
The Texas Data Privacy and Security Act (TDPSA): All the Basics

Written by Matt Davis, CIPM (IAPP) | October 4, 2023

In the absence of a federal privacy law, states have been enacting their own, creating a patchwork of compliance laws with their own nuances.  

On June 18, 2023, Texas Gov. Greg Abbott signed the Texas Data Privacy and Security Act (TDPSA) into law, bringing the Lone Star State into the fold of U.S. states with a comprehensive data privacy law aimed at protecting consumers.

While the Texas privacy law is similar to those that came before it, some of its provisions are unique. We’ll dive into the TDPSA, what it means for businesses and others that process the data of Texas consumers, and how to become compliant.

What Is the TDPSA? 

After California, which is first both in population and in adopting a state-level privacy law, Texas is the second-largest state to adopt a comprehensive data privacy law.

The Texas Data Privacy and Security Act regulates the collection, use, processing, and treatment of consumers’ personal data. Businesses subject to the law that violate its requirements face civil penalties.

The TDPSA draws on existing laws, with the Virginia Consumer Data Protection Act serving as its foundation. The statute was designed to protect the privacy and personal data rights of the state’s residents while holding businesses accountable for how they use the data of Texans.

Like other state privacy laws, the Texas privacy act gives residents a number of familiar rights, including the right to:  

  • Confirm whether a controller is processing personal data and access the personal data. 
  • Correct inaccuracies in their personal data. 
  • Delete personal data provided by or obtained about the consumer. 
  • Obtain a copy of their personal data, if available, in a portable and readily usable format. 
  • Opt out of processing personal data for targeted advertising, the sale of personal data, or its use for profiling.  

While the TDPSA takes effect July 1, 2024, businesses will have a slightly longer grace period to comply with the global opt-out technology provision, which takes effect Jan. 1, 2025. After this point, businesses will have to recognize universal opt-out signals, such as the Global Privacy Control. 

Scope: Who Must Comply With the TDPSA? 

One of the major deviations from similar data privacy laws is the TDPSA’s applicability. Instead of applying to businesses based on their annual revenue, how much data is processed, or how much revenue the company generates from the sale of such data, the law introduces a new set of guidelines.   

TDPSA applies to entities that meet the following criteria:  

  • Conduct business in Texas or generate products or services “consumed” by Texas residents. Consumed is a new word in this type of legislation, and it has not gone without notice, as it replaces the word “targeted” that most similar laws include.  
  • Process or engage in the sale of personal data. 
  • Are not a small business as defined by the U.S. Small Business Administration (SBA). The SBA’s definition varies by industry and is “usually stated in number of employees or average annual receipts,” as the SBA outlines.

The small business provision is the first of its kind and could mean that the law will impact many (or most) companies that do business in the state.  

Like other privacy laws, the Texas privacy act has exclusions, including state agencies or political subdivisions of the state; financial institutions or data subject to Title V of the Gramm-Leach-Bliley Act; or covered entities or business associates governed by the privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Nonprofit organizations, higher-education institutions, and electric utility companies are also exempt.   

Texas Data Privacy Law Requirements 

The TDPSA outlines duties for controllers related to collecting personal data, including limiting collection to what is adequate, relevant, and reasonably necessary, and requiring them to establish data security practices.  

Controllers cannot:  

  • Collect personal data for reasons not disclosed to the consumer without consent. 
  • Process data in violation of state and federal laws that prohibit unlawful discrimination or discriminate against a consumer for exercising their rights. 
  • Process sensitive data without consent or process sensitive data of a child unless it's in accordance with the Children’s Online Privacy Protection Act of 1998 (COPPA). 

The Texas privacy law also requires businesses to gain consent before processing sensitive personal data and provide notice if they sell sensitive or biometric data. 

Once a controller receives a data subject access request (DSAR), such as a request to exercise any of the rights listed previously, it must respond “without undue delay,” and no later than 45 days after receiving the request. A controller can extend the response period by a further 45 days when reasonably necessary, as long as it notifies the consumer within the initial 45-day response period.

The law also states that the information must be provided free of charge at least twice annually per consumer, unless the request is manifestly unfounded, excessive, or repetitive. The controller must establish a process for a consumer to appeal if the controller doesn’t take action within a reasonable period of time.

Other Unique Provisions in the Texas Privacy Law 

Though the TDPSA is still considered more business-friendly than privacy legislation in other states (namely, California, Virginia, and Connecticut), there are some other changes in the law’s language that are important to note. 

For example, the law requires additional disclosures from companies or entities that sell sensitive or biometric information, going as far as to prescribe the exact wording: “NOTICE: We may sell your sensitive (or biometric) personal data.” The notice must be posted in the same location and in the same manner as the privacy notice.

Businesses that sell personal data for targeted advertising also must make additional disclosures and provide a way for consumers to opt out of the sale of their data. 

Though the act more closely aligns with Virginia’s privacy act, the Texas law’s definition of “sale of personal data” is more similar to the California Privacy Rights Act than Virginia’s privacy law. The act defines it as “sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.”  

The definition of “controller” applies to all non-exempt entities that conduct business in the state and process or sell personal data. 

Additionally, the 30-day cure period (i.e., a grace period in which violators have the opportunity to “cure” a violation following notification) differs slightly from that in other laws. After the attorney general notifies a person in writing, no action will be brought against the violator if the violation has been cured. What differs is that the entity must also provide the attorney general with a written statement that it has:

  • Cured the violation.  
  • Notified the consumer their privacy violation was addressed (if their contact information was made available).  
  • Made changes to internal policies, if necessary, to ensure the violation won’t be repeated.  

Furthermore, the cure period does not sunset, as is the case with other laws—businesses subject to the TDPSA will enjoy a 30-day cure period in perpetuity.  

If an entity does not remediate the violation, the attorney general can issue a $7,500 penalty for each violation.  

Finally, there is no private right of action, which means private citizens cannot bring action against those who violate the law. 

Staying Compliant With the Texas Data Privacy and Security Act 

The TDPSA aligns in many areas with other state-level privacy laws. That said, when a new privacy law takes effect, it’s important for companies to re-evaluate their compliance mechanisms with legal counsel.   

And, with many new laws taking effect over the next 12 to 18 months, it may be time to consider a consent management platform (CMP) to help manage consent—no matter where your website visitors are from. 

Finally, staying in the know about new laws will also benefit you and your company in the long term. The Osano newsletter is a great resource for all things data privacy.

FAQs About the Texas Privacy Law 

When does the TDPSA take effect? 

The Texas privacy law takes effect July 1, 2024; however, businesses and other entities have until Jan. 1, 2025, to recognize universal opt-out mechanisms, such as the GPC.  

What is Global Privacy Control (GPC)?  

Global Privacy Control is an initiative aimed at creating a global web browser setting that enables users to control their privacy online, including whether they consent to the sale of their personal data.  
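The article notes (above, and in the section on effective dates) that businesses must recognize universal opt-out signals such as GPC from Jan. 1, 2025. What that looks like in practice is shown in the following added example, which is not part of the article and not Osano’s code. It assumes the two mechanisms defined by the GPC specification: a browser sends the `Sec-GPC: 1` request header, and exposes the preference to page scripts as `navigator.globalPrivacyControl`. The request and consent-record shapes, and the Express-style middleware signature, are assumptions made for illustration.

```javascript
// Added example (not from the article or from Osano): honouring a Global
// Privacy Control opt-out signal on the server and in the browser.
//
// Assumed from the GPC specification: the request header "Sec-GPC" whose
// opt-out value is exactly "1", and the browser property
// navigator.globalPrivacyControl. The consent record shape and the
// Express-style (req, res, next) middleware signature are invented here.

// Returns true when the request carries a valid GPC opt-out signal.
// Header lookup is case-insensitive because Node lowercases header names
// while other stacks may preserve the original casing.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      // Only the literal value "1" is an opt-out; "0", "true", or a
      // repeated header are treated as no signal rather than guessed at.
      const v = Array.isArray(value) ? value[0] : value;
      return String(v).trim() === '1';
    }
  }
  return false;
}

// Merges a stored consent record with the GPC signal. GPC is a universal
// opt-out: it can withdraw permission for the purposes it covers (sale of
// personal data and targeted advertising) but never grant permission, and it
// leaves unrelated purposes (e.g. analytics) untouched.
function applyGpc(storedConsent, headers) {
  const consent = {
    sellPersonalData: false,
    targetedAdvertising: false,
    ...(storedConsent || {}),
  };
  if (hasGpcSignal(headers)) {
    consent.sellPersonalData = false;
    consent.targetedAdvertising = false;
    consent.optOutSource = 'gpc'; // recorded so the opt-out is auditable
  }
  return consent;
}

// Express-style middleware (assumed signature): attaches the effective consent
// to the request so downstream handlers never load ad-tech or share data
// for a visitor who has signalled an opt-out.
function gpcMiddleware(req, res, next) {
  req.consent = applyGpc(req.consent, req.headers);
  next();
}

// Browser side: a site's own script can read the same preference and skip
// loading sale/targeting vendors before any request to them is made.
function gpcEnabledInBrowser(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

if (typeof module !== 'undefined') {
  module.exports = { hasGpcSignal, applyGpc, gpcMiddleware, gpcEnabledInBrowser };
}
```

The design choice worth noting is that the signal is applied as a one-way override: a GPC header can only turn the two covered purposes off, so a stale stored consent cannot silently re-enable sale or targeted advertising for a visitor whose browser is now sending the signal. Logging `optOutSource` gives you the record needed to show, if asked, that the signal was honoured.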

Who has to comply with the law?  

The law applies to those who conduct business in the state or produce a product or service consumed by residents of the state; process or engage in the sale of personal data; and are not a small business, as defined by the U.S. Small Business Administration.

How does the law address sensitive and biometric data?  

The law requires disclosures when a company plans to sell sensitive or biometric data. 

How does TDPSA address the personal data of children?  

If a business processes the sensitive data of a “known child” (an individual younger than 13), it must do so in accordance with the Children’s Online Privacy Protection Act of 1998. A “known child” is a child whose age the controller has actual knowledge of or willfully disregards. Personal data collected from a known child is also classified as sensitive data.

What is the fine for not complying with the law?  

If violators don’t cure the violation within the cure period and provide the attorney general with evidence of the cure, they can be fined $7,500 per violation.