Client Alert: Texas and Tennessee Join the Cacophony of State Data Privacy Laws 

Date: June 27, 2023
Introduction

On June 18, 2023, Texas became the eleventh state to enact comprehensive privacy legislation after the recent passage of the Texas Data Privacy and Security Act (“TDPSA”). Texas now joins Tennessee as the latest entry into an increasingly complex web of state privacy laws. On May 11, Gov. Bill Lee signed into law the Tennessee Information Protection Act (“TIPA”), which itself follows recent enactments of data privacy laws in Iowa, Indiana, Florida, and Montana.  

The other states with data privacy laws are California, Colorado, Connecticut, Utah, and Virginia. 

Both TDPSA and TIPA are largely modeled on the Virginia Consumer Data Protection Act (“VCDPA”), which was enacted in March 2021, with an effective date of January 1, 2023. The good news is that the frameworks underlying the Texas, Tennessee and Virginia privacy laws share key definitions, business obligations, and core consumer rights governing the collection, use, and transfer of consumer data. However, there are some notable differences, discussed below.

Unique Jurisdictional Threshold in Texas. The new Texas privacy law contains a unique carve-out that excludes from its coverage those entities that are “a small business as defined by the United States Small Business Administration.” The TDPSA otherwise broadly applies to all businesses that (a) conduct business in Texas or produce goods or services consumed in Texas, and (b) process or sell personal data. This creates a jurisdictional framework under the TDPSA that is potentially broader than other state privacy laws, all of which establish threshold requirements based on revenues or the amount of personal data (based on the number of consumers and/or households in a particular state) that a business processes annually. As the definitions under the applicable Small Business Administration regulations vary significantly from one industry to another, the TDPSA presents a unique challenge in terms of understanding which businesses may be covered.

Special Treatment of Sensitive Data. Both the new Texas and Tennessee privacy laws follow Virginia’s lead by requiring companies to obtain consent for the processing of sensitive personal data and allowing consumers to opt out of data sales, targeted advertising, and significant profiling decisions.

Consent is required before processing sensitive data, which includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, citizenship or immigration status, genetic or biometric data processed for purposes of uniquely identifying an individual, personal data collected from a known child under 13, and precise geolocation data. The Senate version of the new Texas law initially excluded data revealing “sexual orientation” from the categories of sensitive information, which differs from all other state privacy laws. However, the version of the new Texas privacy law that was signed into law reinserted personal data that reveals “sexuality” as a category of “sensitive data.”

Longer Right to Cure. The new Texas and Tennessee laws also follow Virginia in requiring the respective Attorney General offices to give a business an “opportunity to cure” any alleged violation of the applicable state privacy act. While Tennessee provides a generous 60-day cure period, Texas and Virginia only allow for a 30-day cure period.

Voluntary Privacy Program as an Affirmative Defense in Tennessee. One unique feature of the new Tennessee privacy law is that it will allow both controllers and processors to assert an affirmative defense to a claim alleging violations of the law. Businesses will be entitled to the defense if they create, maintain, and comply with a written privacy policy that “reasonably conforms” to the National Institute of Standards and Technology (NIST) privacy framework or other documented policies, standards, and procedures designed to safeguard consumer privacy. A business claiming that defense must maintain ongoing compliance with such privacy frameworks, and at a minimum update its privacy policies to reasonably conform with any subsequent revisions to the NIST or comparable privacy framework within two years of the publication of the revision. In assessing whether a voluntary privacy program is appropriate in scale and scope, the new Tennessee law provides for consideration of the size and complexity of the business, the nature and scope of the activities of the controller or processor, the sensitivity of the personal information processed, the cost and availability of tools to improve privacy protections and data governance, and compliance with a comparable state or federal law. Given that the NIST framework is, by design, a flexible framework intended to identify and manage risks within diverse environments, it is unclear what “reasonable conformity” to such a framework may entail or how invoking this affirmative defense will practically play out in the event of an enforcement action under the Tennessee Information Privacy Act.

Enforcement and Penalties. There is no private right of action under the Tennessee or Texas laws, and California remains the only state whose privacy laws allow consumers to bring lawsuits for alleged violations. While the civil penalties available under the Tennessee and Texas privacy laws are generally in line with those set forth under Virginia law ($7,500 in civil penalties for each violation of the law), the Tennessee privacy law uniquely provides for an award of treble damages for willful or knowing violations.

Next Steps

Both the Tennessee and Texas laws will take effect on July 1, 2024, while potential new comprehensive privacy laws continue to simmer in a handful of other states. If you have questions about how these new laws in Tennessee, Texas or elsewhere may affect your organization, please contact a member of Whiteford’s Cyber Security, Data Management & Privacy practice group.