
Background brief: Texas Data Privacy and Security Act

Texas has followed California’s lead and adopted the Texas Data Privacy and Security Act (TDPSA), a set of consumer privacy laws similar to the California Consumer Privacy Act (CCPA) giving consumers greater protections for their personal data and more control over how organizations may collect and process that data.

TDPSA was signed into law on June 18, 2023, and most of its provisions are effective from July 1, 2024.

Texas Data Privacy and Security Act: Key Dates

  • March 8, 2019 – responding to growing demand among Texans for stronger consumer privacy protections like those in California, two Texas Representatives file privacy bills in the House on the same day. Rep. Giovanni Capriglione files HB 4390 (the ‘Texas Privacy Protection Act’) and Rep. Trey Martinez Fischer files HB 4518 (the ‘Texas Consumer Privacy Act’).
  • April 2, 2019 – both bills are heard during a public meeting of the Texas House Committee on Business and Industry. During his presentation, Rep. Capriglione says, “What my bill aims to do is to provide a little bit more regulation, a little bit more oversight, into the information that is being collected on us, about us, every single day without our knowledge – a lot of times without our permission.”
    • As Rep. Martinez Fischer’s presentation is second, he notes, “I fully appreciate and recognize that there might be higher-ups in the federal government that could grade our papers on this, and come up with a solution that can be applied to the entire nation. But unless and until that happens, I think we can’t just sit on our hands and watch time go by.”
    • Reps. Martinez Fischer and Capriglione then collaborate on revising HB 4390 to get it ready for a vote in the House.
  • May 7, 2019 – Texas House Bill 4390 goes to vote in the House and passes with a unanimous 140-0 vote in favor.
  • May 9, 2019 – Rep. Martinez Fischer explains to the San Antonio Report why he backed HB 4390: “Data privacy is becoming a big issue. More importantly, as we continue to see pretty much nothing happening in the United States Congress, it’s incumbent upon the states to act.”
    • A statement from Rep. Capriglione published in the same article says: “Today, data privacy initiatives require unique and robust solutions to defend people’s right to privacy. A Texas solution would not burden businesses, but would put Texans first.”
  • June 18, 2023 – Texas Governor Greg Abbott signs into law the Texas Data Privacy and Security Act.
  • July 1, 2024 – Texas Data Privacy and Security Act becomes effective.
  • January 1, 2025 – Additional provision in TDPSA for universal opt-out signals (e.g. Global Privacy Control) becomes effective.

Texans’ Personal Data Privacy Rights Under TDPSA

Consumers are defined in the Texas Data Privacy and Security Act as residents of Texas acting as individuals (on their own behalf) or in a household context. This definition excludes individuals acting in a business or employment capacity.

Personal data is defined as any information “linked or reasonably linkable to an identified or identifiable individual”. This definition of personal information covers pseudonymous data when “the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. The term does not include de-identified data or publicly available information.”

The main personal data privacy rights gained by Texans include:

  • Right to know/confirm whether a data controller is processing their personal data.
  • Right to access their own data held and processed by a controller.
  • Right to data portability, allowing a consumer to obtain a copy of the personal data they previously provided to the controller.
  • Right to correct inaccuracies in records of personal data held by a controller.
  • Right to delete records of personal data held by a controller, whether that data was provided by the consumer, or obtained about them through other means (such as data sharing arrangements).
  • Right to opt-out from processing of personal data, including opting-out from having their personal data processed for sale, profiling and/or targeted advertising.
  • Right not to be discriminated against for exercising privacy rights (the Act also covers consumers’ rights not to have personal data processed in violation of state and federal laws that prohibit unlawful discrimination against consumers).
  • Right to have sensitive data collected only with prior informed and unambiguous consent – this provision restricts controllers from collecting or processing any personal data defined as ‘sensitive’ without that consent.

Sensitive data is defined as information about a person’s:

  • Race or ethnicity
  • Religious belief
  • Mental or physical health diagnosis
  • Sexuality
  • Citizenship or immigration status
  • Genetic or biometric data that could be used to identify a person
  • Precise geolocation (i.e. data identifying where a person is located within a radius of 1,750 feet).

Consumers can exercise their personal data rights under the Texas Data Privacy and Security Act by lodging requests with data controllers, noting which consumer right/s they want to exercise. Parents and legal guardians of children (defined as children under age 13) can exercise a child’s rights on their behalf.

Universal Opt-out Signals / Global Privacy Control Under TDPSA

From January 1, 2025, some provisions for consumers to assign (or submit) universal opt-out signals via authorized third parties (for example, via Global Privacy Control) will become effective.

Controllers must comply with opt-out requests from authorized agents if they can verify “with commercially reasonable effort” a consumer’s identity and the authorized agent’s authority to act on the consumer’s behalf.

The rules for opt-out signals state:

  • “A consumer may designate another person to serve as the consumer’s authorized agent and act on the consumer’s behalf to opt out of the processing of the consumer’s personal data.”
  • “A consumer may designate an authorized agent using a technology, including a link to an Internet website, an Internet browser setting or extension, or a global setting on an electronic device, that allows the consumer to indicate the consumer’s intent to opt out of the processing.”
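As an added example (not part of the original article or any TrustArc product), the Python below shows how a controller's web tier could honor a browser-sent universal opt-out signal of the kind described above. It assumes the GPC specification's `Sec-GPC: 1` request header, which the article does not name, and a hypothetical in-house preference record; the stored opt-out covers the three purposes the Act lets a consumer opt out of.

```python
"""Honor a Global Privacy Control (GPC) opt-out signal on the server side.

Added illustration, not from the article or TrustArc. Assumes the GPC
specification's `Sec-GPC: 1` request header and a hypothetical in-house
ConsumerPreferences record.
"""
from dataclasses import dataclass, field

# The three processing purposes TDPSA lets a consumer opt out of.
OPT_OUT_PURPOSES = ("sale", "targeted_advertising", "profiling")


@dataclass
class ConsumerPreferences:
    consumer_id: str
    # purpose -> True means the consumer has opted out of that purpose
    opted_out: dict = field(default_factory=dict)
    source: str = "none"  # how the current opt-out state was set


def gpc_signal_present(headers: dict) -> bool:
    """True only for the exact value `1`; any other value is not a signal."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("sec-gpc", "").strip() == "1"


def apply_opt_out_signal(prefs: ConsumerPreferences, headers: dict) -> ConsumerPreferences:
    """Apply a universal opt-out signal to the consumer's stored preferences.

    A present signal opts the consumer out of sale, targeted advertising and
    profiling. An absent signal changes nothing: absence of GPC is not consent.
    """
    if gpc_signal_present(headers):
        for purpose in OPT_OUT_PURPOSES:
            prefs.opted_out[purpose] = True
        prefs.source = "gpc"
    return prefs


def may_process(prefs: ConsumerPreferences, purpose: str) -> bool:
    """Gate a processing purpose on the consumer's current opt-out state."""
    return not prefs.opted_out.get(purpose, False)


if __name__ == "__main__":
    # Constructed sample request headers; a real request carries many more.
    request_headers = {"Host": "example.test", "Sec-GPC": "1"}
    p = apply_opt_out_signal(ConsumerPreferences("c-123"), request_headers)
    print(p.opted_out, may_process(p, "sale"))  # prints the opt-out dict, then False
```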


Which Businesses Are Subject to Texas Privacy Law?

The Texas Data Privacy and Security Act has a very broad definition of business organizations and individuals who must comply with its rules – and unlike similar privacy laws in other states, it does not have thresholds based on revenue or other numbers (such as the size of customer base).

The text in Section 541.002 of the TDPSA states the act “applies only to a person” that:

  • Conducts business in Texas; or
  • Produces a product or service consumed by residents of Texas; or
  • Processes or engages in the sale of personal data (note: this prong means individuals and small businesses are not automatically excluded by the next qualifier, which restates the point); or
  • Is not defined as a small business by the United States Small Business Administration (the SBA defines a small business as “an independent business having fewer than 500 employees”) – “except to the extent that Section 541.107 applies to a person described by this subdivision”
    Note: Sec. 541.107 states that a person covered by the definitions listed above “may not engage in the sale of personal data that is sensitive data without receiving prior consent from the consumer”.

Which Organizations Are Not Subject to TDPSA?

The Act includes exemptions for several types of organizations under Sec. 541.002(3)(b), which states its rules do not apply to any:

  • Texas state agency; or
  • Political subdivision of Texas; or
  • Financial institution or data subject to Title V of the Gramm-Leach-Bliley Act (15 U.S.C. Section 6801 et seq.), which already “requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data”; or
  • Covered entity or business associate already governed by the Health Insurance Portability and Accountability Act (HIPAA) and other applicable federal and state healthcare and medical laws; or
  • Nonprofit organization; or
  • Higher education institution; or
  • Electricity industry organization such as an electric utility, power generation company or retail electric provider.

Texas Data Privacy and Security Law Compliance Obligations

The key compliance obligations for controllers subject to TDPSA aim to give Texans more control over how much personal information is collected and what that data is used for.

Controllers are required to:

  • Limit processing of personal information only to what is adequate, relevant and necessary for the stated purposes of processing (i.e. to deliver a product or service).
  • Notify consumers – with a clear, easy-to-understand privacy notice – of their privacy rights, including rights to opt out, the categories of personal information that may be collected, and the purposes of collecting and processing that data. Controllers must also notify consumers with separate notices and gain consent if the controller intends to collect and sell sensitive data or biometric data; or sell personal data for targeted advertising.
  • Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers.
  • Not discriminate against a consumer for exercising their privacy rights.
  • Gain a consumer’s informed and unambiguous consent (or in the case of a child under 13, consent from their parent/guardian) before collecting any sensitive data (see notes above outlining Texans’ Personal Data Privacy Rights).
  • Ensure security of personal data by implementing and maintaining “reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue”.
  • Conduct data protection assessments to reduce risks associated with any of the following: processing data for targeted advertising or profiling, selling personal data, and processing sensitive data.
  • Maintain contracts with any third-party processors that ensure they are also compliant with TDPSA requirements for processing data.
  • Respond to consumer personal data requests within 45 days (in some cases a 45-day extension is allowed).
  • Publicly disclose any data breach within two months.

Penalties For Non-Compliance with Texas Data Privacy and Security Law

The Texas Attorney General is the only office in Texas with authority to enforce TDPSA compliance. Individuals cannot initiate a private right of action, but they can notify the Attorney General of alleged violations.

The Attorney General must give a person (i.e. controller or processor) alleged to violate TDPSA:

  • At least 30 days’ written notice that it intends to take enforcement action – the notice will identify the specific provision/s of the Act that have been or are being violated; and
  • Opportunity to cure the alleged violation/s within 30 days.

Cures of alleged violations must be completed within the 30 days, and the person must deliver a written statement to the AG detailing:

  • Action taken to cure the violation/s;
  • Changes made to internal policies (if necessary) to prevent further violations;
  • Notices given to consumer/s whose privacy was violated about the actions taken to address the privacy violation/s (if the consumer’s contact information has been made available to the person alleged to violate the Act).

An individual or organization failing to cure any violation/s can be fined up to $7,500 per violation.

TrustArc Solutions for Compliance with Texas Data Privacy Laws

TrustArc helps businesses manage compliance with all relevant privacy regulations, including the Texas Data Privacy and Security Act.
