Selling and Sharing Texans’ Data: Hot Commodity or Ripe for Hot Water?

Understanding the Texas Data Privacy and Security Act Is Essential to Remain Compliant with Customer Data

Whether you’re a car wash operator using automated license plate readers (ALPRs) to see if “Super Wash Jim” visits enough to justify a monthly membership, or you’re a grocery store retailer interested in analyzing customer purchases to predict future sales, data can be extremely valuable. While a business can gather information solely for its own internal purposes, there is also ample opportunity today to sell customer data for additional revenue. Regardless of how you choose to use the data in your possession, determining its uses are critical decisions that every business needs to be prepared for.

In this post, Merritt Law covers the high-level considerations for businesses looking to sell, share or license their customers’ data, specifically Texans’ data under the Texas Data Privacy and Security Act, plus a few considerations for businesses to share data responsibly. Ultimately, whether your business decides to share data with third parties will be a decision that should be made only after consulting competent legal counsel with experience in technology law and carefully considering the risks versus the benefits that sharing data may create. 

Is It Legal to Share Customer Data in Texas?

Whether you can sell or share consumer data in Texas depends on the various federal and state laws that may apply,  the type of data shared, for what purpose, with whom, and the industry you operate in. 

Here in Texas, companies can look to requirements laid out by the Texas Data Privacy and Security Act and other federal laws. When clear statutory guidance is absent, companies can look to non-binding guidance from the Federal Trade Commission (FTC), market trends, and industry standards. As a general rule, businesses should handle customer data prudently – ensuring the data is kept secure, and limiting the use, retention time, and recipients of such data.

Why Does Proper Data Sharing Matter?

While the value of selling customer data can be significant, so too can the consequences for an unprepared business. 

As an example, the Texas Attorney General’s Office recently reached a historic $1.375 billion settlement with Google for Google’s unlawful tracking and collecting of users’ private data, including their geolocation and biometric data. In 2024, Meta had to pay a $1.4 billion settlement deal to the Texas Attorney General’s Office for unlawfully collecting and using facial recognition data. 

While your business may not be Google or Meta, and while you may not be collecting customers’ facial recognition or geolocation data, the collection and sale of personal data by any business should always be properly evaluated.

Which Data Privacy Laws Apply and Who Must Comply?

Federal

There is not yet a comprehensive federal law governing all varieties of data. While some federal laws, such as the U.S. Privacy Act of 1974 (governing dissemination of personal information by federal agencies), the Children’s Online Privacy Protection Act (COPPA) (children’s online privacy), Health Insurance Portability and Accountability Act of 1996 (HIPAA) (confidentiality of medical records), and the Gramm-Leach-Bliley Act (privacy and consolidation of consumers’ financial information by banks, securities firms and insurance companies), exist to protect some forms of personal data, most businesses interested in selling consumer data will rely on individual states’ privacy legislation, laws governing unfair and deceptive trade practices, and self regulation.

State

Each state has different applicability requirements, but determining which state or states’ privacy laws apply to your business typically depends on whether your business 1) has operations in such a state, 2) targets business to residents of that state, or 3) processes data of consumers in that state. Careful analysis should be given to determine any and all state or federal laws that your business may need to comply with. Further, additional laws may apply when data is transferred between state lines.

Businesses operating in Texas or processing Texans’ data should focus on Texas’s Data Privacy and Security Act (Texas DPSA). However, Texas businesses should remain vigilant about changes in state and federal laws, as well as the unintended reach their data collection may have on out-of-state customers.

The Texas Data Privacy and Security Act (DPSA)

Texas’s DPSA applies to for-profit businesses that (1) conduct business in Texas or produce a product or service consumed by Texas residents; (2) process or engage in the sale of personal data; and (3) are not a small business, as defined by the U.S. Small Business Administration (SBA), except to the extent that a small business engages in the sale of sensitive data.

To determine if a business is categorized as a small business, the SBA has defined certain size standards based on annual receipts or number of employees. While some businesses may already know if they qualify as a “small business” based on tax filings, an unsure business should consult with a trusted accountant or legal counsel to help make that determination.

The Texas DPSA further does not apply to certain other types of entities that are already governed by a comprehensive privacy law, such as financial institutions, electric utility providers, and covered entities governed by HIPAA.

Most other businesses, that are not small businesses and that engage in the processing or sale of personal data of Texans, or a business of any size that sells sensitive data of Texans, must comply with the requirements of the Texas DPSA.

Other Privacy Considerations for Responsible Data Sharing

Statutes specifically related to data privacy are not the only considerations for a business to consider. State attorneys general and the Federal Trade Commission often look to other legal frameworks for companies violating consumers’ rights, including violations under deceptive and unfair trade practices laws. 

Best practice states that a business should limit data use and disclosure wherever possible, and only consider sharing or selling data when the benefits to such disclosure outweighs the risk of law violations, data security breaches, and consumer distrust. A prudent business will first ensure its use of data complies with all relevant laws, its handling of customer data is responsible and promotes customer trust, and it has adequate security measures and privacy policies in place to ensure such data is protected. 

Merritt Law Can Help You Stay in Compliance with Data Privacy Regulations

Before selling or sharing customer data, it is important for Texas businesses to understand what data privacy regulations apply to them and their level of control over customer data, among many other crucial details.

While data licensing and sales can be complex, businesses can and should always consult experienced legal counsel to ensure they and their data are protected. Merritt Law can work with you to review or draft your data privacy agreement and walk you through the most effective strategy for ensuring you are protected and avoiding any privacy mishaps. Call us today!

* This article published by Merritt Law is intended for informational purposes only and is not considered legal advice on any subject matter.