The Texas Data Privacy and Security Act (TDPSA): What Businesses Need to Know
Privacy & Compliance | August 02, 2023
On June 16, 2023, Texas Governor Greg Abbott signed the Texas Data Privacy and Security Act (TDPSA) into law, making the Lone Star State the 10th state to pass a comprehensive consumer data privacy law and the fifth to do so in 2023. The law was modeled after Virginia’s VCDPA, with the goal of creating a law that would be largely interoperable with other states’ privacy regulations. However, there are significant differences in the scope and application of the law. The law will go into effect on July 1, 2024, and will cover Texas’s 30 million residents, the second largest jurisdiction of any state-level privacy law, after California.
In this blog, we’ll cover the scope of the Texas Data Privacy and Security Act, the rights it grants to Texas citizens, regulatory requirements for businesses, and how the law will be enforced.
For a more in-depth breakdown of state-level privacy laws, check out our new Comprehensive Guide to US Privacy Law for 2023, a free 46-page eBook that gives a comparison chart of all state-level privacy laws, as well as an in-depth breakdown of each law, the consumer rights and business requirements of each law, and best practices for compliance with the patchwork of US privacy laws.
Who does the Texas Data Privacy and Security Act Apply to?
Unlike other states’ laws, the TDPSA does not use business revenue or volume of data to determine thresholds for applicability; instead, the law makes specific exemptions for organizational categories such as nonprofits and higher education institutions, and for small businesses.
The TDPSA applies to any person or business who:
- Conducts business in Texas or produces products or services consumed by Texas residents;
- Processes or engages in the sale of personal data; and
- Is not a small business, as defined by the US Small Business Administration (an independent business with fewer than 500 employees), unless the business sells sensitive data.
The TDPSA makes entity-level exceptions for government agencies, businesses subject to the GLBA, entities covered by HIPAA or HITECH, nonprofit organizations, higher education institutions, and utility companies.
What Rights does the Texas Data Privacy and Security Act provide for Texas citizens?
Texas’s privacy law grants citizens of the state several new rights, largely based on the rights put forth by the EU’s General Data Protection Regulation (GDPR) in 2018. Below, we examine several rights common among US data privacy laws, whether Texas’s law provides them, and the specific requirements for each right.
Right to Access
Texan consumers have the right to confirm whether a controller is processing the consumer’s personal information and to access that information.
Right to Correction
Consumers have the right to correct inaccuracies in their personal information.
Right to Deletion
The law gives consumers the right to deletion of their personal data, whether provided by or obtained about the consumer.
Right to Data Portability
Consumers have the right to a copy of their personal information in a portable and readily usable format.
Right to Opt-Out of Data Processing
Consumers have the right to opt out of the processing of personal information for the purposes of targeted advertising, selling personal information about the consumer, or profiling. Notably, Texas is the first U.S. state to include pseudonymous data in the “personal data” definition, aligning with the European Union’s General Data Protection Regulation.
The TDPSA also adopts a broad definition of the term “sale” (“sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by a controller to a third party”), which could broaden the scope of application for the law’s consent provisions.
Furthermore, controllers may not process the sensitive data of a consumer without obtaining the consumer’s consent.
As of January 1, 2025, the TDPSA will require controllers to recognize “authorized agents” such as global opt-out mechanisms and browser settings that communicate the user’s wish to opt out.
Right to Opt-Out of Automated Decision Making
Texas’s law gives consumers the right to opt out of profiling – defined here as solely automated processing performed to predict personal aspects of the individual – where used to make decisions that produce legal or similarly significant effects.
What are the Regulatory Requirements for Businesses?
Privacy Notice Requirements
Businesses subject to Texas law are required to provide consumers with an easily accessible, clear privacy notice detailing the types of personal data they process, the reason for processing, the methods consumers can use to exercise their rights, and if relevant, the types of data they share with third parties, and the categories of these third parties. If a controller sells sensitive or biometric personal data, they must explicitly state, “We may sell your sensitive/biometric personal data,” in the same location and manner as the main privacy notice.
Consent Management Requirements
As demonstrated by the ‘right to opt-out,’ Texas’s law follows the opt-out consent model common to US laws. However, the law follows an opt-in consent model where sensitive personal information is concerned.
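As an added illustration (not code from the original post or from CHEQ), the opt-out purposes listed in the rights section above, the browser-communicated opt-out signal mentioned there, and the opt-in rule for sensitive data can be combined into a single processing gate a controller might run before each processing activity. It assumes the browser signal is the Global Privacy Control request header `Sec-GPC: 1`, which the post does not name; the consumer record and purpose names are constructed for the example.

```python
from dataclasses import dataclass, field

# Purposes the post lists as opt-out rights: targeted advertising, sale, profiling
OPT_OUT_PURPOSES = frozenset({"targeted_advertising", "sale", "profiling"})


@dataclass
class ConsumerRecord:
    """Per-consumer preference state a controller would keep (constructed for the example)."""
    consent_sensitive: bool = False                 # explicit opt-in for sensitive data
    opted_out: set = field(default_factory=set)     # purposes the consumer has opted out of


def apply_browser_signal(record: ConsumerRecord, headers: dict) -> ConsumerRecord:
    """Honor a universal opt-out signal sent by the browser.

    Assumption: the signal is the Global Privacy Control request header
    'Sec-GPC: 1'; the post only says 'browser settings that communicate the
    user's wish to opt out'. A present signal opts the consumer out of every
    opt-out purpose at once; its absence changes nothing.
    """
    value = headers.get("Sec-GPC", headers.get("sec-gpc", "")).strip()
    if value == "1":
        record.opted_out.update(OPT_OUT_PURPOSES)
    return record


def may_process(record: ConsumerRecord, purpose: str, sensitive: bool) -> tuple:
    """Decide whether a processing activity may proceed for this consumer.

    Sensitive data follows the opt-in model: no prior consent, no processing.
    Everything else follows the opt-out model: blocked only for purposes the
    consumer has opted out of, whether via a request or a browser signal.
    Returns (allowed, reason).
    """
    if sensitive and not record.consent_sensitive:
        return False, "sensitive data requires the consumer's prior consent"
    if purpose in record.opted_out:
        return False, f"consumer opted out of {purpose}"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample: a visitor whose browser sends the global opt-out signal
    consumer = apply_browser_signal(ConsumerRecord(), {"Sec-GPC": "1"})
    print(may_process(consumer, "sale", sensitive=False))               # blocked by the signal
    print(may_process(consumer, "order_fulfilment", sensitive=False))   # allowed
    print(may_process(consumer, "order_fulfilment", sensitive=True))    # needs opt-in consent
```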
Data Security Requirements
Under Texas law, data controllers must “establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue.”
Data Protection Assessment Requirements
Controllers must perform and document a data protection assessment (DPA) for certain activities involving personal data. These activities include targeted advertising, selling personal data, consumer profiling that poses a reasonable risk of harm, processing sensitive data, and any other process that presents a heightened risk to consumers. The DPA should identify potential benefits and risks associated with the processing, considering safeguards used to mitigate risks. Assessments done in compliance with other regulations, if comparable, may also suffice for the purposes of TDPSA.
Data Collection and Purpose Limitation Requirements
Controllers must limit personal data collection to what is adequate, relevant, and reasonably necessary.
Businesses may not process personal data in violation of state and federal laws that prohibit unlawful discrimination against a consumer and may not discriminate against a consumer for exercising any of their consumer rights.
How will the law be enforced?
The Texas Attorney General solely enforces the TDPSA and can investigate suspected violations. If a person breaches TDPSA provisions and doesn’t rectify the issue within 30 days or violates a written agreement given to the Attorney General, they could face civil penalties up to $7,500 per violation.
Before any enforcement action, the Attorney General must provide a 30-day violation notice. If the controller corrects the violation within this period and provides the Attorney General with a written statement confirming the violation has been fixed, informs the consumer (if possible), furnishes supporting documents, and adjusts internal policies to prevent future violations, no action will be taken.
There is no private right of action under Texas law.
Get Compliant with CHEQ Privacy
State privacy laws like this one are pressing new responsibilities—and penalties—on businesses and marketers. CHEQ Privacy offers organizations a solution to help build a fully compliant website and simplify compliance with Texas’s law, as well as the UCPA, CTCDPA, VCDPA, CCPA, CPA, GDPR, and any future privacy laws.
Request a demo to see how CHEQ can help your organization meet its compliance and consent management needs.