The Texas Data Privacy and Security Act (HB4) regulates the collection, use, processing, and treatment of consumers' personal data by certain business entities in Texas.
Here is a summary of its key sections:
- Title and Definitions (Sections 1-3):
  - The act is named the Texas Data Privacy and Security Act.
  - Definitions for terms such as "affiliate," "authenticate," "biometric data," "controller," "consumer," "personal data," and "sensitive data" are provided.
- Applicability (Section 541.002):
  - The act applies to businesses conducting operations in Texas, processing or selling personal data, and not classified as small businesses by the U.S. Small Business Administration.
  - Exclusions include state agencies, political subdivisions, financial institutions, covered entities under HIPAA, nonprofits, higher education institutions, and certain utility companies.
- Consumer Rights (Sections 541.051-541.055):
  - Consumers have the right to access, correct, and delete their personal data, obtain copies in digital format, and opt out of data processing for targeted advertising or sales.
  - Controllers must respond to consumer requests within 45 days, with a possible extension of an additional 45 days if necessary.
  - Consumers can appeal a controller's refusal to take action on their request.
- Controller and Processor Duties (Sections 541.101-541.107):
  - Controllers must limit data collection to what is necessary, ensure data security, and provide transparent privacy notices.
  - Processors must adhere to controller instructions and assist in compliance.
  - Data protection assessments are required for certain processing activities.
  - Special provisions apply to deidentified or pseudonymous data and to small businesses.
- Enforcement (Sections 541.151-541.156):
  - The Attorney General has exclusive enforcement authority and can issue civil investigative demands.
  - Violations can lead to civil penalties of up to $7,500 per violation.
  - The act does not provide a basis for private lawsuits.
- Construction and Exemptions (Sections 541.201-541.205):
  - The act includes provisions to ensure it does not conflict with other laws or inhibit free speech.
  - Controllers and processors can still collect, use, or retain data for certain purposes such as research, product improvement, and legal compliance.
- Implementation and Review (Sections 3-7):
  - The Department of Information Resources will review the implementation of the act and create an online portal for public feedback.
  - The Attorney General must post relevant information and mechanisms for consumer complaints online by July 1, 2024.
  - The act takes effect on July 1, 2024, with certain provisions effective January 1, 2025.
How does this apply to business websites that use cookies for Google Analytics, run ad remarketing for social media and Google Ads, and collect leads through web forms?
For websites like these, the Texas Data Privacy and Security Act has specific implications. Here are the key points relevant to this scenario:
- Disclosure Requirements:
  - Websites must provide a clear and accessible privacy notice. This notice must include:
    - Categories of personal data collected, including sensitive data if applicable.
    - The purposes for processing personal data.
    - Methods for consumers to exercise their rights.
    - Categories of personal data shared with third parties, if any.
    - Categories of third parties with whom data is shared.
- Consumer Rights:
  - Consumers have the right to access, correct, and delete their personal data.
  - They can also obtain a copy of their data in a portable format and opt out of data processing for targeted advertising, sales, or profiling.
- Targeted Advertising and Data Sales:
  - If the website engages in targeted advertising using personal data (e.g., remarketing for social media and Google Ads), this must be clearly disclosed.
  - The website must provide a way for consumers to opt out of this data processing.
- Consent for Sensitive Data:
  - If the website collects sensitive data (e.g., biometric data, health information), explicit consent from consumers is required.
- Data Security:
  - Businesses must implement reasonable security measures to protect the personal data they collect and process.
- Processors and Third Parties:
  - If personal data is shared with third parties or processors (e.g., Google Analytics, ad platforms), the business must ensure these entities adhere to similar data protection standards.
  - Contracts with processors should specify the data processing terms and ensure the confidentiality and security of the data.
- No Sale of Personal Data Without Consent:
  - The sale of personal data without explicit consumer consent is prohibited.
Practical Steps for Compliance:
- Update Privacy Policy:
  - Clearly state what data is collected (e.g., cookies for analytics, contact information from forms).
  - Explain the purposes of data collection (e.g., improving website experience, marketing, responding to inquiries).
  - Provide details on data sharing (e.g., with Google Analytics, ad platforms).
- Implement Opt-Out Mechanisms:
  - Allow users to opt out of cookies and tracking for targeted advertising.
  - Provide clear instructions on how to opt out of data collection.
- Secure Data Handling:
  - Ensure data collected is stored securely.
  - Limit data collection to what is necessary for the specified purposes.
- Transparency and Consent:
  - Obtain explicit consent for collecting any sensitive data.
  - Use clear and straightforward methods to obtain consent for cookies and tracking.
What additional provisions go into effect in January 2025?
The Texas Data Privacy and Security Act specifies that certain provisions will take effect on January 1, 2025. Specifically, Section 541.055(e) of the Business & Commerce Code, as added by this Act, will become effective on this date. Here is the relevant information regarding this provision:
Section 541.055(e): Authorized Agent Opt-Out Mechanism
- Consumer Designation: A consumer may designate another person to serve as their authorized agent to act on their behalf to opt out of the processing of their personal data for targeted advertising and the sale of personal data.
- Technology for Opt-Out: The consumer can use various technologies, such as a link to a website, a browser setting or extension, or a global setting on an electronic device, to indicate their intent to opt out.
- Verification: The controller must comply with the opt-out request from an authorized agent if it can verify the identity of the consumer and the agent's authority with commercially reasonable efforts.
- Conditions for Non-Compliance: A controller is not required to comply with an opt-out request from an authorized agent if:
  - The request is not communicated clearly and unambiguously.
  - The controller cannot verify that the consumer is a Texas resident.
  - The controller lacks the ability to process the request.
  - The controller does not process similar requests for compliance with other states' laws.
Special Provisions:
- Non-Disadvantage Clause: Technology used for opt-out must not unfairly disadvantage another controller and must be consumer-friendly and easy to use.
- No Default Settings: The technology must require the consumer to make an affirmative, unambiguous choice to opt out.
These provisions aim to enhance consumer control over their personal data by allowing them to use various technologies to opt out of data processing activities, with the assistance of authorized agents if needed. Businesses must be prepared to implement these mechanisms and ensure they can verify and process such requests appropriately by January 1, 2025.
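The opt-out mechanism from the practical steps above and the browser-level opt-out technology described for January 2025 can be handled by the same tag-gating logic. The following is an added example, not code from the original post or from any vendor: tag ids, the storage key and the store interface are constructed, and the browser signal is assumed to be `navigator.globalPrivacyControl` (the Global Privacy Control property, which the post does not name).

```javascript
// Added example (not from the original post): gate third-party tags behind
// the consumer's targeted-advertising opt-out. Tag ids, the storage key and
// the store interface are constructed for this example. The browser-level
// opt-out signal is read from navigator.globalPrivacyControl (Global Privacy
// Control); the post does not name it, so that mapping is an assumption.

// Tags the site loads. Remarketing pixels are targeted advertising; a plain
// analytics tag is not, so it keeps loading after an opt-out.
const TAGS = [
  { id: "ga4",          targetedAdvertising: false },
  { id: "ads-remarket", targetedAdvertising: true },
  { id: "social-pixel", targetedAdvertising: true },
];

const PREF_KEY = "tdpsa_targeted_ads_opt_out"; // constructed key name

// An opt-out is in force when the consumer made an affirmative choice on this
// site, or when the browser they configured sends the global opt-out signal.
// `store` is anything with getItem/setItem (localStorage in a browser);
// `nav` stands in for window.navigator. Silence on both counts is not an
// opt-out, matching the "no default settings" rule in the act.
function isOptedOut(store, nav) {
  if (store.getItem(PREF_KEY) === "true") return true;
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Record an affirmative, unambiguous choice. Anything other than a boolean
// (an unclear request) is rejected rather than being guessed at.
function recordChoice(store, optOut) {
  if (typeof optOut !== "boolean") throw new TypeError("choice must be an explicit boolean");
  store.setItem(PREF_KEY, String(optOut));
}

// Ids of the tags that may load right now. Call this before any tag script
// is injected so a suppressed pixel never fires.
function tagsToLoad(store, nav) {
  const optedOut = isOptedOut(store, nav);
  return TAGS.filter((t) => !(t.targetedAdvertising && optedOut)).map((t) => t.id);
}

// Minimal in-memory store so the example runs outside a browser.
function memoryStore() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}
```

In a real page, `memoryStore()` is replaced by `window.localStorage` and `nav` by `window.navigator`, and the privacy notice's opt-out link calls `recordChoice(store, true)`.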