In recent years, there has been a significant increase in state-level privacy legislation across the United States. The Texas Data Privacy and Security Act (TDPSA), effective from July 1, 2024, is part of an ongoing trend. It establishes comprehensive privacy standards that businesses must follow to ensure the protection of consumer information.

Who Does the Texas Data Privacy and Security Act (TDPSA) Apply To?

The TDPSA applies to businesses that conduct business in Texas or target residents of Texas, provided they meet certain thresholds. Specifically, it covers businesses that:

• Conducts business in this state or produces a product or service consumed by residents of this state.
• Processes or engages in the sale of personal data.
• Is not a small business as defined by the United States Small Business Administration.

Non-Applicability of TDPSA

• A state agency or a political subdivision of this state.
• A financial institution or data subject to Title V of the Gramm-Leach-Bliley Act.
• A covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, defined under the HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH Act).
• A nonprofit organization.
• An institution of higher education.
• An electric utility, a power generation company, or a retail electric provider defined under the Utilities Code.

Key Definitions

1. “Consumer” includes residents of Texas acting as individuals or households and does not include individuals acting in a commercial or employment context.
2. “Controller” means a person who, alone or jointly with others, determines the purpose and means of processing personal data.
3. “Processor” means a person who processes personal data on behalf of a controller.
4. “Personal data” means information that is linked or reasonably linkable to an identified or identifiable individual.
5. “Sensitive Data” includes:
   • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status.
   • Genetic or biometric data processed for unique identification
   • Personal data collected from a known child
   • Precise geolocation data
6. “Sale of personal data” means sharing, disclosing, or transferring personal data for monetary or other valuable consideration.
7. “Targeted advertising” refers to displaying advertisements based on personal data obtained from a consumer’s activities over time and across non-affiliated websites or online applications.
8. “Pseudonymous data” means any information that cannot be linked to a specific individual unless additional information is used, provided that the additional information is stored separately and secured with appropriate technical and organizational measures to prevent the personal data from being linked to an identified or identifiable individual.

What are the Requirements of the TDPSA?

Scope of “Personal Data” (Including Sensitive Data)

“Personal data” under the TDPSA refers to any information that can be linked to a specific individual. This includes names, addresses, identification numbers, and other identifying details. Additionally, sensitive data, such as racial or ethnic origin, religious beliefs, and health information, must be handled with stricter requirements.

Exemptions:
The Texas Data Privacy and Security Act (HB 4) exempts certain types of data and activities from its regulations. These exemptions include:

• Personal Data in Purely Personal or Household Activities: The Act does not apply to the processing of personal data by a person during a purely personal or household activity.
• Protected Health Information: The Act does not apply to protected health information regulated by the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.).
• Biometric Data for Public Health Activities: Biometric data collected or used only for public health activities and purposes as authorized by the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.) is exempt.
• Data Regulated by Specific Federal Laws: Data regulated by the Fair Credit Reporting Act (15 U.S.C. Section 1681 et seq.), the Driver’s Privacy Protection Act of 1994 (18 U.S.C. Section 2721 et seq.), the Family Educational Rights and Privacy Act of 1974 (20 U.S.C. Section 1232g), and the Farm Credit Act of 1971 (12 U.S.C. Section 2001 et seq.) are exempt.
• Data for Emergency Contact Purposes: Data processed or maintained as emergency contact information is exempt.
• Data for Benefit Administration: Data processed or maintained to administer benefits for another individual is exempt.
• Deidentified Data: Deidentified data is not considered personal data under the Act.
• Publicly Available Information: Information that is lawfully made available through government records or widely distributed media is exempt.
• Data for Political Organizations: Data processed or maintained by political organizations is exempt.
• Data for Trade Secrets: Trade secrets are exempt from the Act.

Permissible Purposes for Data Processing

Businesses must ensure that personal data is processed for legitimate and specified purposes. These purposes must be disclosed to consumers through a clear privacy notice. Processing data for other purposes without consumer consent is prohibited.

Consumer Rights Under the TDPSA

Consumers have several rights under the TDPSA, including:

• Right to Access: Consumers can request information about the personal data collected about them.
• Right to Correction: Consumers can request corrections to inaccurate personal data.
• Right to Deletion: Consumers can request the deletion of their personal data.
• Right to Portability: Consumers can obtain a copy of their personal data in a portable format.
• Right to Opt-out of Sale: Consumers can opt out of the sale of their personal data, targeted advertising and Profiling.

Data Security Obligations for Businesses

Businesses must implement reasonable data security measures to protect personal data from unauthorized access, destruction, use, modification, or disclosure. This includes technical and organizational measures such as encryption, access controls, and regular security assessments.

Obligations of Controllers and Processors

Controllers must:

1. Limit collection of personal data to what is adequate, relevant, and reasonably necessary.
2. Establish, implement, and maintain reasonable data security practices.
3. Not process personal data for purposes incompatible with the disclosed purposes.
4. Not process personal data on the basis of race, color, ethnicity, religion, or union membership without consent.
5. Provide an effective mechanism for consumers to revoke consent.
6. Conduct and document Data Protection Assessment.

Processors must:

1. Adhere to the instructions of a controller.
2. Assist the controller in meeting its obligations under the Act.
3. Enter into a contract with the controller governing data processing procedures.

What are the Compliance Challenges and Considerations?

Integration with Existing Practices

Integrating TDPSA requirements into existing business practices can be hard, especially for businesses already subject to other privacy regulations. Ensuring that everything is the same across different places requires careful planning and coordination to align different compliance programs.

Managing Opt-out Requests

Handling opt-out requests efficiently is crucial for compliance. They must set up strong processes to track and fulfill these requests within the specified time frame. This involves updating internal systems and ensuring third-party partners respect opt-out requests.

How Can Businesses Develop a TDPSA Compliance Program?

Data Mapping and Risk Assessment

The first step in developing a TDPSA compliance program is to conduct a comprehensive data mapping exercise. This involves identifying all personal data collected, processed, and stored by the business. Subsequently, a risk assessment should be carried out to evaluate the potential impact of data breaches or non-compliance.

Drafting a Compliant Privacy Notice

A clear and comprehensive privacy notice is essential for TDPSA compliance. The notice should inform consumers about the types of personal data collected, the purposes for which it is used, and their rights under the TDPSA. It should be easily accessible and written in simple, easy-to-understand language.

Establishing Data Subject Request (DSR) Procedures

Businesses must establish procedures to handle data subject requests efficiently. This includes setting up systems for receiving, tracking, and responding to requests for access, correction, deletion, and portability within the required 45-day period, with possible extensions if necessary.

Employee Training and Awareness Programs

Training employees on TDPSA requirements and data protection best practices is crucial for compliance. Conducting regular training sessions and awareness programs helps ensure that all staff members comprehend their roles and responsibilities in safeguarding personal data.

What are the Enforcement and Penalties Under the TDPSA?

Non-compliance with the TDPSA can result in heavy fines. The Texas Attorney General has the exclusive authority to enforce the TDPSA. Businesses that violate the law may face civil penalties of up to $7,500 per violation.

The TDPSA includes a 30-day cure period for businesses to address and resolve any alleged violations after receiving notification from the Attorney General.