Texas and New Hampshire Add to the Ranks: Proposing Comprehensive Data Privacy Bills for Enhanced Protection

Texas and New Hampshire Add to the Ranks: Proposing Comprehensive Data Privacy Bills for Enhanced Protection

In addition to the existing states such as California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia, both Texas and New Hampshire are poised to implement comprehensive Data Privacy Bills aimed at safeguarding their citizens from businesses and/or other entities engaged in the sale of customer data. The The Texas Data Privacy and Security Act (TDPSA) was signed by the Governor Abbot On Sunday, June 18, 2023 was made into a law. Similarly, On March 6, 2024, New Hampshire Governor Chris Sununu signed the Senate Bill – 255 to make it a law. The new Data Privacy Laws will take effect in Texas on July 1, 2024, and in New Hampshire on January 1, 2025.

Both states have established specific thresholds concerning the number of employees, annual revenue, and the number of customers whose data businesses and other entities hold. Only those businesses and entities involved in selling customer data and meeting these requirements will be subject to the provisions of these laws, mirroring the approach taken by previous states in enacting similar legislation.

The Texas Data Privacy and Security Act (TDPSA) applies only to a person that:

• conducts business in this state or produces a product or service consumed by residents of this state;
• processes or engages in the sale of personal data; and
• is not a small business as defined by the United States Small Business Administration, except to the extent that Section 541.107 applies to a person described by this subdivision.[1]

Clause (b) of the Section A541. 002., deals with businesses, entities or organisations to which this chapter does not apply.

Texas Data Privacy and Safety Act, additionally provides exemption to small business as recognised under the U.S. Small Business Administration’s (SBA) standards. According to current SBA standards, a U.S. business is considered small if it has annual average receipts of less than $2.25 million and fewer than 100 employees. Such small businesses are typically exempt from the primary requirements of TDPSA provided under section Sec.A541.107.A.

On the other hand, `Senate Bill 255 will apply to persons/business/other entities who control or process the personal data of no less than:

(1)         35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or

(2)         10,000 unique consumers and derive more than 25% of their gross revenue from the sale of personal data.

With technology advancing swiftly and digital platforms frequent, excessive amounts of personal information are constantly being created, stored, and exchanged. This data encompasses sensitive aspects of individuals’ identities, choices, actions, and even health status. Yet, as data gathering and manipulation proliferate, so too do the perils of misappropriation, illicit entry, and abuse.

[1] See TDPSA, Sec. A541.002 (a)