Get Ready to Comply with Three New State Data Privacy Laws by July 1 

April 30, 2024

Businesses have only a short window remaining to ensure compliance with three new privacy laws. On July 1, three new comprehensive state data privacy laws take effect: the Tennessee Information Protection Act (TIPA), the Texas Data Privacy and Security Act (TDPSA), and the Oregon Consumer Privacy Act (OCPA). While Tennessee’s and Oregon’s laws mostly conform to the model set by states like Virginia, Connecticut, and Colorado, Texas’s law diverges significantly from that model with respect to its applicability thresholds, which will be the most expansive of any state law to date. Businesses should carefully evaluate whether they meet the threshold requirements of each law, as detailed below.

The thresholds for Tennessee’s TIPA and Oregon’s OCPA are nearly identical and follow the pattern used by most other state data privacy laws currently in effect. Both laws apply to all persons or entities who do business in the respective state and process the personal information of over 100,000 residents of that state or over 25,000 residents if the person or entity derived a certain percentage of their gross revenue from the sale of personal information – 50% for TIPA and 25% for OCPA. TIPA and OCPA each contain a number of exemptions, including for information collected by a business from its employees. Notably, unlike many other state data privacy laws, OCPA does not contain a blanket exemption for nonprofit organizations. Neither TIPA nor OCPA provides a private right of action, as both laws provide for exclusive enforcement authority by the states’ respective Attorneys General. 

The thresholds for Texas’s TDPSA, on the other hand, deviate substantially from the archetype established by other states, with the result being that many businesses are likely to find themselves within the scope of the new Texas law. As with every other state data privacy law currently in force, an entity must do business in Texas to be subject to the TDPSA. However, unlike any other state law to date, TDPSA does not set a minimum revenue threshold or a minimum number of consumers from whom an entity must gather personal data to be subject to the law. Instead, businesses are subject to Texas’s law if they

  1. process or engage in the sale of personal data of any Texas residents and
  2. are not a small business, as defined by the U.S. Small Business Administration.

These thresholds are markedly broader than those of any other state data privacy law enacted to date and will likely have the effect of requiring businesses not subject to any other state law to comply with TDPSA. TDPSA does, however, contain a number of exemptions that are common to other states’ privacy laws, including exemptions for nonprofits, entities regulated by either the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA), and data regulated by the Family Educational Rights and Privacy Act (FERPA). Finally, as is the case with TIPA, OCPA, and most of the other current state privacy laws, the TDPSA does not afford a private right of action, and the law may only be enforced by Texas’s Attorney General.

While many of the compliance requirements imposed by the TIPA, OCPA, and TDPSA align with those found in other state data privacy laws, each contains nuances that may require subject entities to update their current data privacy compliance programs. As described above, Texas’s law will have the broadest applicability thresholds of any state law to date. As such, businesses should carefully evaluate whether they meet any compliance thresholds for these new laws. 

Authors

Benjamin Mishkin

Member

bmishkin@cozen.com

(215) 665-2171

Daniel Kilburn

Associate

DKilburn@cozen.com

(215) 665-4726