The Texas Data Privacy and Security Act (TDPSA) is a comprehensive privacy law that was passed on June 19, 2023 and will take effect partly on July 1, 2024 and partly on January 1, 2025.

The Texas TDPSA is similar to privacy laws in U.S. states such as Virginia, Colorado, and Connecticut. But there are some crucial differences, and Texas has arguably passed the most distinctive state privacy law outside of California.

This article provides an overview of every aspect of the Texas TDPSA, including who the law applies to, what it requires, how it will affect online advertising, and how businesses can meet their obligations and avoid enforcement action.


When Does the Texas Data Privacy and Security Act (TDPSA) Take Effect?

Most parts of the Texas Data Privacy and Security Act (TDPSA) will take effect from July 1, 2024. Certain rules around online tracking will take effect from January 1, 2025.

A review process might lead to changes in the law. The review period runs from January 1, 2025, to September 1, 2025.

Who Does the Texas Data Privacy and Security Act (TDPSA) Apply to?

The Texas Data Privacy and Security Act (TDPSA) applies to any company conducting business in Texas that processes personal data (defined below) unless covered by an exemption.

Under the Texas TDPSA, there's no minimum number of consumers whose personal data a business must process before it's covered by the law.

However, "small businesses" are exempt from most obligations.

Does the Texas Data Privacy and Security Act (TDPSA) Apply to Small Businesses?

As noted above, small businesses are exempt from most obligations under the Texas Data Privacy and Security Act (TDPSA).

The definition of a "small business" under the Texas TDPSA is tied to the United States Small Business Administration (SBA)'s definition. At present, the SBA defines a small business as "an independent business having fewer than 500 employees."

The Texas TDPSA has only one requirement for "small businesses": getting consent before selling sensitive data. We'll look at what this means below.

What Businesses are Exempt From the Texas Data Privacy and Security Act (TDPSA)?

Businesses meeting the following descriptions are not covered by the Texas TDPSA:

  • Non-profits
  • State agencies
  • Financial institutions under the Gramm-Leach-Bliley Act (GLBA)
  • "Covered entities" and "business associates" under the federal Health Insurance Portability and Accountability Act (HIPAA)
  • Utilities and other energy-related companies covered by Section 31.002 of the Texas Utilities Code

The law also does not cover personal data processed in the context of employment or business-to-business communications.

Key Definitions of the Texas Data Privacy and Security Act (TDPSA)

Now let's explore some of the Texas TDPSA's key definitions to help you determine whether you're covered by the law or have any obligations under it.

What is Personal Data Under the Texas Data Privacy and Security Act (TDPSA)?

Personal data means any information that is "linked or reasonably linkable to an identified or identifiable individual."

The definition excludes "de-identified data" and "publicly available information". However, "personal data" includes "pseudonymous data" under some conditions.

"Processing" personal data means collecting it, storing it, sharing it, deleting it, or performing any other "operation" on it.

What is Sensitive Data Under the Texas Data Privacy and Security Act (TDPSA)?

The Texas TDPSA defines "sensitive data" as the following types of information:

  • Personal data revealing:

    • Racial or ethnic origin
    • Religious beliefs
    • Mental or physical health diagnosis
    • Sexuality
    • Citizenship or immigration status.
  • Biometric or genetic data processed for the purpose of uniquely identifying an individual.
  • Personal data collected from a known child.
  • Precise geolocation data (location data accurate within a radius of 1,750 feet).

What is Pseudonymous Data Under the Texas Data Privacy and Security Act (TDPSA)?

The Texas TDPSA's "personal data" definition includes "pseudonymous data." This means data such as cookie IDs, mobile IDs, and other unique IDs can be "personal data" under the law.

To "pseudonymize" personal data means removing the identifiers from a data set, and storing them separately and securely. A person cannot identify individuals from pseudonymized data unless they have access to the additional information.

Under the Texas TDPSA, pseudonymized data is only personal data when processed by someone who has access to the additional information and who could combine it with the pseudonymized data to identify individuals.

Remember that "identifying" a person doesn't necessarily mean figuring out their offline identity or full name. Identifying someone could mean singling them out or tracking their activities in different contexts.

What are Data Controllers and Data Processors Under the Texas Data Privacy and Security Act (TDPSA)?

The Texas TDPSA focuses on two types of organizations:

  • Data Controller: An entity that "determines the purpose and means of processing personal data". This means deciding why and how to process personal data (e.g., to deliver your services to consumers).
  • Data Processor: An entity that processes personal data on behalf of a controller. Common types of processors include cloud service providers, email marketing companies, and cookie consent platforms.

Most responsibilities under the Texas TDPSA fall on data controllers.

Data controllers may only share personal data with processors subject to a compliant and legally binding agreement. We'll explain this obligation below.

What is Consent Under the Texas Data Privacy and Security Act (TDPSA)?

Consent under the Texas Data Privacy and Security Act (TDPSA) means a "clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer."

"Consent" does not include:

  • The acceptance of a broad Terms and Conditions or similar agreement that may include some information about how personal data is processed alongside a lot of unrelated information
  • Hovering over or muting a piece of content
  • Agreement obtained via dark patterns (manipulative design)

Parents or guardians can exercise and provide consent on behalf of their children.

What Consumer Rights Does the Texas Data Privacy and Security Act (TDPSA) Grant?

Under the Texas Data Privacy and Security Act (TDPSA), consumers have the right to:

  • Confirm whether a controller is processing their personal data
  • Access their personal data
  • Correct inaccuracies in their personal data, considering:

    • The nature of the personal data
    • The purposes of the processing
  • Delete their personal data, whether the controller obtained the personal data from the consumer or from another source.
  • Obtain a copy of any personal data they provided to the controller in a portable and, if possible, machine-readable format, enabling the consumer to transfer the data to another controller.
  • Opt out of:

    • The sale of their personal data
    • Targeted advertising
    • Profiling "in furtherance of decisions that produce legal or similarly significant effects"

Parents or guardians can exercise these rights on behalf of their children.

How Does the Texas Data Privacy and Security Act (TDPSA) Affect Your Privacy Policy?

Under the Texas Data Privacy and Security Act (TDPSA), data controllers must publish a Privacy Policy (or Privacy Notice) explaining how personal data is processed.

Your Privacy Policy must explain:

  • Which types of personal data the controller processes
  • Which types of sensitive data the controller processes
  • The controller's purposes for processing personal data
  • What consumer rights are available under the Texas TDPSA, and the methods provided by the controller enabling consumers to exercise their rights
  • The controller's consumer rights appeal process
  • Which types of personal data the controller shares with third parties
  • The types of third parties with whom the controller shares personal data

How Do You Comply With the Texas Data Privacy and Security Act (TDPSA)?

Here are the details on what you need to do to comply with the Texas Data Privacy and Security Act (TDPSA).

Update Your Privacy Policy

Your Privacy Policy must disclose the following, noted above:

  • Which types of personal data the controller processes
  • Which types of sensitive data the controller processes
  • The controller's purposes for processing personal data
  • What consumer rights are available under the Texas TDPSA, and the methods provided by the controller enabling consumers to exercise their rights
  • The controller's consumer rights appeal process
  • Which types of personal data the controller shares with third parties
  • The types of third parties with whom the controller shares personal data

Here's an example of a Privacy Policy clause that discloses the types of personal data collected:

Screenshot: Electrolux Data Privacy Statement, "The types of personal data we collect" clause

Here's an example of how you can disclose what rights users have, and how they can exercise them:

Screenshot: IBM Privacy Statement, "Your Rights" clause

And here's an example of a clause that discloses what types of data are disclosed to what types of third parties:

Screenshot: NeuBase Privacy Policy, "Will Your Information Be Shared With Anyone" clause, "Vendors, consultants and other third party service providers" section

A Texas TDPSA Privacy Policy must be "reasonably accessible, clear, and meaningful."

Under certain circumstances, a controller must include additional disclaimers in its Texas TDPSA Privacy Policy:

  • Any controller that sells sensitive data must include a disclaimer reading: "NOTICE: We may sell your sensitive personal data."
  • Any controller that sells biometric information must include a disclaimer reading: "NOTICE: We may sell your biometric personal data."

Facilitate Consumer Rights Requests Under the Texas Data Privacy and Security Act (TDPSA)

Controllers must facilitate consumer rights requests. Here are some of the rules:

  • Controllers must set up two or more "secure and reliable" methods for submitting consumer rights requests (for example, a web form and a dedicated email address).
  • Controllers may not charge a fee for facilitating a consumer rights request unless the request is "manifestly unfounded, excessive, or repetitive", in which case the controller may charge a reasonable administrative fee.
  • Consumers can submit a request at least once every 12 months.
  • Controllers must respond to a request within 45 days. A 45-day extension is available where reasonably necessary, provided the controller notifies the consumer within the original deadline.
  • Controllers must set up an appeals process for consumers who are unhappy with the handling of their request. Controllers must respond to appeals within 60 days.
  • Consumers can complain to the Texas Attorney General if they are unhappy with the outcome of an appeal.

Provide a Way to Opt Out of Selling of Personal Data

Under the Texas TDPSA, consumers may opt out of the "sale" of their personal data.

A "sale" of personal data is "the exchange of personal data for monetary or other valuable consideration by the controller to a third party."

So, exchanging personal data with a third party for virtually any benefit (not just money) can constitute a "sale." This might include sharing personal data for purposes such as targeted advertising.

A "sale" does not include sharing personal data:

  • With a processor
  • To provide a service requested by the consumer
  • With the controller's affiliate
  • That the consumer intentionally made public without restricting it to a specific audience
  • As an asset during a merger or acquisition

Provide a Way to Opt Out of Targeted Advertising

Under the Texas TDPSA, consumers may opt out of targeted advertising. "Targeted advertising" means displaying an online ad to a consumer, if:

  • The ad is chosen based on the consumer's personal data
  • The personal data is obtained from the consumer's activities:

    • Over time, and
    • Across non-affiliated websites or applications
  • The personal data is used to predict the consumer's preferences or interests

From January 1, 2025, controllers will need to configure their websites and apps to turn off targeted ads if the consumer's device or browser sends a "global opt-out" signal, such as the Global Privacy Control (GPC).

Controllers will not need to honor opt-out signals that are "identical" to those used to opt out of targeted advertising under other laws, such as the California Consumer Privacy Act (CCPA) or the Colorado Privacy Act (CPA).
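The opt-out signal discussed above is a concrete thing a website can check for. As an added example (not code from the original article or from any consent platform it mentions), the following server-side JavaScript detects the Global Privacy Control signal, which browsers send as the HTTP request header `Sec-GPC: 1`, and combines it with a controller's own record of an explicit opt-out to decide whether targeted advertising may be served. The `selectAdMode` function, the "targeted"/"contextual" mode names, and the sample request headers are this example's own assumptions.

```javascript
// Added example: honoring a Global Privacy Control (GPC) opt-out signal.
// The GPC specification defines the request header "Sec-GPC" with the value "1"
// as the only valid opt-out signal; anything else is treated as no signal.

function gpcSignalPresent(headers) {
  // Accept either a plain object of header names to values or a Fetch-style
  // Headers instance. HTTP header names are case-insensitive, so match loosely.
  let raw;
  if (headers && typeof headers.get === "function") {
    raw = headers.get("sec-gpc");
  } else if (headers) {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === "sec-gpc");
    raw = key === undefined ? undefined : headers[key];
  }
  return raw !== undefined && raw !== null && String(raw).trim() === "1";
}

// Decide which kind of advertising the page may load for this request.
// consumerOptedOut: true when the controller already holds an opt-out
// submitted through one of its request methods (web form, email, etc.).
// Either an explicit opt-out or a GPC signal switches targeted ads off;
// contextual ads (chosen from page content, not the consumer's cross-site
// activity) remain available.
function selectAdMode(headers, consumerOptedOut) {
  if (consumerOptedOut || gpcSignalPresent(headers)) {
    return "contextual";
  }
  return "targeted";
}

// Constructed sample requests for a stand-alone run.
const sampleRequests = [
  { label: "browser with GPC enabled", headers: { "Sec-GPC": "1" }, optedOut: false },
  { label: "browser without GPC", headers: { "User-Agent": "demo" }, optedOut: false },
  { label: "no GPC, but opt-out on file", headers: {}, optedOut: true },
  { label: "malformed signal value", headers: { "sec-gpc": "yes" }, optedOut: false },
];

for (const req of sampleRequests) {
  console.log(`${req.label}: ${selectAdMode(req.headers, req.optedOut)}`);
}
```

The header check is the part that changes on January 1, 2025; the explicit opt-out branch is the ordinary consumer-rights-request path that applies from July 1, 2024. Logging which branch switched targeting off gives you the record to show the Attorney General that signals were honored.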

Provide a Way to Opt Out of Profiling

Consumers may opt out of "profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer."

This right allows a consumer to stop controllers making important decisions about the consumer without human intervention.

"Profiling" means:

  • "Solely automated" (i.e., entirely computer or AI-driven) processing
  • Performed on personal data
  • To "evaluate, analyze, or predict" a consumer's:

    • Economic situation
    • Health
    • Personal preferences
    • Interests
    • Reliability
    • Behavior
    • Location
    • Movements

A decision based on profiling that produces "a legal or similarly significant effect" is used to provide or deny a consumer any of the following:

  • Financial and lending services
  • Housing, insurance, or health care services
  • Education enrollment
  • Employment opportunities
  • Criminal justice
  • Access to basic necessities, such as food and water

Obtain Consent When Required

Under the Texas TDPSA, you must obtain consent in three specific circumstances:

  1. To process the personal data of a child under the age of thirteen
  2. To process personal data for purposes that are not "reasonably necessary" or "compatible with the disclosed purposes for which the personal data was processed initially"
  3. To process sensitive personal data

Small businesses need consent before "selling" sensitive data. This is the only Texas TDPSA obligation for a small business.

When obtaining consent, we suggest using a checkbox next to an "I Agree" or "I Consent" statement. This ensures that you obtain unambiguous consent that you can keep a legal record of.

Here's an example of this:

Screenshot: Harrods Rewards Program registration form, communication consent checkbox
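To show how the consent definition (a clear affirmative act that is freely given, specific and informed, and not hovering, muting or a dark pattern) translates into the checkbox approach suggested above, here is an added example in JavaScript. It is not code from the original article or from any site shown in it: the event shape, the rejection rules (pre-checked boxes and passive events are refused) and the record fields are this example's own design choices for producing the "legal record" the text recommends keeping.

```javascript
// Added example: accept only a clear affirmative act as consent and keep an
// auditable record of it. Assumed input shape:
//   { subjectId, eventType, checked, defaultChecked, purpose, noticeVersion }

// DOM event types that represent a deliberate act by the consumer. Hovering
// (mouseover) or muting a video (volumechange) is not in this set, so those
// events can never produce a consent record.
const AFFIRMATIVE_EVENTS = new Set(["click", "change", "submit", "keydown"]);

function validateConsentEvent(event) {
  const problems = [];
  if (!AFFIRMATIVE_EVENTS.has(event.eventType)) {
    problems.push("not an affirmative act (hover, mute or other passive event)");
  }
  // A box that was already ticked when the form loaded is a dark pattern:
  // the consumer did not freely give anything by leaving it alone.
  if (event.defaultChecked) {
    problems.push("checkbox was pre-checked, so agreement was not freely given");
  }
  if (!event.checked) {
    problems.push("checkbox was not ticked");
  }
  // "Specific": the record must name what the consumer agreed to.
  if (typeof event.purpose !== "string" || event.purpose.trim() === "") {
    problems.push("no specific purpose stated");
  }
  // "Informed": tie the act to the version of the notice shown at the time.
  if (!event.noticeVersion) {
    problems.push("no privacy notice version recorded");
  }
  return problems;
}

// Returns { ok: true, record } for valid consent, or { ok: false, problems }.
// The clock is injectable so the timestamp is testable and reproducible.
function recordConsent(event, clock = () => new Date()) {
  const problems = validateConsentEvent(event);
  if (problems.length > 0) {
    return { ok: false, problems };
  }
  return {
    ok: true,
    record: {
      subjectId: event.subjectId,
      purpose: event.purpose.trim(),
      noticeVersion: event.noticeVersion,
      eventType: event.eventType,
      consentedAt: clock().toISOString(),
    },
  };
}

// Constructed sample events for a stand-alone run.
const samples = [
  { subjectId: "u-1", eventType: "click", checked: true, defaultChecked: false,
    purpose: "marketing emails", noticeVersion: "2024-07" },
  { subjectId: "u-2", eventType: "mouseover", checked: true, defaultChecked: false,
    purpose: "marketing emails", noticeVersion: "2024-07" },
  { subjectId: "u-3", eventType: "click", checked: true, defaultChecked: true,
    purpose: "marketing emails", noticeVersion: "2024-07" },
];

for (const s of samples) {
  console.log(s.subjectId, JSON.stringify(recordConsent(s)));
}
```

Storing the returned record (rather than just a boolean) is what lets you later prove which purpose and which notice version the consumer agreed to, which matters when the consumer exercises the right to confirm or delete, or when the Attorney General asks how consent for sensitive data was obtained.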

Have Data Processing Agreements in Place

A data controller must have a legally binding agreement in place before sharing personal data with a processor. The data processor must adhere to the terms of this agreement.

The Texas TDPSA sets out specific clauses that must be included in a data processing agreement, including the following:

  • Instructions and guidelines on how data is to be processed
  • Information about the types of data that are to be processed
  • A prohibition on the processor using the data for its own purposes and in any way not outlined in the agreement

Here's an excerpt from a data processing agreement that sets out the limits to how data can be processed, and for what explicit purposes:

Screenshot: University of Washington DPA, "Purpose and Limits" section

These agreements will also include clauses on how security and data breaches are to be handled, and other parameters for the relationship between the parties.

Here's an example of how the topic of data breaches can be addressed in a data processing agreement:

Screenshot: University of Washington DPA, "Data breach response" section

Conduct Data Protection Assessments

A controller must conduct a data protection assessment before conducting certain activities, including:

  • Targeted advertising
  • Selling personal data
  • Profiling that could result in a "reasonably foreseeable risk" of:

    • Unfair or deceptive treatment
    • Offensive intrusion upon the consumer's privacy
    • Financial, physical, reputational, or any other substantial injury
  • Processing sensitive data
  • Any other processing presenting "a heightened risk of harm to consumers"

A data protection assessment involves:

  • Identifying the benefits of the intended activities
  • Weighing the benefits against the risks
  • Taking any reasonable mitigations into account

Controllers must document the data protection assessment. The Texas Attorney General can request a copy of the assessment.

Engage in Data Minimization and Purpose Limitation

The Texas TDPSA requires data controllers to:

  • Limit the processing of personal data to that which is adequate, relevant, and reasonably necessary for a disclosed purpose.
  • Implement reasonable security measures to protect the confidentiality, accessibility, and integrity of the personal data.
  • Not process personal data in unlawful or discriminatory ways or in a way that is incompatible with the purpose for which the personal data was collected (unless the consumer has provided consent).

Who is Responsible for Enforcement of the Texas Data Privacy and Security Act (TDPSA)?

If a controller or processor violates the Texas TDPSA, the Texas Attorney General can bring a case against the controller or processor in court.

However, before bringing a case, the Attorney General must give the controller or processor 30 days' notice. If the controller can "cure" its alleged violation within 30 days, the Attorney General must drop the case.

Only the Attorney General can bring a case under the Texas TDPSA. The Texas TDPSA does not provide a private right of action, meaning that consumers cannot sue a controller or processor merely for violating the law.

What are the Penalties for Not Complying With the Texas Data Privacy and Security Act (TDPSA)?

Civil penalties under the Texas Data Privacy and Security Act (TDPSA) can reach up to $7,500 per violation, plus costs. Each individual consumer affected by a violation is likely to count as a separate violation.

Summary

Here's an overview of what the Texas Data Privacy and Security Act (TDPSA) requires:

  • Publish a Texas TDPSA-compliant Privacy Policy
  • Facilitate consumer rights to access, correct, delete, and obtain a copy of personal data
  • Comply with requests to opt out of the sale of personal data, targeted advertising, and certain forms of profiling
  • Obtain consent when required
  • Always create a data processing agreement when working with data processors
  • Conduct data protection assessments before conducting risky processing activities
  • Do not collect more data than necessary for a disclosed purpose
  • Implement reasonable security measures to protect personal data
