On May 28, 2023, the Texas Data Privacy and Security Act (TDPSA) passed the Texas House and Senate. It has been sent to Governor Greg Abbott for signature before becoming law. Assuming the TDPSA is signed into law, it will be the fifth comprehensive privacy act enacted in 2023 and the tenth piece in the patchwork of US state privacy laws.
While the TDPSA shares many features with existing state privacy laws – consumer rights, opt-in consent for sensitive data, and data protection assessments – it also contains several provisions, including enhanced disclosure requirements and a broader scope of application, that organizations should be aware of ahead of an expected effective date of July 1, 2024.
Key areas of the Texas Data Privacy and Security Act
The TDPSA broadly aligns with the Virginia Consumer Data Protection Act (CDPA) but has some key differences from it and from other existing US state privacy laws. Notably, its broader scope of application will bring in businesses outside of Texas, and it does not cover non-profits or add further protections for children’s data. Let’s take a closer look at some of the key areas of the TDPSA.
Scope of application
The TDPSA has a broad scope of application including an extra-territorial application that will bring organizations outside of Texas into scope for certain processing activities.
The TDPSA will apply to organizations that:
- Do business in the state of Texas or produce products or services that are consumed by residents of Texas
- Process or engage in the sale of personal data
- Are not a small business as defined by the United States Small Business Administration
Unlike other US state laws, the TDPSA does not contain a specific monetary application threshold or a threshold based on the number of consumers whose data is controlled or processed. Instead, it introduces a small business exception based on the definition used by the United States Small Business Administration, which varies by annual turnover, employee count, and industry.
As with many US state privacy laws, the TDPSA includes exemptions for organizations that are covered by sectoral privacy laws including the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), as well as exemptions for certain organizations (e.g. state government agencies) and specified types of information (e.g. research data).
Enhanced disclosure requirements
As with most modern privacy laws, the TDPSA includes transparency requirements that will obligate organizations to disclose certain information about their personal data processing activities to the consumer through a “reasonably accessible and clear” privacy notice. However, the TDPSA also includes enhanced notice requirements when an organization sells sensitive or biometric data, or sells personal data to a third party for targeted advertising.
All organizations covered by the TDPSA will be required to present the consumer with a privacy notice that contains information relating to:
- The categories of personal data processed, including any sensitive data, where applicable
- The purpose for processing personal data
- The categories of personal data shared with third parties
- The categories of third parties that personal data is shared with
- How consumers can exercise their consumer rights under the TDPSA
In addition to the general privacy notice obligations, an organization that sells sensitive data will be required to make a further disclosure to consumers by including “NOTICE: We may sell your sensitive personal data” in its privacy notice. There is a similar obligation for the sale of biometric data, which requires organizations to include “NOTICE: We may sell your biometric personal data” in their privacy notice.
Organizations that sell personal data for the purposes of targeted advertising will also need to make additional disclosures to individuals in the form of clear and conspicuous notice as well as a method for opting out of the sale.
Consumer rights
Consumer rights under the TDPSA are mostly similar to what we already see in other states with Texas sitting on the more prescriptive end of the spectrum. Consumers in Texas will be able to exercise the following rights:
- Right to confirm processing
- Right to access
- Right to correction
- Right to deletion
- Right to data portability
- Right to opt-out of:
  - Targeted advertising
  - The sale of personal data
  - Profiling
Although not explicitly called out as consumer rights, consumers will also be able to appeal decisions made by the data controller and will have the right to non-discrimination.
Organizations will have 45 days to respond to a verifiable consumer request with the possibility of a 45-day extension.
Data Protection Assessments
The TDPSA contains requirements for organizations to conduct Data Protection Assessments. Again, the requirement is similar to that found under other US state privacy laws and organizations must balance the benefits of the processing activity against the potential risks that it may pose to individuals.
In particular, organizations will be required to conduct and document a data protection assessment for the following processing activities:
- Processing of personal data for purposes of targeted advertising
- Selling personal data
- Processing of personal data for purposes of profiling
- Processing sensitive data
- Processing activities involving personal data that present a heightened risk of harm to consumers
The TDPSA offers a more business-friendly approach to data protection assessments than is widely seen in US state privacy laws. A single data protection assessment may address a comparable set of processing operations, and a data protection assessment conducted in compliance with other laws or regulations may satisfy the requirements of the TDPSA if the processing activities are comparable.
How will the TDPSA be enforced?
Once effective, the TDPSA will be enforced exclusively by the Texas Attorney General. The Attorney General will have the authority to initiate investigations into potential violations of the TDPSA and may request copies of data protection assessments to check compliance with the law.
Organizations that are found to be in violation of the TDPSA will have a 30-day cure period to remedy the violation. If no remediation has taken place after 30 days, the Attorney General can issue civil penalties of up to $7,500 for each violation.
The TDPSA does not provide a private right of action.
How can OneTrust help get you prepared for the TDPSA?
Pending the Governor’s signature, organizations that will fall under the TDPSA will have just over 12 months to prepare for its entry into effect. As the TDPSA does not contain a rulemaking provision, organizations can begin preparing for the provisions of the act in its current form.
The OneTrust Privacy & Data Governance Cloud offers a range of solutions that can get your privacy program up to speed with the requirements of the TDPSA. OneTrust DataGuidance Research includes news and resources from a network of expert local contributors to keep you up to date with the latest developments in US privacy. OneTrust Privacy Notice Management will help you prepare for the TDPSA’s enhanced disclosure requirements, ensuring that you can present individuals in Texas with the correct notices for how their personal data is being used. Additionally, the PIA & DPIA Automation solution can help you with the TDPSA’s data protection assessment requirements by offering a range of US privacy-specific assessment templates, as well as the ability to document the assessment for auditing purposes should you need to present it to the Attorney General.
Request a demo to learn more about how OneTrust can help get you started on your journey toward compliance with the Texas Data Privacy and Security Act and other US state privacy laws.