On May 28, 2023, the Texas Data Privacy and Security Act (TDPSA) was passed and later signed by the Texas State House and Senate. It has been sent to Governor Greg Abbott for signature before becoming law. Assuming the TDPSA does pass into law, it will be the fifth comprehensive privacy act to become law in 2023 and the tenth piece of the patchwork of US state privacy laws.
While the TDPSA holds many similarities to existing state privacy laws – consumer rights, opt-in consent for sensitive data, and data protection assessments – it also contains several provisions, including enhanced disclosure requirements and a broader scope of application, that organizations should be aware of ahead of an expected effective date of July 1, 2024.
The TDPSA widely aligns with the Virginia Consumer Data Protection Act (CDPA) but has some key differences from this and other existing US state privacy laws. Notably, its broader scope of application will bring businesses outside of Texas into scope, and it does not cover non-profits or provide additional protections for children’s data. Let’s take a closer look at some of the key areas of the TDPSA.
Scope of application
The TDPSA has a broad scope of application including an extra-territorial application that will bring organizations outside of Texas into scope for certain processing activities.
The TDPSA will apply to organizations that:
Unlike other US state laws, the TDPSA does not contain a specific monetary application threshold or a threshold based on the number of consumers whose data is controlled or processed. Instead, it introduces a small business exception, as defined by the United States Small Business Administration, which varies by annual turnover, employee count, and industry.
As with many US state privacy laws, the TDPSA includes exemptions for organizations that are covered by sectoral privacy laws including the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), as well as exemptions for certain organizations (e.g. state government agencies) and specified types of information (e.g. research data).
Enhanced disclosure requirements
As with most modern privacy laws, the TDPSA includes transparency requirements that will obligate organizations to disclose certain information about their personal data processing activities to the consumer through a “reasonably accessible and clear” privacy notice. However, the TDPSA also includes enhanced notice requirements when an organization sells sensitive or biometric data, or sells personal data to a third party for targeted advertising.
All organizations covered by the TDPSA will be required to present the consumer with a privacy notice that contains information relating to:
In addition to general privacy notice obligations, if an organization sells sensitive data, it will be required to make a further disclosure to consumers by including “NOTICE: We may sell your sensitive personal data” within its privacy notice. There is also a similar obligation for the sale of biometric data that requires organizations to include “NOTICE: We may sell your biometric personal data” within their privacy notice.
Organizations that sell personal data for the purposes of targeted advertising will also need to make additional disclosures to individuals in the form of clear and conspicuous notice as well as a method for opting out of the sale.
Consumer rights under the TDPSA are mostly similar to what we already see in other states with Texas sitting on the more prescriptive end of the spectrum. Consumers in Texas will be able to exercise the following rights:
Although not explicitly called out as consumer rights, consumers will have the ability to appeal decisions made by the data controller as well as the right to non-discrimination.
Organizations will have 45 days to respond to a verifiable consumer request with the possibility of a 45-day extension.
Data Protection Assessments
The TDPSA contains requirements for organizations to conduct Data Protection Assessments. Again, the requirement is similar to that found under other US state privacy laws and organizations must balance the benefits of the processing activity against the potential risks that it may pose to individuals.
In particular, organizations will be required to conduct and document a data protection assessment for the following processing activities:
The TDPSA does offer a more business-friendly approach to data protection assessments, not widely seen in US state privacy laws, by highlighting that a single data protection assessment may address a comparable set of processing operations, and that a data protection assessment conducted in compliance with other laws or regulations may satisfy the requirements of the TDPSA if the processing activities are comparable.
Once effective, the TDPSA will be exclusively enforced by the Texas Attorney General. The Attorney General will have the authority to initiate investigations into potential violations of the TDPSA, in the course of which copies of Data Protection Assessments can be requested and checked to ensure compliance with the law.
Organizations that are found to be in violation of the TDPSA will have a 30-day cure period to remedy any such violation. If, after 30 days, no remediation has taken place, the Attorney General can issue civil penalties of up to $7,500 for each violation.
The TDPSA does not provide a private right of action.
Pending the Governor’s signature, organizations that will fall under the TDPSA will have just over 12 months to prepare for its entry into effect. As the TDPSA does not contain a rulemaking provision, organizations can begin to prepare for the provisions contained in the act in its current form.
The OneTrust Privacy & Data Governance Cloud offers a range of solutions that can get your privacy program up to speed with the requirements of the TDPSA. OneTrust DataGuidance Research includes news and resources from a network of expert local contributors to keep you up to date with the latest developments in US privacy. OneTrust Privacy Notice Management will help you to prepare for the TDPSA’s enhanced disclosure requirements to ensure that you can present individuals in Texas with the correct notices for how their personal data is being used. Additionally, the PIA & DPIA Automation solution can help you with the TDPSA’s data protection assessment requirements by offering a range of US privacy-specific assessment templates, as well as giving you the ability to document the assessment for auditing purposes should you need to present it to the Attorney General.
Request a demo to learn more about how OneTrust can help get you started on your journey toward compliance with the Texas Data Privacy and Security Act and other US state privacy laws.