What’s in YOUR Data?

In this age of social media and online transactions, sharing highly personal information is almost second nature. As anyone who’s ever been a victim of online fraud will attest, this comes with obvious risks, even when sharing with a business entity for legitimate business reasons like real estate.

To address this, the state legislature passed regulations that provide an additional layer of protection for Texans. These regulations will mean changes in how real estate brokerage firms handle clients’ personal data.

Unlike the European Union, which adopted the General Data Protection Regulation (G​DPR) in 2018, the United States does not have a comprehensive federal law that establishes protections for privacy and security of all personal data about individuals. With the passage of the Texas Data Privacy and Security Act (TDPSA), also known as H.B. 4, Texas joins 12 other states (California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Florida, Montana, Oregon, and Delaware) enforcing regulations regarding consumer personal data.

Most of the TDPSA takes effect July 1, 2024, with a required universal “opt-out” mechanism for consumers taking effect Jan. 1, 2025.

The Texas law uses language similar to the GDPR and other states that have recently passed privacy laws referring to “controllers” and “processors.”  A “controller” is “an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data.” A “processor” processes the data on behalf of the controller.

What is Considered​ Personal Data?

The TDPSA defines “personal data” as “information that is linked or reasonably linkable to an identified or identifiable individual.” This definition is broad and includes any information that can be used to identify a person “directly or indirectly,” including name, address, birthdate, and Social Security number. Sensitive personal data is included as well and is defined as personal data revealing racial or ethnic origin; religious beliefs; mental or physical health diagnosis; sexual orientation; citizenship or immigration status; genetic and biometric data that is processed to uniquely identity an individual; precise geolocation data (location within a radius of 1,750 feet); and personal data collected from a known child under the age of 13.

The TDPSA also includes “pseudonymous data” in its definition of personal data, which is different than other states’ data privacy laws, but is contained in the EU’s GDPR. Pseudonymous data is “de-identified” data, where direct identifiers such as name or Social Security numbers are removed. If a controller or processor uses the pseudonymous data in conjunction with additional information that could reasonably link the data to an identified or identifiable individual, it is subject to TDPSA regulations.

Consumer Ri​​ghts

Consumers can exercise consumer rights listed in the TDPSA at any time by submitting a request to a controller specifying the rights they want to exercise. Parents can make that request for children under 13. According to Subchapter B of the TDPSA, consumers can:

1. confirm whether a controller is processing the consumer’s personal data and access that data;
2. correct inaccuracies in the personal data, considering the nature of the data and the purposes of the processing of the data;
3. delete personal data provided by or obtained about the consumer;
4. if the data the consumer provided to the controller is available in a digital format, obtain a copy of it in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance; or
5. opt out of the processing of the personal data for purposes of:
   (A) targeted advertising;
   (B) the sale of personal data; or
   (C) profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

The controller must respond to a consumer request without “undue delay,” which cannot be later than 45 days after receipt of a request (subject to a 45-day extension where reasonably necessary). The controller must provide the requested information free of charge, but only two times a year per requestor.

Controller and Processor Obl​​igations

Subchapter C of the TDPSA sets out the duties and prohibitions for controllers and processors. Any business that must comply with this new law should consult an attorney or other private data compliance specialist to assist them with compliance.

Controller’s Duties

• Process personal data only for the purposes for which it has been collected and disclosed to the consumer.
• Process only the minimum amount of data necessary for fulfilling the processing purpose.
• Obtain explicit consent for processing sensitive data.
• Provide consumers with privacy notices.
• Honor consumer requests to access, correct, delete, or port their personal data.
• Take reasonable measures to protect the confidentiality, integrity, and accessibility of personal data.

Processors Duties

• Process personal data only on behalf of the controller and in accordance with the controller’s instructions.
• Implement appropriate technical and organizational measures to protect personal data.
• Assist the controller in complying with its obligations under the TDPSA, including responding to consumer requests and data breaches.

Controller’s Prohibitions

• May not process personal data for a purpose that is neither reasonably necessary to nor compatible with the disclosed purpose for which the personal data are processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.
• May not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers.
• May not discriminate against a consumer for exercising any of the consumer rights contained in the TDPSA.
• May not process a consumer’s sensitive data without obtaining the consumer’s consent, or, in the case of processing the sensitive data of a known child, without processing that data in accordance with the Children’s Online Privacy Protection Act.

Processors Prohibitions

• May not process personal data for their own purposes or for the purposes of any other controller.
• May not subcontract the processing of personal data to another processor without the controller’s prior written consent.

Who Must C​​omply?

The TDPSA applies broadly to any individual or entity collecting, storing, or handling the personal data of any resident of Texas or transferring that data for any consideration. Specifically, it applies to businesses that:

• conduct business in Texas or produce products or services consumed by Texas residents;
• process or engage in the sale of personal data; and
• are not small businesses as defined by the United States Small Business Administration (SBA).

The small business exemption has one caveat. Small businesses that sell sensitive personal data must get consumer consent in advance even though they are otherwise exempt from the law. Sensitive personal data is defined earlier in this article.

A few other targeted exemptions carve out data for which businesses have reporting obligations under other federal law, like data subject to the Health Insurance Portability and Accountability Act (HIPAA) or the Fair Credit Reporting Act (FCRA). The law also exempts personal data processed for employment purposes.

What is Conside​red a ‘Small Business’?

In general, to be classified as a small business by the SBA, a business must be below the standard size for a business in that industry (defined by annual revenue and sometimes number of employees), not be affiliated with a larger organization, and have its principal place of business in the United States.

There are different size eligibility standards depending on the industry. The North American Industry Classification System (NAICS) gives each industry a code, and the SBA has set small business size standards for each NAICS code in Title 13, Chapter 1, Part 121.201 of the Electronic Code of Federal Regulations. The NAICS code for real estate brokerages is 531210.

Real estate brokerages are classified as small businesses based on their annual revenue. The size standard listed for real estate brokerages under Part 121.201 is $15 million in annual revenue. So, if a brokerage makes less than $15 million in annual revenue and meets the other two criteria listed above, the brokerage can be considered a small business.

Enforce​ment

The Texas Attorney General will enforce the TDPSA.

The Attorney General has the authority to investigate and prosecute violations of the law and to seek civil penalties of up to $7,500 per violation, but must give a 30-day notice of violation to a person before bringing any enforcement action.

If the person cures the violation by taking all the steps identified in the TDPSA, the Attorney General will not seek further enforcement.

Overall, the TDPSA is a significant new law that will have an impact on real estate brokerage firms in Texas. Brokerages should consult with an attorney who specializes in this area and take steps to comply with the TDPSA before it takes effect July 1, 2024.

​

_____________________
Kerri Lewis, J.D.​ (kerrilewis13@gmail.com) is a research fellow with the Texas Real Estate Research Center and a member of the State Bar of Texas and former general counsel for the Texas Real Estate Commission.