
New Texas Data Law Creates Requirements and Risks

Texas is the latest state to pass data privacy legislation. The law takes effect July 1st and is meant to protect consumers’ control over their data. However, it creates regulatory requirements and risks for any business that operates in Texas. Learn how businesses can comply with the new law and how you can help your clients minimize their data breach risk.


On June 1, 2023, Texas Governor Greg Abbott signed the Texas Data Privacy and Security Act (TDPSA), a bill designed to protect consumer data and give consumers the right to choose how and when businesses use their data. The law takes effect on July 1, 2024, and could greatly impact how Texas businesses collect, use, and share consumer data.1

It could also create liability and financial risk for businesses. In 2018, California passed a similar law called the California Consumer Privacy Act (CCPA). In 2022, the beauty brand Sephora became one of the most notable companies to be penalized under the CCPA, paying a $1.2 million settlement for illegally selling data via third-party trackers.2 However, there have been several CCPA enforcement actions against privately held companies dating back to 2020, spanning a diverse array of sectors from healthcare and manufacturing to technology, e-commerce, retail, and others.8

Since the passage of the CCPA, 14 other states have passed comprehensive privacy legislation.3 A federal data privacy law could also be on the horizon. In April 2024, the U.S. House Committee on Energy and Commerce and the U.S. Senate Committee on Commerce, Science, and Transportation released a discussion draft of such a bill entitled the American Privacy Rights Act of 2024 (APRA). It has not yet been sent to the full House and Senate floor for consideration.4 While the details and subtleties of a potential federal and each state law may vary, the goal remains to protect consumers’ control over how their data is used. While that goal is important, it also creates potential business liability and enhances the need for robust cyber risk protection.

15 U.S. states (California, Connecticut, Colorado, Delaware, Florida, Indiana, Iowa, Montana, New Jersey, New Hampshire, Oregon, Tennessee, Texas, Utah, and Virginia) have comprehensive privacy laws in place.9

DETAILS OF THE TEXAS DATA PRIVACY AND SECURITY ACT

Similar to Virginia’s data privacy law, the TDPSA protects the following five rights for Texas consumers:5

  1. The right to identify that an organization uses a designated controller to process and access personal data.
  2. The right to correct inaccurate data.
  3. The right to delete any personal data a business may have collected or obtained about a consumer.
  4. The right to obtain a copy of their personal data from a business in a usable format.
  5. The right to opt out of data processing for advertising, sale, or profiling.

While the law goes into effect on July 1, 2024, businesses have until January 1, 2025, to comply with the global opt-out provision.

Consumers can use global opt-out technology to automatically opt out of data collection for any website they visit.5

WHAT BUSINESSES ARE COVERED BY TDPSA?

The legislation broadly covers any business or organization that:5

  • Conducts business in Texas or generates products or services that are “consumed” by Texas residents.
  • Processes or engages in the sale of data.
  • Does not identify as a small business based on U.S. Small Business Administration (SBA) standards.

While this language is similar to bills in other states, there are some notable differences. One is the use of the word “consumed.” Given the nature of the global economy, it’s possible for a Texas resident to “consume” a product or service from a business nearly anywhere in the world. So although this is Texas legislation, it could theoretically cover any business.

The other unique aspect is the reference to small business. Businesses that meet the SBA standards are exempt from the legislation. As of 2023, the SBA defined a small business as an independent manufacturing business with fewer than 500 employees or a non-manufacturing business with average annual sales receipts under $7.5 million.6 If a business does not meet those exemption standards, it must comply with the TDPSA.

There are a few other exemptions to the legislation, including:5

  • Financial institutions subject to Title V of the Gramm-Leach-Bliley Act
  • Businesses or organizations subject to privacy rules under HIPAA
  • Nonprofit organizations, higher education institutions, and electric utility companies

PENALTIES FOR TDPSA VIOLATIONS

Penalties for violating TDPSA have the potential to be staggering because the penalty for each violation of TDPSA is $7,500.5 As data privacy violations often occur en masse, a business with hundreds or thousands of violations could face significant penalties.5 However, businesses do have an opportunity to resolve violations before fines are imposed. The Texas Attorney General will notify companies about potential violations after they are identified. Businesses then have 30 days to “cure” the violation. If they can demonstrate in writing that the violations have been resolved, the company may be able to avoid penalties.5

After California, Texas is the second-largest state to enact comprehensive privacy laws.9

In Texas, the Attorney General’s office must initiate all TDPSA enforcement actions. Individuals and plaintiff attorneys cannot bring private lawsuits.5

RISKS AND PROTECTION STRATEGIES

While TDPSA offers protections for Texas consumers, it adds a layer of requirements and risk for businesses operating in Texas. As with many risks, the first layer of protection is strict, well-defined internal processes and controls that minimize risk. Even if a third-party consent management platform helps businesses manage user consent and opt-outs, a designated controller should manage the processing and use of personal data. Websites and other technical applications should comply with global opt-out technology.

Cyber insurance provides another critical layer of added protection. Many data privacy violations are discovered during a cyber breach. The business then has to manage the fallout of the data breach along with regulatory fines and penalties related to improper data collection and usage.

DoorDash was fined $375,000 for improperly sharing personal data with a business partner after the data was discovered in a data breach.7

Cyber insurance minimizes the financial fallout of data processing errors and cyber breaches. However, not all cyber insurance policies are the same. It’s important to consider:

Does it exclude data privacy fines and damages? Not all cyber policies cover all damages. Some are comprehensive and cover many losses, including fines and penalties related to data privacy law violations. Others may only cover strictly defined cyber events like data breaches or malware attacks.

Does it cover first-party and third-party damages? Some cyber insurance policies only cover third-party privacy claims, but not third-party regulatory fines or first-party investigation costs. Most bundled (or “throw-in”) cyber insurance policies cover limited third-party damages, while omitting or heavily sub-limiting coverage of the organization’s first-party costs and expenses. Most bare-bones policies include third-party coverage, but not first-party.

Does the policy offer preventive and consulting services? Many cyber insurance policies provide various services to prevent and minimize cyber events. For example, they may offer consultation and best practices to avoid data breaches or comply with privacy laws. Coverage may also provide consultants to minimize the damage in the aftermath of a cyber event.

BOTTOM LINE

More states have taken up the cause of protecting consumer data. While that goal is important, it also creates potential business liability and enhances the need for robust cyber risk protection. Texas’s new data privacy law heightens the liability associated with data collection and processing. Robust cyber insurance can help clients minimize the risk. A knowledgeable and experienced broker can help retail agents find the right coverage to protect businesses operating in Texas. CRC partners with several cyber carriers, many pre-vetted to meet data privacy requirements. Contact your CRC Group producer today to learn how we can help protect your Texas business clients.

CONTRIBUTOR

  • Josh White is a Cyber and Professional Lines Broker with CRC Group’s ExecPro Practice Group.

END NOTES

  1. Enhancing Data Privacy: A Glance at Texas’s New Consumer Privacy Law, The National Law Review, August 17, 2023
  2. Sephora’s $1.2 Million Fine Proves Customer Privacy Is An Innovation Imperative, Forbes, October 27, 2022
  3. Which States Have Consumer Data Privacy Laws?, Bloomberg Law, March 18, 2024
  4. New Legislation Would Establish the First US National Comprehensive Privacy Law, The National Law Review, May 14, 2024
  5. H.B. 4, Texas Capitol, 2023
  6. Basic Requirements, Small Business Administration, November 17, 2023
  7. DoorDash fined $375K in second public CCPA enforcement, Compliance Week, February 22, 2024
  8. CCPA Enforcement Case Examples, State of California Department of Justice, August 2022
  9. Which States Have Consumer Privacy Laws?, Bloomberg Law, March 18, 2024