
The Texas Data Privacy and Security Act (“TDPSA”), set to take effect on July 1, 2024, represents a significant step forward in the regulation of personal data collection, use, processing, and treatment by certain business entities in Texas. This legislation, inspired by a growing demand for data privacy, outlines comprehensive measures aimed at safeguarding consumer data and imposing civil penalties for non-compliance.
Who does the TDPSA apply to?
The Texas Data Privacy and Security Act (TDPSA) imposes transparency and disclosure obligations on “controllers,” defined as entities determining the purpose and means of processing personal data. These obligations apply to those conducting business in Texas by providing products or services to state residents, engaging in the sale or processing of personal data, and not qualifying as small businesses per the US Small Business Administration (SBA). Importantly, small businesses that sell sensitive data[1] must obtain consumer consent prior to such activities.
What Does the Texas Data Privacy and Security Act Entail?
The Texas Data Privacy and Security Act introduces several critical components to enhance consumer data protection.[2] Here are some of the key highlights:
Consumer Rights:
- Access and Correction: Consumers have the right to confirm whether a controller is processing their personal data, access that data, and correct inaccuracies.
- Deletion and Portability: Consumers can request the deletion of their personal data and obtain a copy in a portable format.
- Opt-Out Rights: Consumers can opt out of the processing of their personal data for targeted advertising, the sale of personal data,[3] and profiling.
Controller[4] and Processor[5] Duties:
- Data Minimization and Security: Controllers must limit data collection to what is necessary and maintain reasonable security practices.
- Transparency: Controllers are required to provide clear privacy notices detailing data processing activities and consumer rights.
- Nondiscrimination: Controllers must not process personal data in violation of state or federal laws prohibiting unlawful discrimination against consumers, and may not discriminate against consumers who exercise their rights under the TDPSA.
- Processor Obligations: Processors must adhere to the instructions of controllers and assist in compliance with data protection requirements.
- Data Protection Assessments: The TDPSA requires controllers to conduct and document DPAs for certain processing activities. These activities include any processing that might present a heightened risk of harm to consumers, as well as: (1) processing for targeted advertising; (2) sale of personal data; (3) processing for certain types of profiling; and (4) processing sensitive data.
Sensitive Data:
- Special provisions are in place for the processing of sensitive data, including biometric data, health information, and data related to children. Prior consent is mandatory for processing such data.
Enforcement:
- The Attorney General has exclusive authority to enforce the Act. Violations can result in civil penalties of up to $7,500 per violation. The Act also includes provisions for issuing civil investigative demands and outlines procedures for addressing violations.
What Are the Implications for Businesses?
Businesses operating in Texas or targeting Texas residents must prepare for compliance with the new regulations. This includes:
- Reviewing and Updating Privacy Policies: Businesses need to ensure their privacy policies are transparent and comply with the Act’s requirements.
- Implementing Data Protection Measures: Adequate security measures must be established to protect the integrity and confidentiality of personal data.
- Handling Consumer Requests: Processes must be put in place to efficiently handle consumer requests related to data access, correction, deletion, and opting out of data processing.
Looking Ahead: The Future of Data Privacy
The Texas Data Privacy and Security Act marks a pivotal shift towards stronger consumer protection in the digital age. However, the success of this legislation will largely depend on its implementation and the ability of businesses to adapt to the new requirements.
The Act also raises important questions about the future of data privacy regulation in the United States. As states continue to develop their own privacy laws, the need for a unified federal framework becomes increasingly evident. Such a framework would provide consistency for businesses operating across state lines and ensure that all consumers, regardless of their location, enjoy robust data protection.
Moreover, the Act addresses the growing concerns around sensitive data and targeted advertising. By giving consumers more control over their personal data and setting stricter guidelines for businesses, Texas is paving the way for more comprehensive data protection standards. This legislation could potentially influence other states to adopt similar measures, contributing to a nationwide shift towards enhanced data privacy.
How Can You Stay Informed and Prepared?
For businesses and consumers alike, staying informed about the latest developments in data privacy laws is crucial. By prioritizing data privacy and security, we can collectively foster a safer and more trustworthy digital environment. Businesses should consider investing in training programs to educate their staff on the new requirements and ensure that their data handling practices are in line with the Act. Additionally, employing technology solutions that enhance data security and privacy can be a proactive step towards compliance.
In conclusion, the Texas Data Privacy and Security Act is a significant advancement in consumer data protection. Businesses must take proactive steps to comply with the new regulations, while policymakers and industry leaders should continue to collaborate towards a comprehensive national data privacy strategy. Together, we can create a digital ecosystem that respects consumer privacy and promotes trust.
Happy Friday!

1. Sensitive data is defined to include genetic or biometric data, data of known children, precise geolocation data, and personal data revealing racial or ethnic origin, religious beliefs and health status. Notably, unlike other US State Data Privacy Laws, the TDPSA’s definition of sensitive data also includes citizenship and immigration status.
2. H.B. 4, 88th Leg., Reg. Sess. (Tex. 2023) (enacted), available at https://capitol.texas.gov/tlodocs/88R/billtext/html/HB00004F.htm.
3. The act defines it as “sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.” The Texas law’s definition of “sale of personal data” is more similar to the California Privacy Rights Act
4. According to the TDPSA “Controller” means an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data.
5. According to the TDPSA “Processor” means a person that processes personal data on behalf of a controller.

