In the absence of a federal privacy law, states have been enacting their own, creating a patchwork of compliance laws with their own nuances.
On June 18, 2023, Texas Gov. Greg Abbott signed the Texas Data Privacy and Security Act (TDPSA) into law, bringing the Lone Star State into the fold of U.S. states with a comprehensive data privacy law aimed at protecting consumers.
While the Texas privacy law is similar to those that came before it, some of its provisions are unique. We’ll dive into the TDPSA, what it means for businesses and others that process the data of Texas consumers, and how to become compliant.
After California, which is first both in size and adoption of a state-level privacy law, Texas is the second largest state to adopt a comprehensive law related to data privacy.
The Texas Data Privacy and Security Act regulates the collection, use, processing, and treatment of consumers’ personal data. Businesses subject to the law that violate its requirements are subject to civil penalties.
The TDPSA takes notes from existing laws, with the Virginia Consumer Data Protection Act serving as its foundation. The statute was designed to protect the privacy and personal data rights of the state’s residents while holding businesses accountable for how they use the data of Texans.
Like other state privacy laws, the Texas privacy act gives residents a number of familiar rights, including the right to:
While the TDPSA takes effect July 1, 2024, businesses will have a slightly longer grace period to comply with the global opt-out technology provision, which takes effect Jan. 1, 2025. After this point, businesses will have to recognize universal opt-out signals, such as the Global Privacy Control.
One of the major deviations from similar data privacy laws is the TDPSA’s applicability. Instead of applying to businesses based on their annual revenue, how much data is processed, or how much revenue the company generates from the sale of such data, the law introduces a new set of guidelines.
TDPSA applies to entities that meet the following criteria:
The small business provision is the first of its kind and could mean that the law will impact many (or most) companies that do business in the state.
Like other privacy laws, the Texas privacy act has exclusions, including state agencies or political subdivisions of the state; financial institutions or data subject to Title V of the Gramm-Leach-Bliley Act; or covered entities or business associates governed by the privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Nonprofit organizations, higher-education institutions, and electric utility companies are also exempt.
The TDPSA outlines duties for controllers related to collecting personal data, including limiting collection to what is adequate, relevant, and reasonably necessary, and requiring them to establish data security practices.
Controllers cannot:
The Texas privacy law also requires businesses to gain consent before processing sensitive personal data and provide notice if they sell sensitive or biometric data.
Once a controller receives a data subject access request (DSAR; such as the rights requests listed previously), they must respond “without undue delay,” but no later than 45 days after the receipt of the request. Additionally, a controller can extend the response period by 45 days when reasonably necessary as long as they notify the consumer within the initial 45-day response period.
The law also states that information must be provided free of charge at least twice annually per consumer, unless the request is manifestly unfounded, excessive or repetitive. The controller must establish a process for a consumer to appeal if the controller doesn’t take action within a reasonable period of time.
Though the TDPSA is still considered more business-friendly than privacy legislation in other states (namely, California, Virginia, and Connecticut), there are some other changes in the law’s language that are important to note.
For example, the law requires additional disclosures for companies or entities that sell sensitive or biometric information, even going as far as to prescribe the wording of the notice: “NOTICE: We may sell your sensitive (or biometric) personal data.” The notice must be posted in the same location and in the same manner as the privacy notice.
Businesses that sell personal data for targeted advertising also must make additional disclosures and provide a way for consumers to opt out of the sale of their data.
Though the act more closely aligns with Virginia’s privacy act, the Texas law’s definition of “sale of personal data” is more similar to the California Privacy Rights Act than Virginia’s privacy law. The act defines it as “sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.”
The definition of “controller” applies to all non-exempt entities that conduct business in the state and process or sell personal data.
Additionally, the 30-day cure period (i.e., a grace period in which violators have the opportunity to “cure” a violation following notification) is slightly different than with other laws. After the attorney general notifies a person in writing, no action will be brought against the violator if the violation has been cured. What differs is that the entity must also provide the attorney general with a written statement that they have:
Furthermore, the cure period does not sunset, as is the case with other laws—businesses subject to the TDPSA will enjoy a 30-day cure period in perpetuity.
If an entity does not remediate the violation, the attorney general can issue a $7,500 penalty for each violation.
Finally, there is no private right of action, which means private citizens cannot bring action against those who violate the law.
The TDPSA aligns in many areas with other state-level privacy laws. That said, when a new privacy law takes effect, it’s important for companies to re-evaluate their compliance mechanisms with legal counsel.
And, with many new laws taking effect over the next 12 to 18 months, it may be time to consider a consent management platform (CMP) to help manage consent—no matter where your website visitors are from.
Finally, staying in the know about new laws will also benefit you and your company in the long term. The Osano newsletter is a great resource for all things data privacy.
The Texas privacy law takes effect July 1, 2024; however, businesses and other entities have until Jan. 1, 2025, to recognize universal opt-out mechanisms, such as the GPC.
Global Privacy Control is an initiative aimed at creating a global web browser setting that enables users to control their privacy online, including whether they consent to the sale of their personal data.
The law applies to those who conduct business in the state or produce a product or service consumed by residents of the state; process or engage in the sale of personal data; and are not a small business, as defined by the U.S. Small Business Administration.
The law requires disclosures when a company plans to sell sensitive or biometric data.
If a business processes the sensitive data of a “known child” (an individual younger than 13), it must do so in accordance with the Children’s Online Privacy Protection Act of 1998. A “known child” is a child in circumstances where the controller has actual knowledge of, or willfully disregards, the child’s age. Personal data collected from a known child is also classified as sensitive data.
If violators don’t cure the violation within the cure period and provide the attorney general with evidence of the cure, they can be fined $7,500 per violation.