Texas Data Privacy and Security Act
The Texas Data Privacy and Security Act (TDPSA) was signed on June 18, 2023. The TDPSA will come into effect on July 1, 2024.
While the TDPSA comes into force on July 1, 2024, its global opt-out technology provisions take effect on January 1, 2025. From that date, businesses will have to recognize universal opt-out signals, such as the Global Privacy Control.
Texas becomes the 11th state to pass a comprehensive consumer data privacy law, joining California, Virginia, Colorado, Connecticut, Utah, Tennessee, Iowa, Indiana, Montana, and Florida. The TDPSA is a business-friendly privacy law, like the state privacy laws in Utah, Virginia, and Iowa. Businesses that comply with these privacy laws should be well-positioned to comply with the TDPSA as well.
Read an overview of the TDPSA, what it means for businesses and other data processors of Texas consumers, and how to comply with it.
What Is the Texas Data Privacy and Security Act?
The Texas Data Privacy and Security Act (TDPSA) is a law that regulates the collection, storage, processing, and selling or sharing of personal data of Texas residents. The TDPSA also establishes clear guidelines for the collection, storage, and use of personal information by businesses operating within the state. Businesses that violate its regulations are subject to civil penalties.
Like other US state laws, the TDPSA uses an opt-out consent model, meaning that personal data can be collected, processed, used, or sold to third parties without asking for consumers’ consent, except in the case of a child. However, consumers who do not want their data processed for these purposes have the right to object and must be given the option to opt out of the sale of their data or its use for targeted advertising.
The Texas Privacy Act gives residents the following rights:
- Right to access. The consumer has the right to confirm whether a controller is processing their personal data and to access the personal data collected about them.
- Right to correction. The consumer has the right to request correction of inaccuracies in their data, taking into account the nature of the data and the purpose of processing.
- Right to deletion. The consumer has the right to request deletion of the personal data provided by or obtained about them.
- Right to portability. The consumer has the right to obtain a portable copy of their data, where the data is available in a portable and readily usable format.
- Right to opt-out. The consumer has the right to opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling.
- Right to exercise. The consumer has the right to exercise the guaranteed rights by submitting a request to the businesses.
- Right to non-discrimination. The consumer cannot be discriminated against for exercising their rights under this law. Businesses cannot deny goods or services, charge different prices, or compromise the quality of products. However, if goods or services require the processing of data that the consumer has chosen to opt out of, those goods or services may be refused.
- Right to appeal. The consumer has the right to appeal a controller's refusal to take action on requests to exercise their rights. The appeal procedure is similar to initiating an action under the act. Businesses should respond within 60 days to an appeal.
Who Must Comply With the TDPSA?
The TDPSA applies to entities that meet the following criteria:
- Conduct business in Texas or provide products or services that are consumed by Texas residents. Here the law introduces the word “consumed” in place of the word “targeted” used by other similar laws; “consumed” is the broader of the two.
- Process or engage in the sale of personal data.
- Are not a small business as defined by the United States Small Business Administration (SBA). The SBA’s definition of a small business varies by industry and is usually based on the number of employees or average annual receipts.
In contrast to most other state data privacy laws, the TDPSA does not expressly provide any data processing or revenue thresholds for applicability purposes. This means that the law will potentially impact many or even most companies that do business in Texas.
The TDPSA applies to consumers. A consumer is a Texas resident acting in an individual or household context, not in a business or employment context.
Like other privacy laws, the Texas Privacy Act has certain exclusions and exemptions including:
- State agencies or political subdivisions of the state.
- Financial institutions and data subject to Title V of the Gramm-Leach-Bliley Act.
- Covered entities or business associates governed by the privacy, security, and breach notification rules issued under HIPAA.
- Nonprofit organizations.
- Higher-education institutions.
- Electric utility and power generation companies.
The TDPSA also expressly excludes the collection or processing of personal data from individuals acting in an employment or commercial context (e.g., business-to-business activities), or the processing of personal data by a person "in the course of a purely personal or household activity."
Controller Obligations under the TDPSA
The TDPSA, like certain other state data privacy laws, distinguishes roles and obligations between controllers and processors. The TDPSA defines a data controller as an individual or other person who, alone or jointly with others, determines the purpose and means of processing personal data, and a data processor as an individual who processes personal data on behalf of a controller.
Data controllers have the following responsibilities under the TDPSA:
- Data minimization. Controllers must limit the collection of personal data to what is "adequate, relevant, and reasonably necessary" to achieve the purposes of data collection as disclosed to the consumer.
- Purpose limitation. In addition to data minimization, entities must ensure that the processing of personal data is also restricted to the purpose disclosed to consumers. If you need to process additional personal data, you must first get consent from consumers.
- Data security. Entities must implement reasonable security measures to protect the confidentiality of the personal data. This includes technical, administrative, and physical data security practices. The data security requirement also applies to third parties used by the controller for data processing and must be included in contracts between controllers and third-party processors.
- Non-discrimination. Controllers must not discriminate against consumers who exercise their consumer rights. Businesses may not deny or vary the quality of goods or services or set a different price for such consumers.
- Privacy notice and Privacy Policy. Controllers must provide consumers with a reasonably accessible and clear privacy notice containing information about the categories of personal data processed by the controller, including the processing of any sensitive data; the purpose for processing personal data; the categories of personal data the controller shares with third parties, if any; and the third parties with whom the controller shares personal data, if any. The privacy notice must also describe how consumers may exercise their rights, including their right to appeal.
Businesses must also have a reasonably accessible and clear Privacy Policy so that consumers can see information about the controller’s data processing activities and the methods by which they may exercise their rights at any time.
- Opt-in cookie consent. Opt-in Cookie Consent is needed for the sale of personal data, targeted advertising, and profiling; for sensitive data; and for processing children’s data.
- Contract with data processors. Data processing activities performed by a processor on behalf of a controller must be governed by a contract. Processors must comply with the instructions of the data controller, as the TDPSA requires.
- Data Protection Assessment. Controllers must conduct a Data Protection Assessment (DPA) for the processing of sensitive data, the processing of personal data for targeted advertising and profiling, the sale of personal data, and any processing involving a heightened risk of harm. Data Protection Assessments are confidential and exempt from public disclosure.
- Breach report. Controllers must report breaches of security systems affecting more than 250 Texas residents to the Texas Attorney General within 30 days of discovery.
User Consent under TDPSA
The TDPSA requires opt-in user consent in the following scenarios:
- Opt-in Cookie Consent for sales, targeted advertising, and profiling. Controllers that sell personal data to third parties or process data for purposes of targeted advertising or perform consumer profiling must clearly and conspicuously disclose consumers' right to opt-out and get user consent to sell or process personal data.
- Opt-in Cookie Consent for sensitive data. Controllers can’t process sensitive personal data without explicit user consent. If controllers process children’s sensitive personal data, they must also comply with the Children’s Online Privacy Protection Act (COPPA) of 1998.
- Opt-in Cookie Consent for processing children’s data. Under the act, a child is a minor under the age of 13.
Businesses can process consumers’ data without their consent if the purpose of processing is the same as the purpose disclosed to them. If the purpose differs from the one disclosed, consent is necessary.
If a controller sells or shares sensitive personal data with third parties, the TDPSA requires the controller to post the following notice: "NOTICE: We may sell your sensitive personal data." Similarly, if a controller sells or shares biometric personal data with third parties, it must post the following notice: "NOTICE: We may sell your biometric personal data." These notices must be posted in the same location and in the same manner as the main cookie notice.
Use CookieScript Consent Management Platform, which provides a Privacy Policy Generator and helps to create a cookie notice and Privacy Policy, get cookie consent, and comply with all major privacy laws, including the TDPSA.
In order to be valid under the Act, the consent must satisfy the following criteria:
- The consumer was informed of the collection, storage, and processing of personal data.
- The consent was freely given.
- The consent was given unambiguously and specifically.
A consent is not valid if:
- The consumer gave general consent rather than specific consent to the handling or processing of personal data.
- A consumer just scrolled, hovered over, muted, or closed a cookie notice banner without selecting their consent choice.
- The consent was obtained through dark patterns.
The Act also creates a global opt-out technology mechanism through which consumers can opt out of the processing of their personal data. However, this provision takes effect on January 1, 2025.
Sensitive data
The TDPSA prohibits businesses from collecting and processing sensitive personal data without obtaining explicit user consent. The TDPSA defines sensitive personal data as data that reveals or includes:
- Racial or ethnic origin.
- Religious beliefs.
- Mental or physical health history.
- Sexual orientation.
- Citizenship and immigration status.
- Genetic and biometric data that is processed to uniquely identify an individual.
- Precise geolocation data (location within a radius of 1,750 feet).
- Personal data collected from a known child (under the age of 13).
Biometric data
The TDPSA defines biometric data as data generated by automatic measurements of an individual's biological characteristics, such as fingerprint, voiceprint, eye retina or iris, or other unique biological patterns or characteristics.
The term expressly excludes physical and digital photographs, video or audio recordings, and any data generated therefrom.
Enforcement of the TDPSA
The Texas Attorney General is the designated enforcement authority under the Texas Data Privacy and Security Act.
Penalties for Violations under the TDPSA
Three sanctions are possible for a violation of the provisions of this act:
- A fine of up to $7500 for each violation.
- An injunction restraining the violation.
- Both a penalty and an injunction.
Note that the fine depends on the number of violations: the more consumers affected, the higher the penalty.
In the case of a violation, the enforcing authority will issue a notice to the violator describing the specifics of the violation. Upon receipt of such a notice, a business can avoid legal action if the problem is resolved within 30 days and a statement is provided to the Attorney General confirming that:
- The violation was cured. This statement should be accompanied by supportive documents showing how it was cured.
- Consumers were notified of the occurrence of the issue, where the business had their contact details.
- Changes have been made to internal policies to prevent further violations.
Consumers have no private right of action. Only the Attorney General can initiate an action against violators of the Act.
How to Comply with the TDPSA?
To comply with the TDPSA, businesses should:
- Conduct a Data Protection Assessment of their data handling practices to identify areas of potential risk.
- Implement data security measures, such as encryption and access controls, to protect personal information from unauthorized access.
- Develop and implement policies and procedures for responding to data breaches, including timely notification of affected individuals and regulatory authorities.
- Provide clear and transparent disclosures to consumers regarding the collection, use, and sharing of their personal information.
- Regularly review and update their data privacy policies and procedures to ensure compliance with evolving regulations and best practices.
The easiest way to notify consumers and get their consent is through a Consent Management Platform (CMP). CookieScript CMP is a comprehensive solution that allows you to easily display a Cookie Banner on your website, allows banner customization, provides a Privacy Policy Generator, records all user consents for proof of compliance, and much more.
CookieScript CMP also offers geo-targeting functionality that allows different privacy notices to be delivered to consumers based on their geographic location (state).
Frequently Asked Questions
Does Texas have a privacy law?
Yes. Texas has the Texas Data Privacy and Security Act (TDPSA), which comes into effect on July 1, 2024. It regulates the collection, use, and processing of consumers’ personal data. Use CookieScript CMP to comply with the TDPSA.
Who has to comply with the Texas Data Privacy and Security Act?
The law applies to entities that conduct business in Texas or provide products or services that are consumed by Texas residents, process or engage in the sale of personal data, and are not a small business as defined by the United States Small Business Administration (SBA). Use CookieScript to comply with the TDPSA and other privacy laws.
When does the TDPSA take effect?
The Texas Data Privacy and Security Act (TDPSA) comes into effect on July 1, 2024. In addition, the global opt-out technology provisions, which cover signals such as the Global Privacy Control, take effect on January 1, 2025. Use CookieScript to comply with the TDPSA and other privacy laws.
What is Global Privacy Control (GPC)?
Global Privacy Control is a browser setting that notifies website owners of users' privacy preferences regarding selling or sharing their personal information. The main purpose of the GPC is to inform websites not to sell or share user personal data. Use CookieScript CMP to activate the GPC signal.
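How a website can recognize the GPC signal described above (and the universal opt-out signals the TDPSA requires businesses to honor from January 1, 2025), as an added example that is not part of the original page and not CookieScript's code. It assumes the two forms the signal takes in practice, both defined by the GPC specification: the `Sec-GPC: 1` request header sent by a browser with GPC enabled, and the `navigator.globalPrivacyControl` property exposed to page scripts. The consent-record shape (`sale`, `targetedAdvertising`, `profiling`, `necessary`) and the sample inputs are constructed for the example.

```javascript
// Added example (not from the page or from CookieScript): detecting a Global
// Privacy Control opt-out and applying it to a visitor's stored consent choices.
// Assumptions: the "Sec-GPC" header and the navigator.globalPrivacyControl
// property are the signal carriers defined by the GPC specification; the
// consent record layout below is invented for this example.

// Server side: a browser with GPC enabled sends "Sec-GPC: 1" on each request.
// HTTP header names are case-insensitive, so compare them in lower case.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') {
      // The specification defines only the value "1" as an opt-out; treat
      // anything else (including "0" or an empty value) as "no signal".
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Client side: the same preference is exposed to page scripts as a boolean,
// which is where a consent banner script would read it.
function gpcFromNavigator(nav) {
  return nav !== undefined && nav !== null && nav.globalPrivacyControl === true;
}

// Combine the signal with the visitor's stored choices. A GPC opt-out overrides
// any earlier "allow" for the three purposes the TDPSA lets consumers opt out
// of (sale, targeted advertising, profiling). It never grants anything, and it
// leaves strictly necessary processing untouched.
function effectiveConsent(storedConsent, gpcSignal) {
  const result = { ...storedConsent };
  if (gpcSignal) {
    result.sale = false;
    result.targetedAdvertising = false;
    result.profiling = false;
  }
  return result;
}

// Constructed sample inputs (not captured traffic): a request carrying the
// header, a navigator object with the property set, and a stored consent record
// in which the visitor previously allowed sale and targeted advertising.
const sampleRequestHeaders = { 'user-agent': 'ExampleBrowser/1.0', 'Sec-GPC': '1' };
const sampleNavigator = { globalPrivacyControl: true };
const sampleStoredConsent = {
  necessary: true,
  sale: true,
  targetedAdvertising: true,
  profiling: false,
};

// Honor the signal if it arrives by either route; returns the consent that
// should actually govern processing for this visit.
function demo() {
  const signal = gpcFromHeaders(sampleRequestHeaders) || gpcFromNavigator(sampleNavigator);
  return effectiveConsent(sampleStoredConsent, signal);
}

console.log(demo());
```

Two design points matter for compliance: the signal is checked on every request rather than once, because a visitor can switch GPC on after consenting, and the signal only ever narrows what the stored record allows, so a page that is later loaded without the signal does not silently restore the opted-out purposes.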
What is the fine for not complying with the TDPSA?
In the event of a violation of the provisions of this act, a fine of up to $7500 for each violation may be imposed. The fine depends on the number of violations: the more consumers affected, the higher the penalty. However, businesses can avoid legal action if the problem is resolved within 30 days and evidence of the cure is given to the Attorney General. Use CookieScript CMP to comply with the TDPSA and avoid penalties.
What is the threshold for the Texas Data Privacy and Security Act?
There is no threshold limit for the applicability of the TDPSA. The law applies to entities that conduct business in Texas or provide products or services that are consumed by Texas residents, process or engage in the sale of personal data, and are not a small business as defined by the United States Small Business Administration (SBA).