Texas has passed its HB 4, joining a growing list of states which have passed their own data privacy laws, laws which impact email and email marketing, among other things. The new Texas law goes into effect on July 1, 2024, and affects any business which either is in Texas, or which does business with individuals who reside within Texas. It is also very strict on email address collection, email use, and email marketing, and among other things it requires consent before you do nearly anything non-transactional with someone’s email address. We break it down for you here.
Unlike most of the other new state privacy laws, including those of Connecticut, Colorado, Utah, and Virginia, the new Texas data privacy law doesn’t itself spell out any size or revenue threshold in terms of whether the law is applicable to your business. Instead it basically applies to any business which does not meet the definition of a ‘small business’ used by the Federal government’s Small Business Administration (‘SBA’). According to the Small Business Administration, “The Office of Advocacy defines a small business as an independent business having fewer than 500 employees.”
On another page the SBA elaborates that in order to be designated as a small business, the business must:
Be a for-profit business of any legal structure
Be independently owned and operated
Not be nationally dominant in its field
Be physically located and operate in the U.S. or its territories
And adds that “Most manufacturing companies with 500 employees or fewer, and most non-manufacturing businesses with average annual receipts under $7.5 million, will qualify as a small business.”
So, again, if your business does not fall within these parameters then the new Texas data privacy law does apply to you, whether you are a business headquartered in Texas, or a business outside of Texas that does business with people who are in Texas.
Here’s specifically how the new Texas privacy law is applicable to email collection and email marketing. At the end is the direct link to the text of the new law.
How the New Texas Data Privacy Law (HB 4) Applies to Email and Email Marketing
In order to understand how the new Texas data privacy law applies to the collection and use of email addresses, one needs to look specifically at two of the definitions contained within the law; those are the definitions of ‘personal data’, and of ‘consent’. Here are those definitions:
Texas Data Privacy Law Definition of Personal Data
“Personal data” means any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. The term does not include deidentified data or publicly available information.
Texas Data Privacy Law Definition of Consent
We’re not going to put the definitions of data “controller” and data “processor” here; the bottom line is that if you are collecting email addresses, sending email to email addresses, running a mailing list, doing email marketing, or any of those sorts of things, you meet the definition of ‘controller’, ‘processor’, or both.
Here’s what the Texas law says about the collection and use of personal data (which includes email addresses). The actual text of the law is in italics; our explanations and commentary are in bold.
SUBCHAPTER C. CONTROLLER AND PROCESSOR DATA-RELATED DUTIES AND PROHIBITIONS
Sec. 541.101. CONTROLLER DUTIES; TRANSPARENCY.
(a) A controller:
(1) shall limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which that personal data is processed, as disclosed to the consumer; and
This is a short sentence with a lot of oomph. This clause actually means that you must disclose to someone what you are going to do with their email address before you do it; this means you must tell them that you are going to put them on a mailing list before you do it.
(2) for purposes of protecting the confidentiality, integrity, and accessibility of personal data, shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue.
This one is self-explanatory.
(b) A controller may not:
(1) except as otherwise provided by this chapter, process personal data for a purpose that is neither reasonably necessary to nor compatible with the disclosed purpose for which the personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent;
This reinforces the first clause above; you may not do anything with someone’s email address unless either you have disclosed to them that you are going to do that thing with their email address OR you have the person’s direct consent to do it.
(2) process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers;
(3) discriminate against a consumer for exercising any of the consumer rights contained in this chapter, including by denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer; or
These two are self-explanatory and not (we hope!) relevant to either your business practices or our discussion here.
(4) process the sensitive data of a consumer without obtaining the consumer’s consent, or, in the case of processing the sensitive data of a known child, without processing that data in accordance with the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. Section 6501 et seq.).
This is the clause that really puts a fine point on it. You may not put someone’s email address on a mailing list without their consent, because that amounts to processing it. That also means that you may not do cold emailing unless, arguably, you do it truly manually, typing each person’s email address into your mail client, although a legal argument can be made that this also is processing it.
You can go here to read the full text of Texas’ new data privacy law (HB 4)