Final Countdown: Understanding and preparing for the Texas Data Privacy and Security Act (TDPSA)

The Texas Data Privacy and Security Act (TDPSA) is a consumer privacy law similar to other states’ privacy laws. This comprehensive new law takes effect on July 1, 2024, and regulates how businesses conducting business in Texas collect, use, and protect personal data. If your organization falls within the scope of TDPSA and you are not yet compliant with TDPSA requirements, you’ll need to move fast to be ready for the July 1 effective date.

This blog post describes who must comply with TDPSA, how it compares with privacy laws in other states, what rights it gives to consumers, what type of personal data is covered, essential TDPSA requirements, non-compliance penalties, and how to prepare your organization to achieve TDPSA compliance.

What Kind of Organizations Must Comply With TDPSA?

TDPSA defines transparency and disclosure obligations for a “controller” (a person or entity who determines the purpose and means of processing personal data) who:

1. Conducts business in Texas by producing products or services consumed by residents of the state,
2. Processes or engages in the sale of personal data, and
3. Is not a small business, as defined by the US Small Business Administration (SBA).

Excluded Organizations and Data

TDPSA does not apply to:

• State government entities.
• Nonprofits.
• HIPAA-covered entities and business associates.
• Higher educational institutions (public or private).
• Utility service providers.
• Gramm-Leach-Bliley Act-regulated entities (financial institutions) and data.

The following classes of data are excluded from TDPSA requirements:

• Health records and health related data.
• Scientific research data.
• Consumer credit-reporting data.
• Personal motor vehicle records.
• Insurance data.
• Data regulated by the Family Educational Rights and Privacy Act or federal Farm Credit Act.
• Employment-related information.

Limited Applicability Provision for Small Businesses

TDPSA has a limited applicability provision requiring small businesses that engage in the selling of sensitive data to obtain the consumer’s consent prior to selling the data. Sensitive data includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, citizenship or immigration status, genetic or biometric data, personal data collected from a known child, or precise geolocation.

No Minimum Thresholds for Revenue or Number of Consumers

TDPSA does not include a revenue threshold or a minimum number of consumers whose personal data is processed or sold for the law to apply. This results in a broader scope of businesses that must comply with TDPSA than is the case with privacy laws in other states, many of which do have minimum thresholds for revenue or number of consumers.

How Does TDPSA Compare with Privacy Laws in Other States?

TDPSA is similar to privacy laws in Virginia, Utah, and Iowa (among others), which are generally business-friendly relative to more stringent laws such as those in California and Colorado. Businesses that are already compliant with other state privacy laws should be well-positioned to comply with TDPSA. With that said, TDPSA contains several unique provisions that companies need to consider when developing their privacy compliance programs.

TDPSA, while sharing similarities with privacy laws in Virginia, Utah, and Iowa, also introduces unique provisions. These provisions, distinct to TDPSA, require businesses to carefully consider and adapt their privacy compliance programs. This is particularly relevant for companies already compliant with other state privacy laws, as they may need to make specific adjustments to meet TDPSA’s requirements.

What Rights Does TDPSA Give to Consumers?

TDPSA grants Texas residents acting in an individual or household context (“consumers”) specific access and control rights concerning their personal data. Consumers may submit authenticated requests to a controller to:

1. Confirm whether the controller is processing their personal data and provide them access to their personal data.
2. Correct inaccuracies in their personal data.
3. Delete personal data provided by or obtained about them.
4. Obtain a copy of the consumer’s personal data that the consumer previously provided to the controller (i.e., data portability).
5. Opt-out of the processing of their personal data for targeted advertising, selling personal data about them, or profiling.

A controller must respond to consumer requests within 45 days. However, that period may be extended for an additional 45 days if reasonably necessary, depending on the complexity and number of requests. TDPSA also grants consumers the right to appeal a controller’s refusal to take action on requests to exercise their rights, to which the controller must reply within 60 days. If the controller denies a consumer’s appeal, the controller must provide the consumer with an online method to contact the Texas Attorney General to submit a complaint.

What Type of Personal Data is Covered Under TDPSA?

TDPSA defines “personal data” covered under the act as “information that is linked or reasonably linkable to an identified or identifiable natural person.” De-identified and aggregated data are excluded. This definition is closely tied to the definitions used in other state-level data privacy laws.

What Are the Key Requirements of TDPSA?

Here’s a summary of the key requirements of TDPSA:

• Limits on collection of personal data. Controllers must limit personal data collection to adequate, relevant, and reasonably necessary as it relates to the purpose you’ve disclosed to the consumer and why you’re processing their data.
• Data security requirements. Controllers must protect the confidentiality and integrity of the data they collect by establishing, implementing, and maintaining “…reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue.”
• User consent. Controllers must obtain user consent:
  • From a legal guardian to process personal data about a child under thirteen.
  • If they intend to process personal data for purposes that are not “reasonably necessary” or “compatible with the disclosed purposes for which the personal data was processed initially.”
  • If they intend to process sensitive personal data, which is defined as personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, citizenship or immigration status, genetic or biometric data, personal data collected from a known child, or precise geolocation.
• Disclosure requirements. Controllers must clearly disclose to consumers:
  • That they are engaged in selling the consumers’ sensitive personal data or biometric data.
  • How to opt out from the sale of their personal data to third parties and the processing of their personal data for targeted advertising.

• Respond to authenticated consumer requests. Controllers are obligated to respond to authenticated requests from consumers related to the TDPSA rights described above in the “What Rights Does TDPSA Give to Consumers?” section (e.g., consumer right to obtain a copy of the personal data that the consumer previously provided to the controller).
  • Controllers must respond to these requests in 45 days or less, with the possibility of a 45-day extension in some circumstances.
  • Controllers must respond free of charge at least twice annually per consumer.
  • Controllers must offer two or more secure and reliable methods to enable consumers to submit requests. These methods must consider how consumers typically interact with you, the necessity for secure and reliable communications, and the ability of the controller to authenticate the identity of the consumer making the request.
• Appeal process. Controllers must establish a process for consumers to appeal the refusal to take action on requests to exercise their rights and provide consumers an online mechanism to contact the attorney general should their appeal be denied.

• Data protection impact assessments. Controllers must conduct and document data protection impact assessments if they perform any of the following data processing activities:
  • Process personal data for targeted advertising.
  • Take part in the sale of personal data.
  • Process personal data for profiling.
  • Process sensitive data.
  • Conduct any processing activities involving data that present an increased risk of harm to consumers.

• Contractual obligations for processors. If a controller relies on a third-party data processor, both parties must sign a contract that incorporates TDPSA stipulations, including:
  • Clear instructions for processing data.
  • The purpose and nature of the processing.
  • The type of data that’s subject to the processing.
  • The duration of the processing.
  • The rights and obligations of both parties.
  • A requirement that the processor shall ensure that each person processing the data is subject to a duty of confidentiality.
  • A requirement that the processor will delete or return all data to the controller as requested.
  • A requirement that the processor will make all information in their possession available to the controller to demonstrate compliance with the TDPSA.
  • A requirement that the processor will allow and cooperate with reasonable assessments by the controller and their designated assessor.
  • A requirement that the processor will only engage with subcontractors under contracts that meet these same stipulations.

• Controllers must provide a clear privacy policy that includes the categories of personal data processed, the purpose for processing personal data, the categories of personal data shared with third parties, the categories of third parties, and the consumer’s rights and the manner in which consumers may exercise their rights, including to appeal.

In this section, we’ve touched on key requirements of TDPSA, but it is important to note that there are additional requirements and nuances that must be reviewed in detail as you plan to bring your organization into compliance with this comprehensive data privacy law.

Are There Penalties for Non-Compliance?

Organizations found to be in violation of TDPSA will be given a 30-day grace period to remedy the violation(s). Failure to remedy the violation(s) within this timeframe may result in the Attorney General imposing civil penalties of up to $7,500 for each violation. The Attorney General may also take the following actions:

• Recover civil penalties.
• Restrain or enjoin the person from violating the TDPSA.
• Seek injunctive relief.
• Recover attorney’s fees and other reasonable expenses incurred in the investigation.

How Should We Prepare Our Organization?

In this section, we’ll outline the steps your organization will likely need to take to align with TDPSA requirements.

If you already comply with other U.S. state privacy laws or international privacy laws such as GDPR, you may have limited work to do. In this case, the first step will be to identifying gaps between your privacy posture and TDPSA requirements. Then, you’ll need to develop and implement a plan to close the gaps.

The major steps needed to comply with TDPSA are summarized below:

• Create a process for authenticating consumer requests.
• Create a process for consumer appeals.
• Conduct data protection impact assessments.
• Update your privacy policy. Controllers must provide consumers with a reasonably accessible and clear privacy policy that explains:
  • The categories of personal data processed, including sensitive data.
  • The purpose for processing the data.
  • How consumers can exercise their rights and the process for appealing the decision.
  • The categories of data shared with third parties, if any.
  • The categories of the third parties you share the data with, if any.
  • A description of how consumers can submit requests to exercise their rights under TDPSA.
• Controllers that sell sensitive personal data or biometric information must include the following notice(s) in “the same location and in the same manner as the privacy notice”:
  • NOTICE: We may sell your sensitive personal data.
  • NOTICE: We may sell your biometric personal data.
• Update your website(s) to honor universal opt-out preferences on users’ browsers.
• Update your cookie consent banners to include opt-out options and appropriate policy links to meet TDPSA opt-out requirements (e.g., opt out of sale of personal information).
• Update your systems and processes to ensure you can meet TDPSA User Consent and Disclosure requirements.
• Develop and obtain signed contracts with third-party data processors that incorporate TDPSA stipulations.
• Update your data security posture to ensure you can adequately protect the confidentiality and integrity of personal data being collected. Make sure you are using “…reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue.”

We Can Help

Tevora’s data privacy and security experts can answer any questions you have about TDPSA and how it compares to other data security laws. We would also welcome the opportunity to help your organization plan for and implement the changes needed to comply with this comprehensive data security law. Just call us at (833) 292-1609 or email us at sales@tevora.com.