Texas Data Privacy and Security Act (TDPSA): Everything you need to know

In today’s digital landscape, data privacy and security have become critical concerns for businesses and consumers alike. With the increasing volume of personal data being collected and processed, including sensitive data and personal data used for targeted advertising, the need for robust data protection measures has never been greater. To address these concerns, Texas has enacted the Texas Data Privacy and Security Act (TDPSA), a comprehensive law aimed at safeguarding the personal data of its residents. This guide provides an in-depth look at the TDPSA’s key provisions, covering aspects such as the sale of personal data and data protection assessments. It also offers practical steps for businesses to ensure compliance.
Overview of the Texas Data Privacy and Security Act (TDPSA)
Effective July 1, 2024, the Texas Data Privacy and Security Act (TDPSA) establishes stringent guidelines for handling consumer data. This act is designed to protect the personal data of Texas residents. It applies to businesses and individuals engaged in collecting, using, processing, selling, and sharing this data, regardless of the business’s location.
The TDPSA sets out a comprehensive framework for how businesses should manage personal data, grants rights to individuals, and imposes specific obligations on organizations.
These obligations include:
- Complying with consumer data subject requests.
- Conducting data protection assessments.
- Providing privacy notices.
- Establishing contracts with third-party data processors.
Key Provisions of the TDPSA
1. Scope and Applicability
The TDPSA applies to any business that processes the personal data of Texas residents. This broad applicability means that businesses, whether located within Texas or outside the state, must comply if they handle data belonging to Texas residents.
Exemptions from the TDPSA
The following entities are not subject to the TDPSA:
- State Agencies and Political Subdivisions: Any state agency or political subdivision of Texas.
- Financial Institutions: Entities covered under the Gramm-Leach-Bliley Act.
- Healthcare Entities: Covered entities or business associates regulated by the privacy, security, and breach notification rules of the U.S. Department of Health and Human Services, the Health Information Technology for Economic and Clinical Health Act, and HIPAA.
- Non-Profit Organizations: Any non-profit organizations.
- Institutions of Higher Education: Colleges and universities.
- Electric Utilities: Electric utility companies, power generator companies, and retail electric providers.
2. Personal Data Definition
Under the TDPSA, personal data is defined as any information that can identify an individual, either directly or indirectly. This encompasses a wide range of data types, including but not limited to:
- Names and Addresses: Full names, home addresses, email addresses, and phone numbers.
- Online Identifiers: IP addresses, device identifiers, and other digital footprints.
- Biometric Data: Fingerprints, facial recognition data, retinal scans, and other unique biological characteristics.
- Financial Information: Bank account numbers, credit card details, and financial transaction data.
- Health Information: Medical records, health insurance information, and genetic data.
Businesses must recognize and manage all forms of personal data they collect and process, ensuring they adhere to TDPSA guidelines for data protection and privacy. This includes implementing robust data management practices, maintaining accurate records of data processing activities, and ensuring that personal data is handled securely and transparently throughout its lifecycle.
3. Data Subject Rights
Texas residents have several rights concerning their personal data under the TDPSA.
They can:
- Request access to their personal data held by a business (Right to Access).
- Request corrections to any inaccurate data (Right to Correction).
- Request deletion of their data (Right to Deletion).
- Request their data in a portable format to transfer to another service provider (Right to Data Portability).
4. Consent Requirements
Businesses must obtain explicit consent from individuals before collecting or processing sensitive personal data. This category of data includes, but is not limited to:
- Racial or Ethnic Origin: Information that reveals racial or ethnic background.
- Health Data: Medical history, health conditions, treatments, and genetic information.
- Financial Details: Bank account numbers, credit card information, and financial transactions.
Requiring explicit consent ensures that individuals are fully informed about the specific types of sensitive data being collected and how it will be used. Explicit consent must be clear, affirmative, and freely given, indicating that individuals have been provided with all necessary information to make an informed decision. This process guarantees that individuals are aware of and agree to the processing of their sensitive information, enhancing transparency and trust between consumers and businesses.
5. Data Security Measures
The TDPSA mandates that businesses implement appropriate security measures to protect personal data from unauthorized access, disclosure, alteration, or destruction. These measures include technical safeguards (e.g., encryption, access controls, firewalls), administrative safeguards (e.g., policies, procedures, training), and physical safeguards (e.g., security cameras, locks) to ensure comprehensive data protection.
6. Data Breach Notification
In the event of a data breach, businesses are required to notify affected individuals and the Texas Attorney General within a specified timeframe. The notification must include details about the breach and the steps taken to mitigate its impact. Prompt notification is crucial for maintaining consumer trust and transparency.
Compliance Requirements for Businesses
To comply with the Texas Data Privacy and Security Act, businesses must take several proactive steps. Key compliance requirements include:
- Data Mapping & Inventory: Document all personal data collected, processed, and stored, creating a detailed inventory of data sources, types, and flows.
- Privacy Policy Updates: Reflect Texas residents’ rights under the TDPSA in updated privacy policies, providing clear information about data practices.
- Consent Mechanisms: Implement systems for obtaining and managing explicit consent before collecting sensitive data.
- Enhanced Data Security: Strengthen security measures with encryption, access controls, intrusion detection, and regular audits.
- Data Breach Response Plans: Develop procedures for detecting, responding to, and notifying about data breaches.
- Employee Training: Educate employees on the TDPSA, best practices, and data safeguarding.
Enforcement and Penalties
The TDPSA is enforced by the Texas Attorney General. Before initiating any action under the TDPSA, the Attorney General will give the controller a written notice of thirty (30) days, specifying the provision(s) allegedly violated. During this period, the controller and/or processor has the opportunity to address and rectify the alleged violations. If the violations are not remedied within the thirty (30) days, the Texas Attorney General may proceed with legal action against the controller and/or processor, potentially recovering civil penalties of up to $7,500 per violation.
Conclusion
The Texas Data Privacy and Security Act (TDPSA) introduces crucial measures to safeguard personal data, including sensitive information and data used for targeted advertising. In today’s digital landscape, compliance with the TDPSA is more than a legal obligation: it is an opportunity for businesses to build trust and enhance their reputation.
By understanding and adhering to key provisions, such as those governing the sale of personal data and the conduct of thorough data protection assessments, businesses can ensure they meet the TDPSA’s stringent guidelines. These include obtaining explicit consent for sensitive data, providing clear privacy notices, and implementing robust data security measures.
Staying informed about data privacy laws and implementing comprehensive data protection measures will help businesses comply with the TDPSA and foster a culture of privacy and security that benefits both the organization and its customers. Adhering to these requirements is essential for maintaining a good reputation and avoiding legal repercussions.
The TDPSA provides a solid framework for data privacy and security, emphasizing transparency, accountability, and consumer rights.
