July 4, 2023

Texas Data Privacy and Security Act (TDPSA)

Learn about the Texas Data Privacy and Security Act (TDPSA), its applicability to businesses, personal data definitions, duties of controllers and processors, data processing agreements, privacy notice requirements, consent for data processing, universal opt-out mechanisms, consumer rights, personal data requests, privacy impact assessments, enforcement by the Texas Attorney General, and potential fines under the TDPSA.

The state privacy law landscape in the United States is continually evolving. Texas has become the tenth state with a consumer data privacy law.

What is the Texas Data Privacy and Security Act (TDPSA)?

The Texas Data Privacy and Security Act (TDPSA) is Texas’ state law that protects consumer privacy by imposing certain obligations on businesses and granting consumers data privacy rights. It was signed on 18 June 2023, and the TDPSA comes into effect on 1 July 2024. However, the provisions on universal opt-out mechanisms come into effect six months later, on 1 January 2025.

Does the TDPSA Apply to Your Business?

Like all other US state privacy laws, the TDPSA sets a threshold for applicability, but its threshold differs somewhat. Instead of setting a monetary threshold, it primarily excludes small businesses.

The TDPSA applies to businesses that:

If you process personal data and target Texas consumers, a common practice for many US and global online businesses, you need to determine whether you qualify as a small business. This determination will establish whether this law applies to you.

The Small Business Administration uses various criteria across different industries to determine a business's size, so we cannot provide a straightforward answer here.

Is Anyone Exempt from the TDPSA?

The TDPSA does not apply to the following, even if they meet the applicability criteria:

  • State agencies or political subdivisions of the state of Texas.
  • Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA).
  • A covered entity and information under HIPAA.
  • Nonprofit organizations.
  • Higher education institutions.
  • Electric power companies or providers.

What Is Personal Data Under the TDPSA?

Under the TDPSA, personal data includes any information, including sensitive data, linked or reasonably linkable to an identified or identifiable individual. Unlike some other laws, it doesn’t explicitly list the categories of personal data. As long as a piece of information can identify someone, that information is personal data and falls under the scope of the law.

The TDPSA provisions further clarify that pseudonymous data, when used in conjunction with additional information, also qualifies as personal data because it can reasonably link the data to an identified or identifiable individual.

The law exempts some categories of personal information from its scope, such as:

  • De-identified data.
  • Data protected under HIPAA.
  • Health records.
  • Data collected and processed in relation to a criminal investigation.
  • Data in an employment context.

What is TDPSA Sensitive Personal Data?

The TDPSA differentiates between personal data and sensitive personal data, giving the latter a special regime. Sensitive data includes any of the following:

  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, or citizenship or immigration status.
  • Genetic or biometric data processed for the purpose of uniquely identifying an individual.
  • Personal data collected from a known child.
  • Precise geolocation data.

What Are TDPSA Controllers and Processors and What Are Their Duties?

Controllers are companies that make decisions on data collection, processing, use, storage, etc. Processors are companies that act on behalf of the controllers.

If you run an e-commerce store, you are the data controller. The third-party tools you use to process personal data, such as those used for email communication, targeted ads on social media, or tracking website usage, are your data processors.

If you run a SaaS business, you can be a controller when you use data for your own business, and act as a data processor for businesses that use your SaaS.

The duties of controllers include:

  • Processing personal data only for the purposes for which it has been collected.
  • Processing only the minimum amount of data necessary for fulfilling the processing purpose.
  • Obtaining explicit consent for processing sensitive data.
  • Providing consumers with privacy notices.
  • Responding to valid consumer requests.
  • Entering into contracts with each processor.
  • Conducting data protection impact assessments if necessary.
  • Ensuring data security.

Processors’ duties include:

  • Processing data on behalf of the controller only based on a written contract.
  • Assisting the controller in responding to data requests.
  • Helping the controller with data security and breach responses.
  • Providing the controller with necessary information needed for conducting data protection impact assessments.

What Is a Data Processing Agreement, and Why Do We Need It?

The Data Processing Agreement is the contract between the controller and the processor where the controller instructs the processor on the processing.

This contract governs the processor's data processing procedures concerning processing performed on behalf of the controller. The TDPSA explicitly prescribes that the contract must include:

  • Clear instructions for processing data.
  • The nature and purpose of processing.
  • The type of data subject to processing.
  • The duration of processing.
  • The rights and obligations of both parties.
  • A requirement that the processor must:
    - Keep data confidential.
    - Delete or return the data on the controller’s request.
    - Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor.
    - Hire only subcontractors that meet the requirements applicable to the processor.

What Is a TDPSA-Compliant Privacy Notice?

You owe your users information on how you handle personal data. You need to provide that information through your privacy notice, also widely known as a privacy policy.

The TDPSA, like many other laws, prescribes the essential elements that each privacy policy should contain. These include:

  • The categories of personal data processed by the controller, including, if applicable, any sensitive data.
  • The processing purposes.
  • How consumers may exercise their rights, including the process by which a consumer may appeal a controller's decision regarding the consumer's request and a description of methods for submitting requests.
  • If applicable, the categories of personal data that the controller shares with third parties.
  • If applicable, the categories of third parties with whom the controller shares personal data.

Do I Need to Obtain Consent from Consumers for Data Processing?

You only need to obtain users’ consent for the processing of sensitive data, including children’s data, biometric data, precise geolocation data, or any data that reveals a person’s ethnic origin, religious beliefs, mental or physical health diagnosis, or citizenship or immigration status.

The consent must be:

  • Freely given.
  • Specific, meaning it's given only for a specific processing purpose.
  • Informed, meaning that you must inform users about how you handle the data.
  • Unambiguous, meaning that the user must take affirmative action to consent, such as clicking an 'ACCEPT' button.

For children’s data, you can also rely on the consent request methods described in COPPA, which include verifiable methods for obtaining parental consent.

In all other cases, you don’t need consent. You're free to process personal data until the consumer opts out of the processing or requests deletion of their data.

What Are the TDPSA Data Sales Disclosure Requirements?

If you sell sensitive personal data, you must include the following statement within your privacy notice: "We may sell your sensitive personal data." If you are involved in the sale of biometric data, you must include the following statement in your notice: "We may sell your biometric personal data." These notices must be posted in the same location and in the same manner as the privacy notice.

Do We Need to Respect Universal Opt-Out Mechanisms?

The TDPSA requires businesses to respect universal opt-out mechanisms, such as the Global Privacy Control. This requirement is enforceable from January 1, 2025.

What are TDPSA Personal Data Rights?

Consumer rights under the TDPSA align with those found in other states, with Texas leaning toward a more detailed approach. Texas consumers will have the following rights at their disposal:

  • Right to confirm processing.
  • Right to access.
  • Right to correction.
  • Right to deletion.
  • Right to data portability.
  • Right to opt out of:
    - Targeted advertising.
    - The sale of personal data.
    - Profiling.

Although not explicitly labeled as consumer rights, individuals will also have the power to challenge decisions made by data controllers and will be entitled to non-discrimination.

What are TDPSA Personal Data Requests?

TDPSA requests are the tools with which consumers can hold businesses accountable in relation to their privacy practices.

Consumers can submit a request to you at any time, and you must respond to it. Businesses will be given a period of 45 days to respond to verifiable consumer requests, which may be extended by an additional 45 days if necessary due to the complexity of the request.

What is a Privacy Impact Assessment (PIA) under the TDPSA?

The TDPSA requires organizations to carry out Privacy Impact Assessments in some cases.

You must conduct and document data protection assessments for the following processing activities:

  • Processing personal data for targeted advertising purposes.
  • Sale of personal data.
  • Processing personal data for profiling purposes.
  • Processing sensitive data.
  • Processing activities involving personal data that pose an elevated risk of harm to consumers.

You can cover all the activities with a single assessment.

Who Enforces the TDPSA?

The Texas Attorney General will enforce the TDPSA once it becomes effective. They will have the power to initiate investigations regarding potential breaches of the TDPSA, as well as to request and examine Data Protection Assessments to verify compliance with the legislation. Unlike California, Texas will not have a dedicated data protection agency. It's important to note that the TDPSA does not grant individuals a private right of action.

How Much Are the TDPSA Fines?

If you violate the TDPSA, you will be given a 30-day grace period to remedy the violations. Failure to take corrective action within this timeframe may result in the Attorney General imposing civil penalties of up to $7,500 for each violation. A violation of one consumer’s rights counts as one violation. Violation of 1,000 consumers’ rights counts as 1,000 violations, multiplied by up to $7,500. Fines can add up quickly.
