The state privacy law landscape in the United States is continually evolving. Texas is the tenth state with a consumer data privacy law aiming to protect the privacy of Texas residents.

The law came into effect on July 1, 2024, except for a few provisions, whose effective date is January 1, 2025.

What is the Texas Data Privacy and Security Act (TDPSA)?

The Texas Data Privacy and Security Act (TDPSA) is Texas’ state law that protects consumer privacy by imposing certain obligations on businesses and granting consumers data privacy rights. The TDPSA took effect on July 1, 2024, following its signing on June 18, 2023. However, the provisions on universal opt-out mechanisms come into effect six months later, on January 1, 2025.

Does the TDPSA Apply to Your Business?

Like all other privacy laws in the US states, the TDPSA also sets a threshold for applicability. However, this one differs somewhat. Instead of setting a monetary threshold, it primarily excludes small businesses.

The TDPSA applies to businesses that:

• Conduct business in Texas or target Texas consumers.
• Process or sell personal data.
• Do not qualify as a small business as defined by the Small Business Administration (SBA).

If you process personal data and target Texas consumers, a common practice for many US and global online businesses, you need to determine whether you qualify as a small business. This determination will establish whether this law applies to you.

The Small Business Administration uses various criteria across different industries to determine a business's size, so we cannot provide a straightforward answer here.

Is Anyone Exempt from the Texas Data Privacy Law?

Even though they meet the applicability criteria, the following are not covered by the TDPSA:

• State agencies or political subdivisions of the state of Texas.
• Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA).
• A covered entity and information under HIPAA.
• Nonprofit organizations.
• Higher education institutions.
• Electric power companies or providers.

What Is Personal Data Under the Texas Privacy Act?

Under the TDPSA, personal data includes any information, including sensitive data, linked or reasonably linkable to an identified or identifiable individual. Unlike some other laws, it doesn’t explicitly list the categories of personal data. As long as a piece of information can identify someone, that information is personal data and falls under the scope of the law.

The TDPSA provisions further clarify that pseudonymous data, when used in conjunction with additional information, also qualifies as personal data because it can reasonably link the data to an identified or identifiable individual.

The law exempts certain categories of personal information from its scope.

• De-identified data.
• Data protected under HIPAA.
• Health records.
• Data collected and processed in relation to a criminal investigation.
• Data in an employment context.

What is TDPSA Sensitive Personal Data?

The TDPSA differentiates between personal data and sensitive personal data, giving the latter a special regime. Sensitive data encompasses the following types of information:

• Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, or citizenship or immigration status.
• Genetic or biometric data processed for the purpose of uniquely identifying an individual.
• Personal data collected from a known child.
• Precise geolocation data.

What Are TDPSA Controllers and Processors and What Are Their Duties?

Controllers are companies that make decisions on data collection, processing, use, storage, etc. Processors are companies that act on behalf of the controllers.

If you run an e-commerce store, you are the data controller. The third-party tools you use to process personal data, such as those used for email communication, targeted ads on social media, or tracking website usage, are your data processors.

If you run a SaaS business, you can be a controller when you use data for your own business and act as a data processor for businesses that use your SaaS.

The duties of controllers include:

• Processing personal data only for the purposes for which it has been collected.
• Processing only the minimum amount of data necessary for fulfilling the processing purpose.
• Obtaining explicit consent for processing sensitive data.
• Providing consumers with privacy notices.
• Responding to valid consumer requests.
• Entering into contracts with each processor to ensure that data is processed lawfully
• Conducting data protection impact assessments if necessary.
• Implement data security practices.

Processors’ duties include:

• Processing data on behalf of the controller only based on a written contract.
• Assisting the controller in responding to data requests.
• Helping the controller with data security and breach responses.
• Providing the controller with necessary information needed for conducting data protection impact assessments.

What Is a Data Processing Agreement, and Why Do We Need It?

The Data Processing Agreement is a contractual agreement between the controller and the processor, wherein the controller provides instructions to the processor regarding processing.

This contract regulates the processor's data processing practices for tasks carried out on behalf of the controller. The Texas Consumer Privacy Act explicitly prescribes that the contract must include:

• Clear instructions for processing data.
• The nature and purpose of processing.
• The type of data subject to processing.
• The duration of processing.
• The rights and obligations of both parties.
• A requirement that the processor must: Keep data confidential. Delete or return the data on the controller’s request. Allow and cooperate with reasonable assessments by the controller or the controller's designated assessor. Hire only subcontractors that meet the requirements applicable to the processor.

What Is a TDPSA-Compliant Privacy Notice?

You owe your users information on how you handle personal data. You need to provide that information through your privacy notice, also widely known as a privacy policy.

The TDPSA, like many other laws, prescribes the essential elements that each privacy policy should contain. These include:

• The categories of personal data processed by the controller, including, if applicable, any sensitive data.
• The processing purposes, i.e., why you collect personal data and process it
• How consumers may exercise their rights, including the process by which a consumer may appeal a controller's decision regarding the consumer's request and a description of methods for submitting requests.
• If applicable, the categories of personal data that the controller shares with third parties.
• If applicable, the categories of third parties with whom the controller shares personal data.

How to Create a Comprehensive Data Privacy Notice to Comply with All the US State Privacy Laws?

All US state data privacy laws mandate the provision of nearly identical information to all consumers in a clear and reasonably accessible privacy notice.

You should take into account the small differences between the laws in terms of consumer rights and address those in the policy. 

Alternatively, you can utilize the Secure Privacy feature to customize your privacy policy for each customer based on their location. That would be the hassle-free option.

Do I Need to Obtain Consent from Consumers for Data Processing?

You only need to obtain users’ consent for the processing of sensitive data, including children’s data, biometric data, precise geolocation data, or any data that reveals a person’s ethnic origin, religious beliefs, mental or physical health diagnosis, or citizenship or immigration status.

The consent must be:

• Freely given.
• Specific, meaning it's given only for a specific processing purpose.
• Informed, meaning that you must inform users about how you handle the data.
• Unambiguous, meaning that the user must take affirmative action to consent, such as clicking an 'ACCEPT' button.

For children’s data, you can also rely on the consent request methods described in the COPPA, which include verifiable methods for obtaining parental consent.

In all other cases, you don’t need consent. You're free to process personal data until the consumer opts out of the processing or requests deletion of their data.

What Are the TDPSA Data Sales Disclosure Requirements?

If you sell sensitive personal data, you must include the following statement within your privacy notice: "We may sell your sensitive personal data." If you are involved in the sale of biometric data, you must include the following statement in your notice: "We may sell your biometric personal data." Post these notices in the same location and manner as the privacy notice.

Do We Need to Respect Universal Opt-Out Mechanisms to Conform with the Texas Privacy Law?

The TDPSA requires businesses to respect universal opt-out mechanisms, such as Global Privacy Controls. This requirement is enforceable starting January 1, 2025.

What are TDPSA Personal Data Rights?

Consumer rights under the TDPSA align with those found in other states, with Texas leaning toward a more detailed approach. Texas consumers will have the following rights at their disposal:

• Right to confirm processing.
• Right to access.
• Right to correction.
• Right to deletion.
• Right to data portability.
• Right to opt out of: Targeted advertising. The sale of personal data. Profiling.

Although not explicitly labeled as consumer rights, individuals will also have the power to challenge decisions made by data controllers and will be entitled to non-discrimination.

What are TDPSA Personal Data Requests?

TDPSA requests are the tools with which consumers can hold businesses accountable in relation to their privacy practices.

Consumers have the ability to submit consumer rights requests to you at any time, and it is your responsibility to respond to them. Businesses will have 45 days to respond to verifiable consumer requests, and the complexity of the request may require an additional 45 days.

What is a Privacy Impact Assessment (PIA) under the TDPSA?

The Texas privacy legislation requires organizations to carry out Privacy Impact Assessments in some cases.

You must conduct and document data protection assessments for the following processing activities:

• Processing personal data for targeted advertising purposes.
• Sale of personal data.
• Processing personal data for profiling purposes.
• Processing sensitive data.
• Processing activities involving personal data that pose an elevated risk of harm to consumers.

You can cover all the activities with a single assessment.

Attorney General Enforcing the Texas Comprehensive Data Privacy Law

The Texas Attorney General enforces the TDPSA. The Texas Attorney General may initiate investigations regarding potential breaches of the TDPSA, as well as requesting and examining Data Protection Assessments to verify compliance with the legislation. Unlike California, Texas will not have a dedicated data protection agency. It's important to note that the TDPSA does not grant individuals a private right of action.

How Much Are the Fines Under the Texas Data Privacy and Security Act?

The TDPSA grants you a 30-day grace period to address any violations. Failure to take corrective action within this timeframe may result in the Attorney General imposing civil penalties of up to USD 7,500 for each violation. A violation of one consumer’s rights counts as one violation. Violation of 1,000 consumer’s rights counts as 1,000 violations, multiplied by up to USD 7,500. Fines can add up quickly.