Texas Data Privacy and Security Act: Does It Apply to Your Organization?

In the rapidly evolving landscape of data privacy legislation across the United States, businesses are grappling to stay ahead of the curve, often feeling overwhelmed by the frequent updates and changes. As businesses wade through these legislative waters, their primary concern is understanding which laws apply to them directly, and more importantly, how these laws impact their operations and customer interactions.

With this in mind, we're going to dissect the newly enacted Texas Data Privacy and Security Act (TDPSA), providing a clear and concise upfront assessment of its relevance to your business. If you find this law pertinent to your operations, you're encouraged to read on to gain a comprehensive understanding of the key responsibilities it imposes on data controllers and processors.

Does the TDPSA Apply to My Organization? An Applicability Exercise.

Here is an at-a-glance applicability exercise to determine if the law applies to your organization.

Step 1: Does your organization collect and process personal data?

  • If NO, the law does not apply to your organization.
  • If YES, proceed to Step 2.

Step 2: Does your organization conduct business in Texas or produce products or services consumed by residents of Texas?

  • If NO, the law does not apply to your organization.
  • If YES, proceed to Step 3.

Step 3: Is the personal data collected by your organization from Texas residents who are acting in an individual or household context (i.e., consumers), and not in a business-to-business (B2B) or employment setting?

  • If NO, the law does not apply to your organization.
  • If YES, proceed to Step 4.

Step 4: Is your organization classified as a "small business" as defined by the United States Small Business Administration (SBA)?

  • If YES, the law generally does not apply to your organization, unless your small business processes personal data and engages in the sale of sensitive data. In that case, your organization would still need to obtain prior consent from consumers before selling their sensitive data.
  • If NO, proceed to Step 5.

Step 5: Is your organization exempt because it falls into one of the following categories: non-profit, healthcare entity subject to HIPAA, institution of higher education, utility provider, or financial institution under the Gramm-Leach-Bliley Act?

  • If YES, the law does not apply to your organization.
  • If NO, the TDPSA applies to your organization.

Remember, this applicability exercise may not cover all scenarios, but it's a helpful at-a-glance check for most situations.

Consumer Rights

The TDPSA grants Texas residents a variety of rights concerning their personal data. These include the right to know if a controller is processing their personal data, to receive a portable copy of their personal data, to request deletion and correction of their personal data, and to opt out of the sale of personal data, targeted advertising, and profiling. The law also introduces a mechanism for consumers to appeal refusals of their rights requests.

Moreover, the law requires consent to be obtained for collecting sensitive personal data and data from users under the age of 13. It also imposes limitations on geolocation collection without consent.

Controller Obligations

Under the TDPSA, entities controlling data, referred to as "controllers," must adhere to a set of obligations. These include providing consumers with a privacy notice, limiting the collection of personal data to what is adequate and relevant, safeguarding personal data, and obtaining consent before processing sensitive personal data.

Controllers also need to practice data minimization, ensuring they only use personal data as reasonably necessary and avoiding secondary uses. High-risk processing activities, such as the sale of personal data, processing of sensitive data, or processing that presents a heightened risk of harm to consumers, must undergo data protection assessments.

Compliance Checklist for the Texas Data Privacy and Security Act

Here is an at-a-glance compliance checklist for the TDPSA. This is not comprehensive, but covers the main points.

  1. Determine Applicability: Determine whether your organization falls under the purview of the TDPSA, that is, whether you conduct business in Texas or produce a product or service consumed by Texas residents and process or sell personal data.
  2. Identify Personal Data: Identify what personal data your organization collects, where it comes from, where it is stored, and with whom it is shared.
  3. Consumer Rights Compliance: Implement procedures to handle requests from consumers to access, correct, delete, or port their personal data, or to opt out of the sale of their personal data, targeted advertising, and profiling.
  4. Consent for Sensitive Personal Data: Establish a mechanism to obtain explicit consent before collecting or processing sensitive personal data or data from users under age 13.
  5. Implement Data Minimization Practices: Ensure that your organization only collects personal data that is adequate, relevant, and reasonably necessary for the purposes for which it was collected.
  6. Privacy Notice: Update your organization's website privacy notice to comply with TDPSA requirements, including the necessary disclosures about the collection, use, sharing, and sale of personal data.
  7. Security Measures: Implement reasonable security measures to protect personal data from unauthorized access, disclosure, or use.
  8. Data Protection Assessment: Conduct data protection assessments for high-risk processing activities, such as the sale of personal data, processing of sensitive data, or processing that presents a heightened risk of harm to consumers.
  9. Vendor Management: Review and update contracts with third-party vendors who process personal data on your behalf to ensure they meet TDPSA requirements.
  10. Employee Training: Train employees about the provisions of the TDPSA and their role in ensuring compliance, particularly those who handle personal data.
  11. Prepare for Enforcement: Develop a process to respond to and cure potential violations within the 30-day window provided under the TDPSA.

Enforcement and Penalties

Enforcement of the TDPSA rests solely with the Texas Attorney General. Controllers found in violation of the TDPSA will be given a 30-day notice and opportunity to cure the violation. Failure to cure within this period may result in a civil penalty of up to $7,500 per violation.

Moving Forward

As more states pass comprehensive privacy laws, it is important for businesses to implement a systematic and harmonized approach to privacy compliance. The TDPSA, considered by some as one of the stronger privacy laws in the country, is hoped to serve as a model for other states to follow. With Texas showing its desire to extend privacy rights to Texans, this may well signal a new direction for other privacy laws across the nation.
