Texas is the 11th US state to introduce a comprehensive state privacy law, known as the Texas Data Privacy and Security Act (TDPSA), following California, Virginia, Montana, Iowa, Indiana, and other states. TDPSA closely resembles the state privacy laws of Virginia, Iowa, Utah, and others, well-positioning businesses and applicable entities for compliance.

Coming into effect from 1st July 2024, the law contains different notable provisions that can affect the privacy compliance programs of applicable entities. Here are the key takeaways from the law.

Scope

Unlike the other state privacy laws focusing on business revenues and the volume of data processed by businesses, the Texas State Privacy Law presents a different application threshold. The law is applicable to :

1. Entities conducting business in the state or delivering a product or service consumed by the state residents.

2. Entities processing or selling personal data irrespective of the data’s volume.

3. Entities that are not small businesses, as defined by the Small Business Administration (SBA).

Moreover, the law uses the same definitions of the controller and processor as defined by non-California privacy laws. ‘Controller’ is an entity determining how and why personal information is being processed. ‘Processor’ is an entity that processes personal information on behalf of a controller (as in third-party vendors).

Exemptions

The law is only applicable when personal data is collected from an individual acting in an individual or household context and does not include commercial and employment-based interactions. This is like most other state privacy laws except for California. The law also provides more expansive exemptions, some of which are like the other state privacy laws.

Financial institutions covered under the Gramm-Leach-Bliley Act have an exemption from this law. Government entities, non-profit organizations, higher education institutions, power generation companies, entities under the HIPAA, and electric utilities also have an exemption.

Enforcement

The Texas Attorney General holds the exclusive authority to enforce the law. The Attorney General must first issue a notice to the controllers along with a 30-day cure period to resolve the allegations. This law provides a more stringent requirement, unlike the other state privacy laws, requiring the controller to do the following:

• Provide a written statement to the Attorney General confirming the resolution of the privacy violation.

• Notify the consumer that their appeal was addressed and provide supporting documents.

• Adjust their internal policies, if necessary, to prevent recurrence.

Failing to cure the alleged violations would require the controllers to pay up to a $7,500 penalty for each violation accompanied by an injunction.

Consumer Rights

Rights provided to the residents under this law are like most other state privacy laws.

Consumers can:

1. Confirm if their personal data is being processed by a controller and can have access to it.

2. Any inaccuracies in personal data can be corrected.

3. Delete personal data related to them, either provided by them or obtained by the controllers.

4. Obtain a portable copy of their personal data.

5. Opt-out of :

   • Targeted advertising

   • Profiling

   • Sale of personal information

Controllers have 45 days to respond to consumer requests to exercise their rights, and consumers can appeal to the enforcers in case the controllers refuse to take necessary actions. Entities falling under the scope of this law are required to implement opt-out preference signals before the 1st of January 2025.

Obligations

Like the other state privacy laws in the US, entities/controllers are imposed with certain obligations like:

• Data Minimization: personal data collection must be limited to what is ‘adequate, necessary, and relevant’ to achieve the purpose of data collection.

• Non-discrimination: avoid discriminating against the consumers for exercising their rights or providing goods and services of different quality.

• Sensitive Data: obtain consent before processing any consumer’s sensitive data, defined as personal data that reveals race or ethnic origin, health diagnosis, sexuality, citizenship information, biometric and genetic information, and precise geolocation.

• DPAs: conduct Data Protection Assessments when personal data is processed for target advertising, profiling, sale of personal data, and anything that can potentially harm the consumers.

• Privacy Notice: privacy notice must be issued to the consumer whenever a controller processes or sells sensitive data informing them of the same.

• Data Security Safeguards: establish, implement, and maintain appropriate physical, administrative, and technical practices for data security.

• Processor Contracts: enter into agreements with the processors (third-party vendors), requiring the processor to maintain data confidentiality and assist the controller in meeting the obligations.

Conclusion

The rapid expansion of comprehensive privacy laws in the United States emphasizes the need for developing a harmonized approach to achieve privacy compliance. Fortunately, Texas state followed a framework like most other state privacy laws, helping companies adapt to the law with better techniques. As the legislative sessions are still open in several other states, there might be more state privacy laws coming shortly.