Texas Data Privacy and Security Act: What You Should Know About TDPSA?
Last year, a significant development occurred in the Lone Star State: the signing of the Texas Data Privacy and Security Act.
You may have a lot of questions about this law, so this article aims to shed light on it and give you a comprehensive understanding of what your business needs to consider for TDPSA compliance.
Let’s dig in.
Key Takeaways
- The Texas Data Privacy and Security Act regulates how businesses operating in Texas and selling products and services to Texas residents can process their consumers’ personal data.
- The law will come into effect on 1st July 2024, save for specific provisions related to universal opt-out mechanisms that go into effect on 1st January 2025.
- The TDPSA is enforced by the Attorney General, who can fine a business $7,500 per violation.
Texas Data Privacy and Security Act Overview
The Texas Data Privacy and Security Act (TDPSA), or Bill H.B. 4, was passed in the Senate of Texas and signed by Governor Greg Abbott on 10th May 2023.
TDPSA regulates how businesses handle and process consumers’ personal data, including collection, storage, sharing, selling, etc.
Most of the law’s provisions will come into effect on 1st July 2024 (the same day as the Oregon Consumer Data Protection Act). However, specific requirements, such as the universal opt-out mechanism and Global Privacy Control (GPC), will not take effect before 1st January 2025.
Who Does the Texas Data Privacy Act Apply To?
The Act applies to businesses that operate in Texas, collect and process personal information from consumers residing in Texas, and satisfy at least one of the following:
- Have a gross revenue per year of more than $25 million
- Buy, sell, receive, or share for profit personal information of 50,000 or more consumers
- Derive a minimum of 50% of their annual revenue.
However, TDPSA does not apply to:
- Nonprofit organizations
- Federal and Texas state agencies
- Financial institutions covered by the Gramm-Leach-Bliley Act (GLBA)
- Covered entities under the Health Insurance Portability and Accountability Act (HIPAA)
- Higher education institutions
TDPSA Key Terms and Definitions
Here’s how the Texas Data Privacy and Security Act defines the most important terms when it comes to data privacy:
- Consumer
An individual who is a resident of this state acting only in an individual or household context.
- Controller
An individual or other person that (...) determines the purpose and means of processing personal data
- Child
An individual younger than 13 years of age.
- Consent
A clear and affirmative act, signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.
- Personal information
Information that identifies, relates to, describes, can be associated with, or can reasonably be linked to, directly or indirectly, a particular consumer or household.
- Processor
A person who processes personal data on behalf of a controller
- Sensitive Data
A category of personal data. The term includes:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical diagnosis, sexuality, or citizenship or immigration status
- Genetic or biometric data that is processed to uniquely identify an individual
- Personal data collected from a known child
- Precise geolocation data
- Third-party
A person other than the consumer, the controller, the processor, or an affiliate of the controller or processor.
Consumer Rights Under the Texas Data Privacy Act
The Texas Data Privacy Act grants consumers a similar set of privacy rights as most other data privacy regulations in the US, like VCDPA or CPRA.
These consumer personal data rights include:
- Right to access data. The consumer has the right to know if the controller is processing their personal data and to access that data.
- Right to correct data. Under TDPSA, the consumer has the right to request that the controller correct any inaccuracies in the personal data it holds relating to the consumer.
- Right to delete personal data. At any point, including if the consumer previously granted consent, they have the right to request that the controller delete their personal data.
- Right to data portability. The consumer can request a copy of their personal data in a readily usable and portable digital format and transfer the data to another controller.
- Right to opt-out of data processing. The consumer has the right to opt out of data processing done for:
- Targeted advertising
- Sale of personal data
- Profiling
The law does not, however, include the right to restrict the processing of personal data.
Main Requirements of the Texas DPSA
The Texas Data Privacy Act includes specific requirements and provisions for controllers and processors. These are:
Controller Requirements
The controller must limit personal data collection to what is relevant and necessary for the purposes for which it is processed.
They must also respond to an authentic consumer request (also called a DSAR) regarding their personal data within 45 days of receiving the request. This period can be extended by another 45 days in certain circumstances, in which case the controller must inform the consumer of the extension within the original 45 days.
In addition, the controller has to provide a clear and accessible privacy notice. This should include:
- Categories of data it is processing
- The purpose of processing data
- How consumers can exercise their data privacy rights
- Categories of personal data it shares with third parties
- Categories of third parties with whom the controller shares consumer personal data
The controller may not:
- Process consumer personal data for any purpose other than what is specified to the consumer unless the consumer grants explicit consent
- Process personal data in a way that violates federal and state laws against unlawful consumer discrimination
- Discriminate against consumers for exercising their data privacy rights
- Process the consumer’s sensitive personal information (SPI) without obtaining their consent or their parent’s or guardian’s consent if the consumer is a child.
Processor Requirements
Under the Texas Data Privacy Act, the processor “shall adhere to the instructions of a controller and shall assist the controller in meeting or complying with the controller’s duties or requirements.”
In particular, the processor must assist the controller in:
- Responding to consumer rights requests
- Complying with data processing security requirements and security data breach notifications (the Texas Identity Theft Enforcement and Protection Act, TITEPA, regulates these)
- Providing necessary information for the controller to conduct and document a Data Protection Assessment (DPA)
The controller and processor must have a contract between them that outlines:
- Clear data processing instructions
- Nature and purpose of processing
- Types of data processed
- Duration of processing
- Rights and obligations of both parties
In addition, the processor must:
- Be subject to confidentiality regarding the data it is processing
- Delete or return, at the controller’s request, all personal data after completing their service (unless the law requires its retention)
- Make all data in its possession available at the consumer’s request
- Allow and cooperate with the controller or the controller-designated assessor on assessments
Consent Requirements
Data controllers usually don’t need to obtain explicit user consent before collecting their data. The only exceptions include the following:
1. Processing data belonging to a known child.
A “known child” is someone under 13 years of age whose age the controller actually knows or willfully disregards.
Before processing personal data belonging to a known child, the controller must first obtain consent from the child’s parent or legal guardian.
2. Processing sensitive personal data
Consent is also required if the controller intends to process sensitive personal data, such as racial or ethnic origins, genetic or biometric data, sexual orientation, religious or political beliefs, precise geolocation data, etc.
3. Processing data not reasonably necessary or compatible with the specified data processing purpose
How to Prepare Your Business for the TDPSA?
For the most part, the TDPSA will come into effect on 1st July 2024, save for specific provisions which will take effect on 1st January 2025. Here’s a checklist of what you must do to prepare your business for TDPSA compliance:
- Update your Privacy Policy and ensure that you follow all obligations under TDPSA.
- Update your Cookie Consent Management Policy to adhere to the TDPSA. Pay particular attention to providing clear opt-out options to users regarding targeted advertising and selling personal data.
- Perform a Data Protection Assessment for data whose processing can harm an individual or their property.
- Create a Data Subject Access Request (DSAR) form that consumers can easily access and link to your Privacy Policy.
- Implement adequate and reasonable security measures to protect consumers’ personal information.
- Ensure your processors adhere to the TDPSA requirements
What Happens if You Violate the Texas Data Privacy and Security Act?
The Attorney General can issue a civil investigative demand against an entity that the Attorney General has reasonable cause to believe is violating this law, and may request that the controller disclose any DPA relevant to that investigation.
Upon receiving the notice from the Attorney General, the business has a cure period of 30 days, during which it has to correct the specific violations.
If the business fails to correct the violations within 30 days, the Attorney General can fine them up to $7,500 per violation.
The Attorney General has full authority to enforce this Act, but the law does not include a private right of action.
Frequently Asked Questions (FAQs)
What are the Exemptions From the Texas Privacy Act?
The Texas Data Privacy and Security Act will not apply to:
- Nonprofit organizations
- Covered entities under the Health Insurance Portability and Accountability Act (HIPAA)
- Federal and Texas state agencies
- Financial institutions covered by the Gramm-Leach-Bliley Act (GLBA)
- Higher education institutions
In addition, certain information is also exempt from the Act, such as:
- Protected health information (PHI) under the Health Insurance Portability and Accountability Act
- Health records
- Patient-identifying information
- Identifiable private records collected as part of clinical research or for the protection of human subjects
- Personal information regarding the consumer’s credit standing and records
- Personal information processed under federal laws such as the Fair Credit Reporting Act (FCRA), Family Educational Rights and Privacy Act (FERPA), Farm Credit Act (FCA), Driver’s Privacy Protection Act (DPPA), and others
- Data processed in the context of employment
- Data used for emergency contact purposes
- Data necessary to administer the benefits to another individual
What is the Data Breach Law in Texas?
The obligations of Texas companies regarding data breach incidents and identity theft are regulated by the Texas Identity Theft Enforcement and Protection Act (TITEPA).
Under TITEPA, a business that suffers a security breach must provide a written or electronic notice to the affected individual within 60 days of discovering the breach.
What is the Texas Information Act?
The Texas Information Act, or [the Public Information Act](https://comptroller.texas.gov/about/policies/open-records/public-information-act.php) (PIA), grants individuals the right to access government records. The officer for public information may not ask why you need this information.
Under the PIA, an individual requesting the information (requestor) has the right to:
- Access information that is not confidential or otherwise protected
- Receive equal treatment as other requestors
- Receive information like voting of public officials
- Receive, in advance, a written itemized statement of the estimated charge if it exceeds $40
- Choose between inspecting the requested information, receiving a copy, or both
- Get a waiver or reduction if the access to the requested information is of public benefit
- Obtain a copy of the communication from the governmental body asking the Attorney General’s office for a ruling if the information can be withheld.
- File a complaint for overcharges with the Office of the Attorney General for public information.
How Can Captain Compliance Help?
Texas is one of only two US states with a population of over 30 million. That means 30 million potential consumers whose personal data you might be responsible for if you run a business in the Lone Star State or sell products and services to Texas residents.
Despite this, Texas only recently signed a comprehensive data privacy law that regulates this.
The Texas Data Privacy and Security Act will become effective on 1st July this year, so you need to prepare your business. Luckily, Captain Compliance can help you with this and ensure you comply with the TDPSA.