Texas Data Privacy and Security Act
On June 18th, 2023, Texas passed the Texas Data Privacy and Security Act (TDPSA). It’s scheduled to take effect July 1, 2024. Like other state privacy laws, TDPSA obligates businesses that use the personal data of Texas residents to adopt specific measures:
1. Protect residents’ personal data
2. Extend certain rights to the subjects of such personal data
What You Need to Know About TDPSA
For the most part, TDPSA aligns with Colorado’s CPA and Connecticut’s CTDPA. Notably, there are no financial thresholds that define which businesses must comply with TDPSA.
TDPSA applies to you if you:
- Conduct business in Texas, or produce a product or service consumed by Texas residents, and
- Process or engage in the sale of personal data, and
- Are not a small business as defined by the U.S. Small Business Administration (small businesses are still prohibited from selling Sensitive Personal Data without prior consent).
TDPSA does not apply to:
- Texas state agencies
- Financial institutions and data subject to the Gramm-Leach-Bliley Act
- A Covered Entity or Business Associate as defined by HIPAA
- Non-profits
- Institutions of higher education
- Utility companies
To prepare for TDPSA, you should:
- Implement or update your process for receiving and responding to Individual Rights Requests (including appeals!)
- Prepare to accept a Universal Opt-Out Mechanism
- Review and update Privacy Notices to include all required information (including, if relevant, a notice about the sale of sensitive personal data and/or biometric data)
- Ensure you have consent to process Sensitive Personal Data
- Provide opt-out opportunities for the sale of Personal Data and behavioral advertising
- Review vendor contracts to ensure all required clauses are included
- Conduct Data Protection Assessments for high-risk processing activities (specifically behavioral advertising, sale of personal data, profiling, and processing of Sensitive Personal Data) that begin after the law's effective date
Key Components of TDPSA
TDPSA defines a consumer as “an individual who is a resident of this state acting only in an individual or household context.” A consumer under Texas law, like most other state laws, excludes individuals acting in a commercial or employment context.
For companies subject to TDPSA, Texas requires that certain rights be extended to individuals about whom the company has personal data. These rights generally align with those found in other state laws.
Under TDPSA, consumers have the right—with some limitations—to:
- Confirm whether a company is processing personal data about them, and access it
- Correct inaccuracies in personal data about them
- Delete personal data
- If the data is available in a digital format, get a copy of the personal data they provided in a portable and readily usable format
- Opt out of behavioral advertising (targeted ads based on user preferences)
- Opt out of any sale of personal data about them (TDPSA, like CCPA and unlike most of the more recent laws, defines ‘sale’ to include sharing in exchange for valuable consideration, not just money)
- Opt out of automated profiling that produces a significant effect
- As of January 1, 2025, use a Universal Opt-Out Mechanism to opt out of:
o The processing of personal data for targeted advertising, and
o The sale of personal data
- Appeal a business’s denial to act on any of the above rights
TDPSA requires that businesses respond to authenticated requests no later than 45 days after receipt of the request. A one-time 45-day extension is permitted if the business meets certain criteria.
Like other recently passed state data privacy laws, TDPSA requires businesses to establish an appeal process and notify consumers of the process when declining to take action on a request. If a consumer files an appeal, the business must respond within 60 days. If denying an appeal, the business must provide the consumer with an online mechanism for contacting the Texas Attorney General to file a complaint.
Notably, like the CCPA and unlike the other state privacy laws, TDPSA requires businesses to provide two or more secure and reliable methods for consumers to exercise their rights, including through the business’s website if it operates one. A business that operates exclusively online and has a direct relationship with its consumers need only provide an email address.
TDPSA is enforceable by the Texas Attorney General, with no private right of action provided. If the AG identifies any alleged violations, they must provide no less than 30 days’ notice to the business, and the business has a 30-day cure period to fix the alleged violation(s). If the violation(s) remain, the AG may bring a civil action and recover up to $7,500 per violation.
Data Protection Assessments, aka Privacy Impact Assessments
Texas, like several other states that enacted privacy laws in recent years, requires that businesses conduct Data Protection Assessments to identify and weigh the risks and benefits to all parties, as mitigated by safeguards that the business can use to reduce risk.
The TDPSA requires assessments for all activities that involve personal data and present a heightened risk of harm, namely:
- Processing of personal data for behavioral advertising
- Sale of personal data
- Processing of personal data for automated profiling that produces a significant effect
- Processing of sensitive personal data (see below for definition)
Personal data and sensitive personal data
Texas has followed the lead of the more recent laws, like those of Virginia, Colorado, Connecticut, and Indiana, by:
- Expanding the list of data elements that are considered sensitive
- Requiring businesses to have consent to collect and use Sensitive Personal Data.
Texas also goes one step further, requiring specific notice if a business sells Sensitive Personal Data, particularly biometric data.
Under TDPSA, “Sensitive Personal Data” includes information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status; genetic or biometric data that is processed for the purpose of uniquely identifying an individual; personal data collected from a known child; and precise geolocation data.
Pseudonymous Data
Texas’s approach to ‘Pseudonymous Data’ differs from what we’ve seen with other state privacy laws, and the EU’s GDPR.
Pseudonymous Data is defined as “personal data that cannot be attributed to a specific individual without the use of additional information, provided that the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.”
Texas departs from GDPR in that TDPSA excludes Pseudonymous Data from many of the requirements applicable to Personal Data so long as it remains pseudonymized.
Whereas other state laws—including, to varying degrees, Virginia, Utah, and Indiana—make certain exceptions for de-identified and pseudonymous data, Texas goes a step further by implicitly excluding Pseudonymous Data from the definition of Personal Data.
To put a fine point on it, GDPR includes Pseudonymous Data (called “Pseudonymised Data” in EU parlance) within the definition and under the umbrella of Personal Data, applying all requirements and restrictions applicable to Personal Data to Pseudonymous Data because of the potential for it to be re-identified. For most of the requirements of TDPSA, this is not the case.
This exclusion may present a real opportunity for many businesses: if a business has processes for which direct identifiers (name, contact information, customer number, etc.) are not necessary, removing those identifiers from the business processes and systems involved could place the remaining data outside the purview of the TDPSA. The exclusion holds only for as long as the additional information needed to re-identify the data is actually kept separately and protected by appropriate technical and organizational measures, as the definition requires.
To reiterate: Pseudonymous Data on its own is not considered Personal Data for many of the requirements under the TDPSA.
Like recent state privacy laws in Virginia and some other states, under TDPSA, a business does not need to include pseudonymous data in its response to Individual Rights Requests.
One of the most common uses of pseudonymous data is in the clinical trial context, where each trial participant is assigned a random ID that stands in for their actual identity (their actual identity is only known to medical staff and not the sponsor/manufacturing company, labs, and other supporting entities).
Can Pseudonymous Data Help My Company?
Other types of organizations may want to consider whether they can store customer data in a pseudonymized way, especially those that already assign identifiers through, for example:
- Loyalty or participation rewards programs such as frequent flier/renter/buyer/guest numbers
- Membership IDs (like libraries and fitness centers)
- Player ID (for online and mobile games)
By separating identifying data (such as contact information and payment details) from other information (such as company-specific identifiers, transactional history, profile information, etc.), a company may be able to decrease its burden in responding to individual rights requests by limiting the data and databases to which the requests must be applied.
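The separation described above, as an added illustration that is not part of the original article: direct identifiers live in an "identity vault" that also holds the random pseudonym assigned to each member (the clinical-trial model mentioned earlier), while the transaction history is stored under the pseudonym alone. The member IDs, names, e-mail addresses and events are constructed sample data; the class and function names are this example's own, not from any statute or product.

```python
import secrets
from typing import Optional

# Constructed sample data for this example; none of these people are real.
SAMPLE_MEMBERS = [
    ("M-1001", "Ada Example", "ada@example.com"),
    ("M-1002", "Bob Sample", "bob@example.net"),
]
SAMPLE_EVENTS = [
    ("M-1001", {"type": "purchase", "sku": "BOOK-42", "amount": 18.50}),
    ("M-1001", {"type": "checkin", "location": "store-7"}),
    ("M-1002", {"type": "purchase", "sku": "BOOK-17", "amount": 9.99}),
]


class IdentityVault:
    """Direct identifiers plus the member-id -> pseudonym link.

    This is the 'additional information' that must be kept separately and
    protected. In production it would be its own service or database with its
    own access controls, not a class in the same process as the analytics store.
    """

    def __init__(self) -> None:
        self._records: dict[str, dict[str, str]] = {}

    def enroll(self, member_id: str, name: str, email: str) -> str:
        # A random token, not a hash of the member id: member numbers and e-mail
        # addresses are low-entropy, so SHA-256(member_id) could be reversed by
        # hashing every plausible value. A random link can only be followed
        # by whoever holds this vault record.
        pseudonym = secrets.token_hex(16)
        self._records[member_id] = {"name": name, "email": email, "pseudonym": pseudonym}
        return pseudonym

    def pseudonym(self, member_id: str) -> Optional[str]:
        rec = self._records.get(member_id)
        return rec["pseudonym"] if rec else None

    def identifiers(self, member_id: str) -> Optional[dict[str, str]]:
        rec = self._records.get(member_id)
        return {"name": rec["name"], "email": rec["email"]} if rec else None

    def erase(self, member_id: str) -> bool:
        return self._records.pop(member_id, None) is not None


class PseudonymousStore:
    """Event history keyed only by pseudonym; must never hold direct identifiers."""

    DIRECT_IDENTIFIER_FIELDS = frozenset({"name", "email", "phone", "member_id"})

    def __init__(self) -> None:
        self._events: dict[str, list[dict]] = {}

    def record(self, pseudonym: str, event: dict) -> None:
        leaked = self.DIRECT_IDENTIFIER_FIELDS & event.keys()
        if leaked:
            # One event carrying an e-mail address next to the pseudonym re-links
            # the entire history, so refuse it rather than store it.
            raise ValueError(f"direct identifiers not allowed here: {sorted(leaked)}")
        self._events.setdefault(pseudonym, []).append(dict(event))

    def events_for(self, pseudonym: str) -> list[dict]:
        return list(self._events.get(pseudonym, []))

    def event_count(self) -> int:
        return sum(len(v) for v in self._events.values())


def build_sample() -> tuple[IdentityVault, PseudonymousStore]:
    vault, store = IdentityVault(), PseudonymousStore()
    for member_id, name, email in SAMPLE_MEMBERS:
        vault.enroll(member_id, name, email)
    for member_id, event in SAMPLE_EVENTS:
        store.record(vault.pseudonym(member_id), event)
    return vault, store


def access_request(vault: IdentityVault, member_id: str) -> Optional[dict[str, str]]:
    """Answered from the vault alone; the pseudonymous history is not part of it."""
    return vault.identifiers(member_id)


def deletion_request(vault: IdentityVault, store: PseudonymousStore, member_id: str) -> int:
    """Erase the direct identifiers and the link. The pseudonymous events remain
    but can no longer be attributed to anyone. Returns how many were left behind."""
    pseudonym = vault.pseudonym(member_id)
    vault.erase(member_id)
    return len(store.events_for(pseudonym)) if pseudonym else 0


def reidentify(vault: IdentityVault, store: PseudonymousStore, member_id: str) -> Optional[list[dict]]:
    """The join only the vault holder can perform; None once the link is gone."""
    pseudonym = vault.pseudonym(member_id)
    return store.events_for(pseudonym) if pseudonym else None


if __name__ == "__main__":
    v, s = build_sample()
    print(access_request(v, "M-1001"))
    print(deletion_request(v, s, "M-1001"), "events remain, now unattributable")
    print(reidentify(v, s, "M-1001"))
```

Two cautions apply when using this pattern to narrow the scope of a rights request. First, the field check in the store only catches obvious leaks; quasi-identifiers such as precise location, timestamps or rare purchases can still make a record reasonably linkable to a person, so the schema of the pseudonymous store needs review, not just a blocklist. Second, the exclusion depends on the vault being genuinely separate (different credentials, different access policy, ideally a different system), since a pseudonym sitting in the same database as the name it maps to is not kept "separately" in any meaningful sense.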
As mentioned, this treatment of Pseudonymous Data is distinctly different from GDPR, and it will be interesting to see whether other states adopt Texas’s approach.
Data Privacy is Just Good Business
Managing privacy compliance with all the new state privacy laws popping up in the U.S. might seem like a daunting task. But just because the task appears daunting doesn’t mean it’s impossible to handle.
You don’t have to go at it alone! With the right support, you can make data privacy measures a sustainable part of your daily operations. That’s where Red Clover Advisors comes in – to deliver practical, actionable, business-friendly privacy strategies to help you achieve data privacy compliance and establish yourself as a consumer-friendly privacy champion that customers will appreciate.