Texas Data Privacy and Security Act brings Texas among the ranks of several states to enact comprehensive data privacy laws.
Texas Data Privacy and Security Act (TDPSA) was passed on June 16th, 2023 and will take effect on July 1, 2024, bringing Texas among the ranks of several states to enact comprehensive data privacy laws. With its enactment, at least 40% of the US population will now have access to new data privacy rights. Companies should be prepared to navigate compliance complexities that may come about as a result. The TDPSA is founded on principles of data governance, such as purpose limitation and robust security measures. It prohibits controllers from collecting excessive personal information or utilizing collected data for purposes other than those for which it was originally intended, unless they have obtained the consumer’s consent. The TDPSA is considered slightly more “business-friendly” than laws in California and Colorado. Consequently, companies prepared to comply with other state privacy laws should be well-positioned to comply with the TDPSA. However, several notable provisions in the TDPSA should be considered when developing company compliance programs.
The TDPSA applies to most businesses that conduct business in Texas or with Texas residents, save for a few key exceptions.
TDPSA applies to individuals or organizations that conduct business in Texas or offer products or services to Texas residents, process or engage in the sale of personal data, and do not meet the definition of “small businesses” as defined by the Small Business Administration. Unlike privacy laws in certain states, the TDPSA does not set specific thresholds based on annual revenue or the volume of personal data processed. The TDPSA does however, set exemptions for entity-level, data-specific, and employment-related situations. The TDPSA also has processing-related exemptions, which allow controllers and processors to process personal data for specific purposes, such as complying with laws or regulations, protecting the safety of individuals, or providing a product or service requested by a consumer.
The TDPSA mandates several specific controller obligations, and rights that they must fulfill to consumers.
The TDPSA mandates specific obligations for data controllers, including limiting personal data collection, non-discrimination, opt-out rights for sales and targeted advertising, protections for sensitive personal data, and providing privacy notices. In addition TDPSA provides consumers certain rights regarding their personal data, including the ability to confirm the processing and access of their personal information, request corrections to inaccurate data, request the deletion of their information, and obtain a portable copy of their data if available digitally. Businesses subject to the TDPSA must provide two secure methods for consumers to submit requests to exercise their rights. Responses to consumer requests are due within 45 days of receipt, with a possible 45-day extension. Controllers must provide information in response to a consumer’s request per consumer free of charge, unless the request is considered excessive. Additionally, the TDPSA renders void any provision in a contract that waives or limits consumer rights.
It also prohibits businesses from collecting “sensitive data” (e.g., racial, religious beliefs, health, sexual orientation, citizenship) without consent. This includes genetic and biometric data and geolocation data within a certain radius. For children under 13, COPPA’s verifiable parental consent is required for data collection.
Data Protection Assessments and processor contracts are required for all controllers regulated by the TDPSA.
Under TDPSA, controllers must conduct data protection assessments for certain data processing with significant consumer risks. Similar to Connecticut’s privacy law, these include targeted advertising, personal data sales, unfair or deceptive treatment profiling, sensitive data processing, and activities posing a heightened risk. It is important to note that assessments need not be retroactive.
The TDPSA also employs a controller-processor framework, requiring controllers and processors to enter into agreements that stipulate data processing instructions, data type, processing duration, and party rights and obligations. These agreements should cover confidentiality of personal information, contracts with subordinate processors, data deletion or return upon contract termination, and collaboration in assessments by the controller.
The Texas state attorney has exclusive enforcement rights of the TDPSA, and provides a 30-day cure period to allow businesses to rectify violations.
The TDPSA is exclusively enforced by the state’s attorney general. Civil penalties up to $7,500 for violations, injunctive relief, and fees recovery are possible. Consumers lack a private right of action. Before enforcing the TDPSA, the attorney general must provide a 30-day “cure” period, during which violations can be rectified without enforcement action. Proper cure requires a written statement and appropriate measures. The right to cure under the TDPSA is permanent, unlike in certain states where the right to cure expires.
If you have any questions about complying with the TDPSA. or other US data privacy laws, or need assistance reviewing your data privacy practices, connect with Aphaia today.
