In a significant advance towards protecting consumer data, the Texas Data Privacy and Security Act (TDPSA) officially became law in Texas on June 16, 2023. This milestone positions Texas as the 11th state to enact a comprehensive consumer data privacy law. As companies now wrestle with the implications of this legislation, it is crucial to understand the specific state resident, data and revenue thresholds involved. Moreover, businesses must prepare to address potential surges in data subject requests while also navigating the new compliance and reporting obligations.

Understanding TDPSA

The TDPSA reflects a response to the escalating concerns surrounding consumer data protection. As the digital landscape continues to evolve, the institution of data protection laws is a growing trend. TDPSA is designed with the consumer in mind and grants them greater control over their personal information. At the same time, it places the bulk of the responsibility to properly secure and handle consumer data on businesses. The TDPSA applies to all persons that:

  • Conduct business in Texas or produce products or services consumed by Texas residents;
  • Process or engage in the sale of personal data; and
  • Are not small businesses as defined by the Small Business Act.

It is important to note that contrary to its counterparts in other states, the TDPSA does not provide for specific thresholds based on annual revenue or the volume of data processed by a particular business.

Summary of Key Considerations for Controllers:

TDPSA requires that data controllers meet specific requirements in the process of collecting personal data:

  • Only collect data that is “adequate, relevant and reasonably necessary”;
  • Ensure that data is collected in a nondiscriminatory manner;
  • Provide opt-out opportunities for the sale of personal data, targeted advertising, or profiling. Opt-outs must be clearly and conspicuously disclosed;
  • Obtain prior consent in the processing of sensitive personal data. If the individual is a child, the data must be processed in compliance with the Children’s Online Privacy Protection Act of 1998. Controller must provide notice of potential sale of sensitive data. It must state: “NOTICE: We may sell your sensitive personal data”, or for biometric data collected such as fingerprint or face scans, it must state: “NOTICE: We may sell your biometric personal data.”;
  • Controller must provide consumers with a reasonably accessible and clear privacy notice with the following information:
    • The categories of personal data processed by the controller, including any sensitive data;
    • The purpose for processing personal data;
    • The categories of personal data shared with third parties;
    • The categories of third parties with whom the data is shared; and
    • A description of the methods required for a consumer to submit a request to exercise their rights under the TDPSA, including any rights to appeal.
  • Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue.

Exemptions to the Law

Like many other data privacy laws cropping up across the country, the TDPSA allows for “entity-level, data-specific, and employment-related” exemptions. Further, the law only applies to consumers acting in an individual or household capacity and does not apply to business-to-business transactions.

Entity Level Exemptions

  • Electric utilities, power generation companies and retail electric providers;
  • Financial institutions subject to Title V of the Gramm-Leach-Bliley Act;
  • Covered entities governed by HIPAA;
  • State agencies and political subdivisions;
  • Nonprofit organizations; and
  • Institutions of higher education.

Data-Specific Exemptions

  • Health information protected by HIPAA;
  • Information processed in accordance with the Fair Credit Reporting Act, Driver’s Privacy Protection Act, Family Educational Rights and Privacy Act, the Farm Credit Act, and others;
  • Personal data processed by an individual in the act of a personal or household activity; and
  • Emergency contact information.

Employment-Related Exemptions

Information processed or maintained in the course of an individual applying to, being employed by, or acting as an agent or independent contractor, where the information is used for the purposes of that individual’s employment.

Data Subject Requests

With the enactment of TDPSA, companies should anticipate a potential influx of data subject requests. These requests may involve inquiries about the collection, use and deletion of personal information. Consumers may also request corrections of their personal data or a copy of the personal data that was collected. Businesses must establish two or more secure, accessible ways for a consumer to access their data; for example, through the website or via email. All requests must be responded to within 45 days, with a possible extension of an additional 45 days if necessary. Establishing efficient response mechanisms is crucial to ensuring compliance and maintaining trust with consumers.

Compliance and Reporting Guidelines

TDPSA introduces a complex framework of compliance and reporting obligations that companies must navigate. From ensuring the implementation of privacy policies to reporting data breaches promptly, adherence to these obligations is essential for avoiding legal repercussions. Controllers must conduct and document regular data protection assessments that identify the potential risks to consumers and balance them against the benefit to the business of utilizing that information. The categories of information that must be assessed under the law include:

  • Processing personal data for targeted advertising;
  • The sale of personal data;
  • Processing personal data for profiling customers if there is a danger of unfair or deceptive treatment as a result;
  • Processing sensitive data; and
  • Any data processing that presents a “heightened risk to consumers.”  

Data Security Measures

The law underscores the importance of robust data security measures. Companies are expected to implement safeguards to protect consumer data from unauthorized access, disclosure, alteration, and destruction. This includes adopting encryption, access controls, and other industry-standard security practices.

Enforcement

The Texas attorney general has the exclusive authority to enforce the TDPSA and may impose fines of up to $7,500 per violation as well as seek injunctive relief and attorney fees. Consumers do not have a private right of action to bring suit under the TDPSA. If the attorney general discovers a violation of the TDPSA, it will give the business 30 days to “cure” the problem. If the problem is resolved, no charges may be brought.

Conclusion

As Texas joins the ranks of states prioritizing consumer data protection, businesses are tasked with adapting to the new regulatory landscape. Beyond compliance, companies have an opportunity to build trust with their customers by demonstrating a commitment to data privacy and security. Navigating the intricacies of TDPSA requires a proactive approach, with companies taking steps to understand the law’s nuances, establish compliance frameworks and foster a culture of data responsibility.

The cybersecurity law practice team at Wood, Smith, Henning, and Berman is well versed in the implications of this law and its impact on business. Should you have any questions or require legal assistance in achieving compliance with this law, please do not hesitate to reach out to a member of our team.

Meet the Authors

Christopher Seusing
Chris Seusing is the managing partner of WSHB’s Boston, MA and Westport, CT offices. He also leads the firm’s national Cybersecurity & Data Privacy team. With more than 15 years of collective experience in cyber, professional and management liability areas, Chris represents companies and professionals in complex litigation matters around the country. He counsels clients on responding to data breach incidents and regulatory inquiries and investigations, oversees forensic investigations of incidents, drafts information management policies and procedures in compliance with privacy regulations, and collaborates with case teams to implement cost-effective processes using state-of-the-art litigation tools, including analytics and technology-assisted review.
Chris leads WSHB’s National Cyber Incident Team which is available 24/7 to respond to cyber incidents and suspected data breaches, and is part of an international legal team focused on data protection and cybersecurity which is regularly called upon by public and private entities to navigate emerging challenges. He is well-regarded for his real-time knowledge based on best practices which dovetails into his sage counsel on risk management, mitigation and claim avoidance. Additionally, Chris is a published thought leader, guest lecturer at law schools, and sought-after speaker on cybersecurity, data privacy and litigation issues.

Daniel Paret
An accomplished civil and commercial litigation attorney, Daniel J. Paret is a partner in WSHB’s Texas offices. His practice includes commercial and business litigation, labor and employment, oil and gas, and professional liability matters. Dan also handles cybersecurity and data privacy matters, including data breach class actions, tech litigation, breach response cases, and state/federal enforcement of data privacy statutes.
He has successfully represented clients throughout the State of Texas in both state and federal courts. A certified mediator, Dan also represents clients with alternative dispute resolution issues. He has worked as a neutral and arbitrator of disputes.
Dan is a graduate of Pepperdine University Caruso School of Law. While in law school, he served as the Third Year Students’ Class Representative, Chair of the Sports & Entertainment Law Society, and the Student Mentor Program. Dan also participated in moot court, where he was a semi-finalist in the Moriarty Moot Court Competition. He was born in San Juan, Puerto Rico and is fluent in Spanish. After moving to north Texas, he graduated from TCU with a degree in Finance. His legal accolades include recognition as a “Rising Star” from 2020 – 2023 in civil litigation by Super Lawyers Magazine. Dan has also been named a “Top Attorney” by 360 West Magazine, a distinction he’s held since 2017, and a “Top Attorney in Fort Worth” by Texas Magazine from 2015 to the present day.