Texas Data Privacy and Security Act (TDPSA): Everything you need to know


In today’s digital landscape, data privacy and security have become critical concerns for businesses and consumers alike. With the increasing volume of personal data being collected and processed, including sensitive data and personal data used for targeted advertising, the need for robust data protection measures has never been greater. To address these concerns, Texas has enacted the Texas Data Privacy and Security Act (TDPSA), a comprehensive law aimed at safeguarding the personal data of its residents. This guide provides an in-depth look at the TDPSA’s key provisions, covering aspects such as the sale of personal data and the importance of conducting a thorough data protection assessment, and offers practical steps businesses can take to ensure compliance.

Overview of the Texas Data Privacy and Security Act (TDPSA)

Effective July 1, 2024, the Texas Data Privacy and Security Act (TDPSA) establishes stringent guidelines for handling consumer data. Designed to protect the personal data of Texas residents, it applies to businesses and individuals engaged in the collection, use, processing, sale, and sharing of this data, regardless of the business’s location.

The TDPSA sets out a comprehensive framework for how businesses should manage personal data, grants rights to individuals, and imposes specific obligations on organizations. These obligations include:

  • Complying with consumer data subject requests.
  • Conducting data protection assessments.
  • Providing privacy notices.
  • Establishing contracts with third-party data processors.

Key Provisions of the TDPSA

1. Scope and Applicability

The TDPSA applies to any business that processes the personal data of Texas residents. This broad applicability means that businesses, whether located within Texas or outside the state, must comply if they handle data belonging to Texas residents.

Exemptions from the TDPSA

The following entities are not subject to the TDPSA:

  • State Agencies and Political Subdivisions: Any state agency or political subdivision of Texas.
  • Financial Institutions: Entities covered under the Gramm-Leach-Bliley Act.
  • Healthcare Entities: Covered entities or business associates regulated by the privacy, security, and breach notification rules of the U.S. Department of Health and Human Services, the Health Information Technology for Economic and Clinical Health Act, and HIPAA.
  • Non-Profit Organizations: Any non-profit organizations.
  • Institutions of Higher Education: Colleges and universities.
  • Electric Utilities: Electric utility companies, power generator companies, and retail electric providers.

2. Personal Data Definition

Under the TDPSA, personal data is defined as any information that can identify an individual, either directly or indirectly. This encompasses a wide range of data types, including but not limited to:

  • Names and Addresses: Full names, home addresses, email addresses, and phone numbers.
  • Online Identifiers: IP addresses, device identifiers, and other digital footprints.
  • Biometric Data: Fingerprints, facial recognition data, retinal scans, and other unique biological characteristics.
  • Financial Information: Bank account numbers, credit card details, and financial transaction data.
  • Health Information: Medical records, health insurance information, and genetic data.

Businesses must recognize and manage all forms of personal data they collect and process, ensuring they adhere to TDPSA guidelines for data protection and privacy. This includes implementing robust data management practices, maintaining accurate records of data processing activities, and ensuring that personal data is handled securely and transparently throughout its lifecycle.

3. Data Subject Rights

The TDPSA grants several rights to Texas residents concerning their personal data:

  • Right to Access: Individuals can request access to their personal data held by a business.
  • Right to Correction: Individuals can request corrections to any inaccurate personal data.
  • Right to Deletion: Individuals can request the deletion of their personal data.
  • Right to Data Portability: Individuals can request their data in a portable format to transfer it to another service provider.

4. Consent Requirements

Businesses must obtain explicit consent from individuals before collecting or processing sensitive personal data. This category of data includes, but is not limited to:

  • Racial or Ethnic Origin: Information that reveals racial or ethnic background.
  • Health Data: Medical history, health conditions, treatments, and genetic information.
  • Financial Details: Bank account numbers, credit card information, and financial transactions.

This requirement ensures that individuals are fully informed about the specific types of sensitive data being collected and how it will be used. Explicit consent must be clear, affirmative, and freely given, indicating that individuals have been provided with all necessary information to make an informed decision. This process guarantees that individuals are aware of and agree to the processing of their sensitive information, enhancing transparency and trust between consumers and businesses.

5. Data Security Measures

The TDPSA mandates that businesses implement appropriate security measures to protect personal data from unauthorized access, disclosure, alteration, or destruction. These measures include technical, administrative, and physical safeguards to ensure comprehensive data protection.

6. Data Breach Notification

In the event of a data breach, businesses are required to notify affected individuals and the Texas Attorney General within a specified timeframe. The notification must include details about the breach and the steps taken to mitigate its impact. Prompt notification is crucial for maintaining consumer trust and transparency.

Compliance Requirements for Businesses

To comply with the Texas Data Privacy and Security Act, businesses must take several proactive steps. Here’s a detailed breakdown of the primary compliance requirements:

1. Conduct Data Mapping and Inventory

Businesses need to identify and document all personal data they collect, process, and store. This involves creating a detailed inventory of data sources, data types, and data flows within the organization. Proper data mapping ensures that all personal data is accounted for and managed appropriately.

2. Update Privacy Policies

Privacy policies must be updated to reflect the rights of Texas residents under the TDPSA. This includes providing clear information about data collection practices, purposes of data processing, data sharing, and the mechanisms for exercising data subject rights. Transparency in privacy policies is key to building consumer trust.

3. Implement Consent Mechanisms

Businesses need to establish mechanisms for obtaining and managing explicit consent from individuals before collecting sensitive personal data. This can be achieved through consent forms, opt-in checkboxes, and consent management platforms. Effective consent mechanisms help ensure that individuals are fully informed about how their data will be used.

4. Enhance Data Security

Organizations must assess and enhance their security measures. This involves implementing encryption, access controls, intrusion detection systems, and regular security audits to protect personal data. Strong security measures are vital for comprehensive data privacy and security.

5. Establish Data Breach Response Plans

A robust data breach response plan is essential for compliance. Businesses should develop procedures for detecting, responding to, and notifying affected parties about data breaches. Regular drills and updates to the response plan can help ensure preparedness.

6. Train Employees

Employee training is critical for compliance. Businesses should provide regular training sessions to educate employees about the TDPSA, data protection best practices, and the importance of safeguarding personal data. Well-informed employees are the first line of defense against data breaches.

Enforcement and Penalties

The TDPSA is enforced by the Texas Attorney General. Before initiating any action under the TDPSA, the Attorney General will give the controller a written notice of thirty (30) days, specifying the provision(s) allegedly violated. During this period, the controller and/or processor has the opportunity to address and rectify the alleged violations. If the violations are not remedied within the thirty (30) days, the Texas Attorney General may proceed with legal action against the controller and/or processor, potentially recovering civil penalties of up to $7,500 per violation.

Conclusion

The Texas Data Privacy and Security Act (TDPSA) introduces crucial measures to safeguard personal data, including sensitive information and data used for targeted advertising. In today’s digital landscape, compliance with the TDPSA is more than a legal obligation—it’s an opportunity for businesses to build trust and enhance their reputation.

By understanding and adhering to key provisions such as the sale of personal data and conducting thorough data protection assessments, businesses can ensure they meet the TDPSA’s stringent guidelines. These include obtaining explicit consent for sensitive data, providing clear privacy notices, and implementing robust data security measures.

Staying informed about data privacy laws and implementing comprehensive data protection measures will help businesses comply with the TDPSA and foster a culture of privacy and security that benefits both the organization and its customers. Adhering to these requirements is essential for maintaining a good reputation and avoiding legal repercussions.

The TDPSA provides a solid framework for data privacy and security, emphasizing transparency, accountability, and consumer rights.
