January 8, 2024
Champion LLP Associate Thaís Dourado Authors Dallas Bar Association Expert Analysis of Energy AI Initiatives and New Texas Privacy Law
By Champion LLP
This article by Thaís Dourado was originally published in the Dallas Bar Association’s January 2024 edition of Headnotes.
Texas is the leading U.S. state in electricity production, generating nearly twice as much as the second-ranked Florida. According to the U.S. Energy Information Administration, Texas is also the nation’s largest electricity consumer. In 2022, the residential sector accounted for approximately two-fifths of electricity sales in Texas, the commercial sector consumed about one-third, and the industrial sector used around three-tenths.
Texas’ power grid avoids regulation by the Federal Energy Regulatory Commission, allowing Texas to have its own energy policy and foster a competitive market for electricity providers in the state. There are various state laws and regulations that govern the industry.
One such law is the Texas Data and Privacy Security Act (TDPSA), which Governor Greg Abbott enacted by signing House Bill 4 on June 18, 2023. The Lone Star State is currently one of the 14 U.S. states with a comprehensive data privacy statute. Many aspects of the TDPSA take effect on July 1, 2024, with additional specific rules regarding universal opt-out technology to take effect on January 1, 2025.
The TDPSA applies to entities that conduct business in Texas or that produce products or services consumed by Texas residents. Unlike all other U.S. states, Texas created a limited exemption in the TDPSA for “small businesses” as defined by the U.S. Small Business Administration (SBA). Nevertheless, whether a small business meets the SBA definition is a complicated issue, and the lack of other thresholds may indicate that the TDPSA will apply broadly.
While the TDPSA is similar to the well-known California Privacy Rights Act (CPRA) and prioritizes consumers, the TDPSA is considered more “business-friendly” than other states’ privacy laws. Like many other U.S. states’ data protection laws (but different from the CPRA), the TDPSA does not provide for a private right of action. The Attorney General will have the exclusive authority to enforce TDPSA violations, although no rulemaking power is provided to the Attorney General to interpret the Act.
The TDPSA affects the Texas energy sector directly. Many companies in the industry are undergoing a global digital revolution and have increasingly utilized information and communication technologies (ICTs) that require the implementation of privacy and security measures. These energy companies must be well-positioned to comply with the TDPSA.
An example of technological development in the electricity sector triggering the application of data protection laws is the use of smart meters. Smart meters allow consumers to track their electricity consumption and costs while collecting such information and transferring it to system operators. Data gathered from the most modern smart meters can serve to identify energy usage patterns associated with specific appliances, including electric kettles and televisions, and with the charging of electric vehicles. Data collected by smart meters can also be combined with other information, such as usage metadata and post code information, to generate sensitive identifying information about specific consumers. For example, power consumption records from a residential hemodialysis machine could reveal an individual’s health diagnosis.
Artificial intelligence and machine learning systems also analyze smart meter-generated consumer information and can reveal lifestyle habits and other personal data. Consumer data has many applications and may be used, for example, to influence behavior. Therefore, data privacy rules and regulations applied to the energy sector are essential to safeguard consumer rights.
Under the TDPSA, covered businesses must obtain clear affirmative consent from consumers before processing sensitive data. Even an otherwise exempt small business is prohibited from selling sensitive personal data that could identify an individual unless the business first obtains that individual’s consent.
The TDPSA requires clear privacy notices to consumers regarding the category of data being processed, the data processing purpose, and the means available for consumers to exercise their data privacy rights. Except for exempt small businesses, if a business engages in the sale of sensitive data, the following notice must be provided: “NOTICE: We may sell your sensitive personal data.” If a business engages in the sale of biometric personal data, the following notice also must be included: “NOTICE: We may sell your biometric personal data.”
The TDPSA requires covered businesses to expand their opt-out compliance programs and recognize universal opt-out mechanisms for the sale of personal data and targeted advertising. Under the TDPSA, such mechanisms must be consumer-friendly and easy to use and allow the data controller to determine if the consumer is a Texas resident and has made a legitimate opt-out request.
Texas energy companies with preexisting compliance policies for the General Data Protection Regulation (GDPR), CPRA, Florida Digital Bill of Rights, Virginia Consumer Data Protection Act, and other states’ data protection laws may already comply with most aspects of the TDPSA. Nonetheless, these companies must carefully analyze Texas’ novel statute and review their compliance programs to ensure adherence to the TDPSA, especially businesses using artificial intelligence, machine learning, and ICTs.