What is the Texas Data Privacy And Security Act (TDPSA)?

The Texas Data Privacy and Security Act (TDPSA) was enacted on June 18, 2023, making Texas the tenth U.S. state to authorize a comprehensive privacy law that protects resident consumers.

The TDPSA borrows many of its provisions from other state privacy laws, mainly the Virginia Consumer Data Protection Act (VCDPA) and the California Consumer Privacy Act (CCPA). Almost all provisions passed as part of the TDPSA will go into effect on July 1, 2024, the same day the Florida Digital Bill of Rights (FDBR) becomes effective.

Entities that conduct business in Texas or produce a product that state residents consume will be the most affected by the TDPSA.

Texas Data Privacy and Security Act effective date

While most statutes of the TDPSA will go into effect on July 1, 2024, controllers have until January 1, 2025, to provide consumers with a process to opt out of the sale of their data, targeted advertising, or profiling. After the effective date, controllers must present consumers with an address (email, toll-free phone number, or link) where they can complete the opt-out process.

Does Your Business Need to Comply with the Texas Data Privacy and Security Act (TDPSA)?

Unlike other data privacy laws in the United States, the applicability of the TDPSA does not only include large businesses that process a significant amount of consumer data. Instead, the TDPSA applies broadly to a wide variety of organizations and individuals (outlined as controllers in the act) who meet ALL of the following criteria:

  • Conduct business in Texas or sell a product or service that Texas residents consume
  • Participate in the processing or sale of personal data
  • Are not defined as a small business by the United States Small Business Administration (SBA)

Important Note: The U.S. Small Business Administration defines a small business as an organization with fewer than 500 employees. However, the SBA also carries a variety of industry-level definitions of “small business,” which may include a gross income requirement.

Who is Exempt From the Texas Data Privacy Act?

Additional businesses, including some limited liability partnerships (LLP), may be exempt from the TDPSA if they fall into one of the following general exemption categories:

The TDPSA also does not apply to de-identified data, protected employee information, healthcare information (HIPAA), information regulated by the Fair Credit Reporting Act, or any of these types of information a business associate processes.

Consumer Rights Granted Under the TDPSA

The TDPSA provides residents of Texas with several rights regarding their sensitive personal data and data collection.

Consumer rights granted under the TDPSA include:

  • The right to know if a controller is collecting consumer data, what categories of personal data are being collected, and if the controller is participating in processing activities (all outlined in a privacy notice)
  • The right to correct inaccuracies in, and to delete, personal data that has been collected
  • The right to receive a portable, digital copy of the data that has been collected (data portability)
  • The right to opt out of the sale of personal data, targeted advertising, or profiling that results in decisions with legal effects on the consumer
  • The right to appeal a controller’s refusal to act on any other right granted by the TDPSA

Personal Data vs. Sensitive Data (TDPSA)

The TDPSA broadly defines what constitutes personal data. According to the TDPSA, personal data includes any information, including sensitive data, that may be reasonably linked to an identifiable individual.

The TDPSA also explicitly states that pseudonymous data used alongside additional information is considered personal data.

The act defines sensitive data more narrowly as any personal data that falls into one of the following categories:

  • Reveals a person’s racial or ethnic origin, citizenship status, or immigration status
  • Indicates a person’s mental or physical health diagnosis
  • Describes a person’s religious beliefs
  • Consists of genetic or biometric data used to identify an individual
  • Reveals a person’s precise geolocation
  • Was collected from a known child

How Do Controllers Remain Compliant Under the Texas Privacy Law?

To remain compliant with the TDPSA, controllers must follow several data security regulations to protect a consumer’s personal data. Under the Senate’s privacy bill, controllers must:

  • Provide consumers with a privacy policy that explicitly states what types of data are being collected or processed and the data’s intended use
  • Include a statement in their privacy policy that says, “NOTICE: We may sell your sensitive data” if they intend to sell biometric or other sensitive data
  • Practice data minimization, avoid secondary uses of data not listed in the public privacy notice, and conduct periodic data protection assessments
  • Take reasonable measures to ensure de-identified data cannot be retraced to any individual or data subject
  • Authenticate consumer requests promptly

How Can UpGuard Help Entities Achieve TDPSA Compliance?

As more and more states pass privacy legislation, businesses can expect compliance to become increasingly confusing. UpGuard offers organizations of all sizes a comprehensive cybersecurity solution to help combat this confusion, among other security concerns.

UpGuard’s Vendor Risk technology allows businesses to automate their vendor risk assessment process, receive real-time updates to their security posture, and manage compliance across all vendors in one central workflow.

UpGuard’s BreachSight technology allows businesses to proactively monitor their attack surface around the clock, gain confidence in their cybersecurity protections, and protect their organization’s reputation.

Additionally, UpGuard offers security questionnaires that can allow organizations to take stock of their vendor’s security compliance and make a plan to remediate any critical risks and vulnerabilities.

Contract Requirements Between Controllers & Processors

The state of Texas has outlined the contract requirements controllers and processors must follow under the TDPSA.

The TDPSA states controllers must:

  • Outline clear instructions for the processing of personal data
  • Indicate the purpose of all processing activities
  • Specify the types of data that are subject to processing
  • Specify the duration of processing

The TDPSA states processors must:

  • Ensure confidentiality of all personal data
  • Delete and return all data to the controller after completing the service
  • Make available all information in their possession to demonstrate compliance
  • Cooperate with data assessments scheduled by the controller
  • Restrict subcontractors to the same regulations as themselves under the contract

Enforcing the Texas Data Privacy and Security Act

Governor Greg Abbott has tasked the Texas Attorney General (AG) with enforcing the TDPSA. The AG carries out all regulatory action under the act. The TDPSA does not grant consumers a private right of action against covered entities.

If the AG’s office determines that a controller is violating the TDPSA, the AG must provide a 30-day notice to the entity. Any entity that doesn’t cure the violation within the 30-day cure period may receive a civil penalty of up to US$7,500 per violation.

Fines can add up quickly under the TDPSA; the AG tallies violations for every consumer affected. For example, if 100 consumers were affected by a particular breach, the civil penalty would be multiplied by 100.

Data Privacy Laws Around the United States

The data privacy movement currently circling the United States was primarily a response to the legislation set forth by the European Union. The EU’s General Data Protection Regulation (GDPR) set a precedent for how U.S. states would respond to controllers collecting personal data and other consumer privacy concerns.

The following states have passed comprehensive privacy protection legislation:

  • California (CCPA)
  • Colorado (CPA)
  • Connecticut (CTDPA)
  • Indiana (INCDPA)
  • Iowa (ICDPA)
  • Montana (MTCDPA)
  • Tennessee (TIPA)
  • Texas (TDPSA)
  • Utah (UCPA)
  • Virginia (CDPA)
