The Texas Data Privacy and Security Act: What Businesses Can Expect

On June 18th, 2023, Governor Abbott passed the Texas Data Privacy and Security Act (TDPSA). Texas joins the ranks of other states like Montana, Tennessee, Indiana, Iowa, and many more regarding implementing Data Protection Laws. The TDPSA will come into effect from July 1st, 2024. It gives businesses time to prepare for the changes that will come with implementing this Act. 

Although the TDPSA shares some similarities to the Virginia Consumer Data Protection Act (VCDPA) and California’s Consumer Privacy Act (CCPA), its updates and provisions are specific to Texas and have some distinctions. The Act is intended to regulate the collection, processing, treatment and use of Texas consumers’ personal data by different businesses.

Who Does The TDPSA Cover?

The Act applies to any individual or entity that:

• Conducts Business Operations in Texas and develops products and services that people in Texas use.
• Processes or engages in selling personal data (‘sale’ means disclosing personal data to third parties for monetary gains or other valuable considerations.)
• It is not a small business as defined by U.S. Small Business Administration – unless the small firm actively participates in distributing and transacting sensitive business data. 

What Are Businesses Obligated To Do Under The Law?

Under the TDPSA, businesses are divided into two main categories: controllers and processors. 

“Controllers” mean any individual or another person that, alone or jointly with others, determines the purpose and means of processing personal data. 

“Personal data” refers to any information, including sensitive data, linked or reasonably linkable to an identified or identifiable individual. 

“Processors,” on the other hand, carry out operations on personal data. They must comply with the controller’s instructions regarding personal data and support the controllers in complying with the requirements of the law. TDPSA also states that there needs to be a contractual agreement between the controller and processor. 

Under the Act, the processors must aid the controllers in meeting all their obligations. It includes responding to customer requests and conducting data protection assessments. Controllers are expected to provide a Privacy Notice or a policy that states what kind of data is collected, the purpose of processing that data, the consumer’s rights, and how to implement those rights. 

Controllers who sell personal data for targeted advertising or other sensitive data must provide additional disclosures. Controllers are also obligated to conduct “data protection assessments.” These assessments are mandatory for controllers that are engaged in the following:

1. Selling personal data.
2. Processing personal data for targeted advertising.
3. Processing sensitive data.
4. Profiling data. (Profiling means any form of automated processing performed on personal data to evaluate, analyze and predict personal aspects related to a person’s economic situation, health, personal preferences, behavior, location, or movements)
5. Engaging in processing activity that could cause harm or pose a risk to customers.

What Is ‘Sensitive Data’ Under The TDPSA?

Controllers need consent before beginning to process the consumer’s sensitive data. Sensitive data includes data on ethnic origin, religious beliefs, sexuality, mental health diagnosis, citizenship or immigration status, genetic or biometric data processed to identify an individual, personal information collected from a known child, and geo-location information.

Suppose you’re collecting information from a known child (considered to be under thirteen). In that case, you are also obliged to comply with the Children’s Online Privacy Protection Act (COPPA). Another thing to note is that while small businesses are exempted from the TDPSA, they still have to obtain prior consent before selling sensitive data.

What Are The Consumer Rights Under TDPSA?

The TDPSA provides various consumer rights like other data protection and legislation laws. The Rights of Consumers are as follows:

• Consumers can confirm whether a controller possesses their personal data and gain access to that data. 
• Consumers have the right to correct any inaccuracies found in their personal data. 
• Consumers have the right to request their personal data be deleted. 
• Consumers have the right to obtain a portable copy of their personal data. 
• Customers have the right to know what personal data is being collected on them.
• Consumers can opt out of processing their personal data because of targeted advertising, selling their personal data, or profiling. 

What Are The Penalties For Not Complying With This Law?

There is no private right of action under this Act. The Texas Authority General is tasked with enforcing the law with civil penalties of up to $7500 for every violation. The Attorney General will set up an online portal where consumers can submit their complaints. All of this is to take effect on July 1st, 2024. Before passing an action for infringement, the Attorney General will notify the offender and give them 30 days to fix and cure the alleged violations. 

""

About The Author

Urfa Sarmad

Urfa is a business management graduate who delved into the world of tech, data privacy and cybersecurity and has been writing tech and privacy related content ever since. In her free time.