Texas Jurisdiction: Sale of Personal Data Criterion in the Texas Data Privacy and Security Act (TDPSA)

The Texas Data Privacy and Security Act (TDPSA) includes the sale of personal data criterion as a key factor in determining the law's applicability. This factor is utilized to bring within the scope of the law any business that processes or engages in the sale of personal data, highlighting the legislative intent to regulate entities that monetize personal information.

Text of Relevant Provisions

TDPSA Sec. 541.002(a)(2):

"This chapter applies only to a person that: (2) processes or engages in the sale of personal data; and"

Analysis of Provisions

• Sale of Personal Data as a Trigger for Applicability: The provision explicitly includes entities that process or engage in the sale of personal data, ensuring that businesses involved in data monetization fall under the scope of TDPSA. The phrase "processes or engages in the sale of personal data" directly targets those entities that handle personal information with the intent of selling it, reflecting the law's focus on protecting consumer data in the context of commercial exploitation.
• Combination with Other Applicability Criteria: This criterion is combined with other factors such as conducting business in the state or targeting residents of Texas. This combination ensures that entities not only have a physical or economic presence in Texas but also engage in activities that potentially endanger the privacy of residents through the sale of their personal data.
• Absence of a Revenue Threshold: Unlike some other jurisdictions that may set a specific revenue percentage from data sales as a threshold (e.g., deriving a certain percentage of gross revenue from data sales), the Texas provision applies broadly to any entity involved in the sale of personal data, regardless of the proportion of revenue derived from such sales. This broadens the scope of the law to include both large-scale data brokers and smaller businesses that may still significantly engage in the sale of personal information.

Implications

• For Businesses Engaged in Data Sales: Companies operating in Texas that engage in the sale of personal data must comply with the TDPSA, regardless of their size or the proportion of revenue derived from such activities. This wide applicability increases the regulatory burden on businesses that might otherwise escape scrutiny in other jurisdictions with higher thresholds.
• Broad Applicability Across Business Models: The absence of a revenue threshold means that even smaller businesses or those with diversified revenue streams that include data sales must ensure compliance with the TDPSA. This could lead to increased operational costs for these businesses as they must implement data protection measures to align with the requirements of the law.