Q. What is the TDPSA?
The Texas Data Privacy and Security Act (TDPSA), Chapter 541 of the Texas Business and Commerce Code, is a data privacy consumer protection law signed into law by Governor Greg Abbott in June 2023, making Texas the tenth state to enact comprehensive data privacy legislation.
Q. When does the TDPSA go into effect?
July 1, 2024, with a short grace period until January 1, 2025 to comply with the global opt-out technology provision.
Q. What is the purpose of TDPSA?
The law is intended to protect the privacy rights and personal data of Texas consumers and to hold businesses accountable for how they use such personal data.
Q. Who are Consumers protected under the TDPSA?
“Consumer” means an individual who is a Texas resident acting in an individual or household context. It does not include individuals acting in a commercial or employment context.
Q. What rights do Texas Consumers have under the TDPSA?
Consumers are entitled to exercise the following consumer rights:
- to confirm whether a controller is processing the consumer’s personal data;
- to access the consumer’s personal data that is being processed;
- to correct any inaccuracies in the consumer’s personal data;
- to delete personal data provided by or obtained about the consumer;
- to obtain a copy – in portable and readily usable format – of the consumer’s personal data;
- to opt out of the processing of personal data for (a) targeted advertising, (b) the sale of personal data, or (c) profiling.
Q. What is Personal Data protected under the TDPSA?
“Personal Data” means any information, including Sensitive Data, which is linked or reasonably linkable to an identified or identifiable individual.
- it includes pseudonymous data when used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual;
- it does not include deidentified data or publicly available information;
Q. What is Sensitive Data?
“Sensitive Data” includes:
- personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status;
- genetic or biometric data processed for the purpose of uniquely identifying an individual;
- personal data collected from a known child (meaning younger than 13);
- precise geolocation data.
Q. Who must comply with the TDPSA?
The TDPSA applies to a person that:
- conducts business in Texas or produces a product or service consumed by Texas residents;
- processes or engages in the sale of Personal Data; and
- is not a small business as defined by the U.S. Small Business Administration
- Note: In general a small business is considered to be one which has fewer than 500 employees, subject to average annual receipts and affiliates.
- Note that a small business is subject to TDPSA’s prohibition against sale of sensitive data without consumer’s prior consent.
Q. Is a Waiver or Limitation of Consumer Rights under the TDPSA enforceable?
No. Any provision of a contract or agreement that waives or limits in any way a consumer’s rights under the TDPSA is contrary to public policy and is void and unenforceable.
Q. When and how do Texas Consumers exercise Consumer Rights under the TDPSA?
A consumer may exercise consumer rights at any time by submitting a request to a controller specifying the rights being exercised. A parent or guardian may exercise consumer rights on behalf of a child.
Q. Are there any types of businesses excluded from compliance with the TDPSA?
Yes. The TDPSA does not apply to the following types of businesses or organizations:
- state agencies or political subdivisions;
- financial institutions and data subjects covered by Title V, Gramm-Leach-Bliley Act;
- entities covered by the Health Insurance Portability and Accountability Act of 1996 and Health Information Technology for Economic and Clinical Health Act;
- non-profit organizations;
- institutions of higher education;
- electric utilities, power generation companies, and retail electric providers.
Q. What types of information is exempt from the TDPSA?
Certain types of information covered or regulated by other laws or regulations are exempt from the TDPSA, such as:
- health information and health records protected under HIPAA or other laws;
- identifiable personal data collected, used, or shared for research conducted pursuant to applicable laws;
- personal information regarding creditworthiness collected, maintained, disclosed, sold, or communicated in accordance with FCRA;
- personal data collected, processed, sold or disclosed in compliance with Driver’s Privacy Protection Act;
- personal data regulated by FERPA;
- personal data collected, processed, sold or disclosed in compliance with Farm Credit Act;
- personal data processed or maintained for employment purposes;
- emergency contact information processed or maintained;
- data processed or maintained for administering benefits;
- personal data processed in the course of a purely personal or household activity.
Q. Who is a Controller?
A “Controller” is an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data.
Q. Who is a Processor?
A “Processor” is a person that processes personal data on behalf of a controller.
Q. What does it mean to Process Personal Data?
“Process” or “processing” means an operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion or modification of personal data.
Q. What do I have to do if I am a Controller who has received a consumer request to exercise Consumer Rights?
A controller must comply with a consumer request to exercise Consumer Rights unless an exemption applies.
- response required no later than the 45th day after receipt of the request;
- response period may be extended one time by additional 45 days if consumer notified of the extension and the reason for the extension within the initial 45-day response period;
- controller shall respond to a consumer request free of charge at least twice annually; a reasonable fee to cover administrative costs may be charged or controller may decline to act if the controller demonstrates that a consumer request is “manifestly unfounded, excessive or repetitive”;
- controller is not required to comply with a consumer request if the controller is unable to authenticate the request using commercially reasonable efforts; controller may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer’s request;
- if the controller has obtained personal data about a consumer from a third party source, the controller will be considered in compliance with a consumer’s request to delete by(a) retaining a record of the deletion request and minimum data necessary to ensure the consumer’s personal data remains deleted and not using the retained data for any other purpose, or (b) opting the consumer out of processing that personal data for any purpose other than an exempt purpose under the TDPSA.
Q. What other duties or obligations does a Controller have under the TDPSA?
Other duties or obligations imposed upon controllers include, but are not limited to:
- to disclose to the consumer the purposes for which personal data is processed;
- to limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the disclosed purposes;
- to establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of personal data collected;
- to provide consumers with a reasonably accessible and clear privacy notice that complies with the TDPSA;
- to provide consumers with a compliant notice if a Controller engages in the sale of sensitive data or biometric data;
- to establish two or more secure and reliable methods to enable consumers to submit a request to exercise their Consumer Rights;
- to establish a process for a consumer to appeal a Controller’s refusal to take action on consumer’s request within a reasonable time after the consumer’s receipt of the decision;
- to clearly and conspicuously disclose to consumers if a Controller sells personal data to third parties or processes personal data for targeted advertising and the manner in which a consumer may exercise the right to opt out;
- to make reasonable efforts to ensure that deidentified data in the controller’s possession cannot be associated with an individual; publicly commit to maintaining and using deidentified data without attempting to reidentify the data; and contractually obligating any recipient to comply as well.
Q. What other prohibitions are imposed on Controllers under the TDPSA?
Controllers may not:
- process personal data for undisclosed purposes without consumer consent;
- process personal data in violation of anti-discrimination laws;
- discriminate against a consumer for exercising consumer rights;
- process sensitive data without obtaining consumer consent or in accordance with COPPA with respect to a known child.
Q. Is a Controller Required to Conduct a Data Protection Assessment (DPA) under the TDPSA?
Yes, a controller shall conduct and document a DPA of each of the following processing activities involving personal data:
- processing personal data for purposes of targeted advertising;
- the sale of personal data;
- processing personal data for purpose of profiling;
- processing sensitive data;
- processing personal data that presents a heightened risk of harm to consumers.
Q. How is the TDPSA enforced?
The Texas Attorney General has exclusive authority to enforce the TDPSA. There is no private right of action for a violation of the TDPSA.
- the AG may issue a civil investigative demand;
- the AG may request disclosure of any DPA relevant to the civil investigative demand;
- the AG must provide written notice, not later than the 30th day before bringing an enforcement action, identifying the specific provisions of the TDPSA alleged to have been violated;
- no action may be brought if, within the 30-day notice period, the person cures the alleged violations and provides the AG with a written cure statement compliant with the TDPSA.
Q. What is the Penalty for Uncured Violation or Breach of Written Cure Statement?
Civil penalty not to exceed $7,500 per violation. In addition to seeking recovery of a civil penalty, the AG may seek injunctive relief and reasonable attorney’s fees and other reasonable expenses incurred in investigating and bringing the enforcement action.
Q. What can my business do to prepare for the TDPSA?
Many businesses currently subject to the more stringent California data privacy and protection laws will find they already meet many, if not all, of the requirements of the TDPSA. Preparing your business for TDPSA compliance is a substantial undertaking and includes the following:
- determine whether your business must comply with the TDPSA;
- perform a compliance gap assessment with respect to existing data collection and privacy policies and procedures;
- evaluate contracts and agreements among controllers, processors, and third parties to ascertain and address existing gaps in compliance with the TDPSA;
- evaluate insurance to determine whether you are covered for costs, expenses, and legal fees associated with responding to a notice of violation, curing a breach of alleged violation, responding to a civil investigative demand or enforcement action, including any penalties assessed;
- evaluate and update or establish the necessary policies and procedures for processing personal data, including sensitive data and biometric data in compliance with the TDPSA;
- review and update Privacy Notices;
- “NOTICE: We may sell your sensitive personal data” is required to be posted if a controller sells sensitive data.
- “NOTICE: We may sell your biometric personal data” is required to be posted if a controller sells biometric data.
- conspicuously disclose that a controller sells personal data to third parties or processes personal data for targeted advertising (if applicable).
- obtain Consumer consent before processing sensitive data, and comply with COPPA with respect to sensitive data of a known child;
- establish the methods to receive, authenticate, and timely respond to requests to exercise Consumer Rights and to handle complaints/appeals;
- establish the method of compliance with consumer “opt out” requests via authorized agent technology (effective January 1, 2025);
- conduct and document a DPA at the appropriate point in time.