Data Points: Privacy & Data Security Blog

In June, Texas became the tenth state with a comprehensive privacy law. The Texas Data Privacy and Security Act (“TDPSA”) contains familiar provisions from other state privacy laws regulating the collection, use, processing, and treatment of consumers’ personal data, but also has Texas-specific provisions. The TDPSA will be effective as of July 1, 2024, allowing a one-year compliance period.

Businesses Covered

The TDPSA applies to individuals and entities that (1) conduct business in Texas or produce a product or service consumed by Texas residents; (2) process or engage in the sale of personal data; and (3) are not a small business as defined by the US Small Business Administration. However, even small businesses are prohibited from selling sensitive personal data absent consumer consent. 

Notably, the TDPSA’s applicability threshold distinguishes it from other state privacy laws. Specifically, it applies more broadly because it does not have a revenue or data processing minimum. 

Information Covered

The TDPSA defines “personal data” broadly to include any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. The term includes

“pseudonymous data” when the data is used in conjunction with additional information that reasonably links the data to an identified or identifiable individual. The term does not include deidentified data or publicly available information.  The term also excludes information when the individual is acting in a commercial or employment context. 

“Sensitive data” requires additional protections and consent from consumers before being processed, and includes personal data, racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, citizenship or immigration status; genetic or biometric data; personal data collected from a known child; and precise geolocation data.

Consumers’ Rights

Mirroring other state privacy laws, the TDPSA’s consumer rights include:

• the right to confirm whether a controller is processing personal data;
• the right to access personal data;
• the right to correct inaccuracies;
• the right to delete personal data;
• the right to obtain a portable copy of personal data; and
• the right to opt out of the processing of data for purposes of targeted advertising, sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.

Businesses’ Obligations

Similar to other state privacy laws, the TDPSA classifies two primary categories of businesses: controllers and processors. 

Controllers are those who determines the purpose and means of processing personal data.  Controllers are subject to the following obligations:

• Data minimization: limiting data collection to what is adequate, relevant, and reasonably necessary. Consent is required to process data that is not reasonably necessary or compatible with the disclosed purposes;
• Non-discrimination: prohibiting discrimination against a consumer for exercising rights under the Act, including by denying goods or services, imposing different pricing, or delivering different standard of quality;
• Privacy notice: providing a privacy notice that includes (1) the categories of personal data processed by the controller (including any sensitive data), (2) the purposes for the processing, (3) how consumers may exercise their individual rights under the Act, including the right of appeal, (4) any categories of personal data that the controller shares with third parties and the categories of those third parties, and (5) a description of the methods available to consumers to exercise their rights; and
• Targeted Advertising: clearly and conspicuously disclosing a consumer’s right to opt out if the controller sells personal data for targeted advertising. Controllers must respond to universal opt-out signals, similar to the California, Colorado, Connecticut, and Montana laws.

Processors are entities that carry out operations on personal data (including collection, use, storage, disclosure, analysis, deletion, or modification) on behalf of a controller. They must adhere to the instructions of a controller, and assist the controller in complying with the controller’s duties.

Enforcement and Penalties

The TDPSA specifically excludes a private right of action. Enforcement is vested in the Texas Attorney General, who may seek civil penalties up to $7,500 per violation. There is a 30-day cure period, which requires the business to notify the consumer that privacy violations occurred and provide documentation to show how the violation was cured.

The enactment of the TDPSA reflects the growing trend of state comprehensive privacy laws. Texas is now the fifth state in 2023 to pass such a law, joining Iowa, Indiana, Montana, and Tennessee. Although the state comprehensive privacy laws are largely consistent with each other, the disparate standards and requirements may motivate Congress to pass federal privacy legislation that would preempt state law and ease compliance issues. Congress already has been holding hearings this year on the issue.