Texas Data Privacy and Security Act

What you need to know about the TDPSA:

To Whom Does the TDPSA Apply?

The TDPSA applies to for-profit entities that:

  • Conduct business or provide products or services to residents of Texas (consumers);
  • Process or engage in the sale of PI; and
  • Are not a small business as defined by the U.S. Small Business Administration. (Exception: under the TDPSA, small businesses may not engage in the sale of sensitive personal information without consumer consent.)

Where Does TDPSA NOT Apply?

Exempt Entities: The following entities are exempt:

  • Non-profits;
  • State government entities;
  • Higher education institutions;
  • HIPAA-covered entities;
  • GLBA-covered entities;
  • Certain state defined electric utilities.

Exempt Data: Texas exempts a long list of personal information, including but not limited to:

  • Protected Health Information (PHI) under HIPAA;
  • Data covered by the Gramm-Leach-Bliley Act;
  • Various federally and internationally protected health and patient information, including that protected by the Common Rule, human subject data, and more;
  • Various forms of credit data regulated by the Fair Credit Reporting Act; and
  • Data covered by a wide variety of other federal laws, including the Family Educational Rights and Privacy Act (FERPA), the Farm Credit Act, and the Driver’s Privacy Protection Act.

Exempt Use Cases: The TDPSA is not applicable in some circumstances, such as:

  • Processing PI in an employment or commercial (B2B) context;
  • Processing PI for emergency contact purposes; and
  • Processing PI of an individual in relation to the provision of benefits.

In addition, Texas specifies that its law should not be construed to restrict a business’s collection, use, or retention of PI for:

  • Conducting internal research for development, improvement, and repair of products, services, and technology (R&D);
  • Product recalls;
  • Identifying and repairing technical errors that impair existing or intended functionality; and
  • Performing internal operations.

Key Components of TDPSA

What Constitutes Personal Information in Texas?

The TDPSA covers “personal data,” or PI, which Texas defines as any information that is linked or reasonably linkable to an identified or identifiable individual.

The definition exempts de-identified data and information made publicly available through government records, the media, or the consumer. However, pseudonymous data combined with information that can reasonably link it to an identified or identifiable individual is covered as PI.

What Constitutes Sensitive PI?

Texas’s definition of sensitive PI consists of:

  • Racial or ethnic origin;
  • Religious beliefs;
  • Mental or physical diagnosis;
  • Sexuality (Note: most states refer to sex life or sexual orientation);
  • Citizenship or immigration status;
  • PI about a known child;
  • Precise geolocation data; and
  • Genetic or biometric data processed for identification purposes.

Any Other Categories of Data I Should Think About?

Where a controller processes de-identified data, Texas requires it to take reasonable measures to ensure the data cannot be associated with an individual, publicly commit to maintaining such data without an attempt to re-identify it, and contractually obligate any recipients of the data to comply with the TDPSA.

Additionally, Texas exempts pseudonymous data from access, correction, and deletion rights requests where the controller can show it keeps information that would allow the data to be re-identified separate and subject to technical and organizational controls that prevent its use for re-identification.

Is Consent Needed to Process Sensitive PI?

In a word: YES!

Is Consent Needed for Any Other Processing?

Parental consent is required to process PI about a known child (under 13) in accordance with COPPA.

Consent is also required prior to processing PI for purposes that are not reasonably necessary to, or compatible with, the business purpose for which the information was collected, as disclosed to the consumer.

What Needs to Be Included in the Privacy Notice?

Under the TDPSA, a privacy notice must include:

  • Categories of PI, including categories of sensitive PI, processed;
  • Business purpose for processing PI;
  • Privacy rights;
  • Methods for a consumer to exercise their privacy rights (see below) and appeal a rights decision;
  • Categories of PI shared with third parties; and
  • Categories of third parties with which PI is shared.

Specific notifications around sale of PI: Texas has unique notification requirements for businesses that sell PI.

  • Businesses that sell sensitive PI must include the following notice: “NOTICE: We may sell your sensitive personal data.”
  • Businesses that sell biometric data must include the following notice: “NOTICE: We may sell your biometric personal data.”

What Constitutes “Sale” of PI?

Texas defines “sale” to include any exchange of PI for monetary or other valuable consideration.

There are limits on the definition of “sale” to ensure that certain business functions are not unintentionally impeded by this law. Examples of activities deemed not to be a sale include: the disclosure of PI to provide a product or service requested by the consumer, the disclosure of PI to an affiliate, the disclosure of PI that the consumer intentionally made public, and the disclosure of PI as part of a merger. For more, see the statute.

How Will the TDPSA Be Enforced?

The Texas attorney general (AG) has sole enforcement authority, and the TDPSA obligates the office to create an online complaint mechanism. The AG may bring an enforcement action after providing a 30-day notice and an opportunity for the business to cure the alleged violation(s); the cure period has no sunset. Actions can be brought that seek injunctive relief (the company must stop certain behaviors) and/or civil penalties with fines up to $7,500 per violation, plus attorney’s fees, investigative costs, and any other relief the court determines appropriate.

Data Privacy is Just Good Business