Texas Governor Greg Abbott signed into law the Texas Data Privacy and Security Act (TDPSA) on June 18, 2023. With the passage of TDPSA, Texas becomes the tenth state to adopt a consumer data privacy law. TDPSA passed the Texas legislature following a conference committee that aligned differences between the House and Senate iterations of the bill.
What Does the TDPSA Do?
Like most general consumer data protection laws, the TDPSA is designed to provide consumers with valuable information about how their personal information is used, collected and potentially sold. The TDPSA endeavors to protect consumer information by ensuring that individual personal data collected by controllers – individuals or other persons that, alone or jointly with others, determine the purpose and means of processing personal data – is limited to what is adequate, relevant and reasonably necessary to the purposes for which that personal data is processed. Similar to the Health Insurance Portability and Accountability Act (HIPAA), the TDPSA also requires controllers to protect the confidentiality, integrity and accessibility of personal data by establishing, implementing and maintaining reasonable administrative, technical and physical data security practices that are appropriate to the volume and nature of the personal data at issue. More specifically, and as outlined below, the TDPSA grants consumers certain rights with respect to how their personal information is collected and used, requires collectors to reasonably notify consumers about the type of data collected, why such data is being collected and how it will be used, and requires controllers to perform data protection assessments of the consumer personal data, which will weigh the benefits against the risks of processing consumer data. Data protection assessments will address various stakeholders, including controllers, consumers and the public.
Consumer Rights
The TDPSA empowers consumers – Texas residents acting only in an individual or household context – to seek information on how their personal data is being used or processed by a controller. The TDPSA includes several rights consumers may exercise to better understand how their personal data is collected and used, including, without limitation, correcting inaccuracies in consumer's personal information and deleting personal data provided by or obtained about a consumer. Importantly, consumers may also opt out of processing their personal data for targeted advertising, the sale of personal data or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer. Controllers must adhere to consumer requests to opt-out and failure to adhere to such requests could result in a violation of the TDPSA. The TDPSA does provide controllers with flexibility as to how consumers may submit requests related to their personal data; however, the method must be consistent with how consumers typically interact with the controller and cannot require consumers to create new accounts to exercise their rights.
Privacy Notice
Controllers must give consumers a reasonably accessible and clear privacy notice that outlines the type of data a controller processes, the reason for processing the personal data, how consumers can exercise their rights and submit requests to exercise such rights, and if applicable, the type of data that is shared with third parties. There are special statements for privacy notices where the controller is selling sensitive personal data and/or biometric personal data.
Data Protection Assessments
If a controller processes personal data for targeted advertising, sale or profiling, the controller must conduct and document a data protection assessment. A data protection assessment should identify the benefits, both direct and indirect, from processing personal data, and should consider the use of deidentified data, the reasonable expectations of consumers, the context of the processing and the relationship between the controller and the consumer whose personal data will be processed. A data protection assessment conducted by a controller for the purpose of complying with another law may fulfil the data protection assessment requirement within the TDPSA if such assessment has a similar scope and effect.
Who Must Comply?
Unlike its nine predecessors, the TDPSA is applicable to individuals and entities that 1) conduct business in Texas or produce a product or service consumed by Texas residents, 2) process or engage in the sale of personal data and 3) are not considered "small businesses" by the U.S. Small Business Administration.
The TDPSA does not apply to 1) state agencies or Texas political subdivisions, 2) financial institutions or data subject to provisions of the Gramm-Leach-Bliley Act, 3) covered entities or business associates subject to HIPAA, 4) nonprofit organizations, 5) higher education institutions or 6) electric utility, power generation or retail electric providers. Protected health information (PHI) as defined by HIPAA, health records and other personal health information are exempt from the TDPSA.
Who Enforces the TDPSA and When is it Effective?
The TDPSA will be enforced by the Attorney General's office. Consumers do not have a private right of action for potential TDPSA violations. The Attorney General must provide notice of the violation and a 30-day period to cure such violation. To demonstrate that the violation was cured, a person must provide supportive documentation demonstrating the cure. If a person is unable to demonstrate a cure of the violation, such person may be liable for a civil penalty not to exceed $7,500. The majority of the TDPSA goes into effect July 1, 2024.
