And Texas Makes Ten: An Update on State Privacy Laws and VPD

VPD Provisions

The TDPSA does not specifically define “vehicle information” or include any provisions specific to VPD. It defines “personal data” as “any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual.” Notably, the definition of “personal data” expressly “includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.” However, it does not include “deidentified data or publicly available information.” H.B. 4, 88th Gen. Assemb., Reg. Sess. § 541.001(19) (Tex. 2023).

“Sensitive data” is defined as “a category of personal data” that includes, among other things, “precise geolocation data,” which is “information derived from technology, including global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of one thousand seven hundred fifty feet (1,750’).” H.B. 4, 88th Gen. Assemb., Reg. Sess. § 541.001(21), (29)(C) (Tex. 2023).

If a consumer “provides” data to a controller and such data is available in “a digital format,” the controller must provide such data to the consumer following an “authenticated request” in a “readily usable format that allows the consumer to transmit the data to another controller without hindrance.”  H.B. 4, 88th Gen. Assemb., Reg. Sess. § 541.051(b)(4) (Tex. 2023). With some exceptions, the controller also must respond to the request free of charge and within 45 days. H.B. 4, 88th Gen. Assemb., Reg. Sess. § 541.052(b), (d) (Tex. 2023).

The TDPSA restricts the processing of personal data for undisclosed purposes without consumer consent, and the processing of sensitive data without consent. H.B. 4, 88th Gen. Assemb., Reg. Sess. § 541.101 (Tex. 2023).

The TDPSA also covers “biometric data,” defined as data that is “generated by automatic measurement of an individual’s biological characteristics,” including “a fingerprint, voiceprint, eye retina or iris, or other unique biological patterns or characteristics that are used to identify a specific individual.” H.B. 4, 88th Gen. Assemb., Reg. Sess. § 541.001(3) (Tex. 2023). Such data is included within the definition of “sensitive data” when it is “processed for the purpose of uniquely identifying an individual.” H.B. 4, 88th Gen. Assemb., Reg. Sess. § 541.001(29)(B) (Tex. 2023).While this may not have obvious implications in a discussion about VPD, as we noted in a prior update, recent litigation in Illinois involving Subaru’s driver monitoring feature suggests otherwise.

The TDPSA specifically exempts from its scope “personal data collected, processed, sold, or disclosed in compliance with the Driver’s Privacy Protection Act of 1994 (18 U.S.C. Section 2721 et seq.).” H.B. 4, 88th Gen. Assemb., Reg. Sess. § 541.003(12) (Tex. 2023).

In addition, the TDPSA does not prohibit a controller of processor of protected data from collecting, using, or retaining data to “conduct internal research to develop, improve, or repair products, services, or technology” or to “effect a product recall.” H.B. 4, 88th Gen. Assemb., Reg. Sess. § 541.202 (Tex. 2023).