| $21.5M | 444240 | Nursery, Garden Center and Farm Supply Retailers |

Whether now, or at a later time when the Texas AG initiates an investigation, many businesses in Louisiana may be surprised that their business is not a “small business” and must bear, or potentially bear, the “aim” of a new privacy compliance burden. Also, recall that even a “small business” (not otherwise exempt) must obtain clear, specific, informed and unambiguous consent from the Texas consumer to engage in a “sale” of their “sensitive data”; and, again, the definition of “sale” is very broad and beyond the typical understanding of that term.

Challenge to Scope of Texas Authority

The new Texas law expressly states that it applies if that business or person conducts business in Texas or if that business or person “produces a product or service consumed by residents of [Texas]”. Notably, the latter does not end with “while in Texas”. Whether the Texas AG will enforce that latter category literally remains to be seen.

In contrast, a business regulated by the California comprehensive consumer privacy laws (CCPA/CPRA) is a business (after meeting certain minimum size thresholds) “that does business in the State of California” 1798.140(d). The CCPA also does not impose certain obligations on businesses where the transaction takes place wholly outside of California. Specifically:

the obligations imposed on businesses . . . shall not restrict a business’s ability to . . . collect, sell, or share a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California is sold.

Perhaps we may see a Louisiana business stand up to the authority of the new Texas “Privacy” Sheriff to regulate, investigate or fine that Louisiana business where the Louisiana business does not “conduct business” in Texas. Also, will the Texas AG claim authority to regulate where a Louisiana business, with only “brick-and-mortar” operations at a location in Louisiana, engaged in a transaction with a Texas resident where the transaction, and data collection, wholly occurred at that location in Louisiana? Whether, or to what extent, such challenges might have any merit, or are a good strategy, for any particular Louisiana business is not the subject of this article. It may also be helpful to consider that, even for a “brick-and-mortar” operation only in Louisiana, it might be atypical for that business to not thereafter continue to “touch” that Texas patron for or through marketing, or engage in other communications, after that Texas patron returns to Texas. Whether, or to what extent, such additional or other activity may contribute to, or impact, a requirement to comply with this new Texas privacy statute is beyond the scope of this article.

Next Steps

Do you collect any “personal data” on any Texas residents? If so, and with only three months to comply, now might be a good time to pivot to determine whether, or to what extent, to make plans and align resources for any needed compliance. Otherwise, a Louisiana business might find itself in a tight pinch and, perhaps, at risk of fines. It might also be best, via prompt compliance now, to avoid providing the new Texas “Privacy” Sheriff with cause to bring on the posse to chase you and pry into your business. An investigation by the Texas AG would seem to be an unwelcome disruption to any business. While the thirty (30) day cure period is helpful, avoiding a situation of noncompliance, and of thus having to notify the consumer in order to “cure”, may be quite appealing.

On the other hand, if your business is not required to comply, you might want to avoid the expense and burden of the compliance obligations. Creating and posting a new Privacy Policy that provides additional “data rights” to Texas residents is but one example of a compliance item that could be avoided if not required.

“Follow The Data”

“Follow The Data” is my (hopefully helpful) construct when assessing compliance requirements for most privacy laws. If your business collects personal data on Texas residents, it might be prudent to engage counsel to assist you in deciding whether, or to what extent, this comprehensive Texas consumer privacy law is aimed at you and requires your compliance.

Raymond G. Areaux
Member
REGISTERED PATENT ATTORNEY
Chair, and Founder, Intellectual Property Practice Group
Loyola College of Law: Adjunct Professor - “Information Privacy” and “Trademarks and Unfair Competition”
T: (504) 585.3803 
areaux@carverdarden.com

DISCLAIMER:

  • This article is for educational purposes only. Nothing in this article is offered as, or to be considered, legal or other professional advice whatsoever. Legal and other professional advice is prudently rendered only after appropriate factual development and related consultation; and, this article by Ray Areaux is neither provided, nor intended as, any kind of legal or professional service or advice whatsoever by Ray Areaux or the firm of Carver, Darden, Koretzky, Tessier, Finn, Blossman & Areaux, LLC or any of its attorneys.
  • No attorney‐client relationship is offered or formed with Ray Areaux or the firm of Carver, Darden, Koretzky, Tessier, Finn, Blossman & Areaux, LLC or any of its attorneys by or through the delivery of this article to you.