Texas Data Privacy and Security Act

Texas has a rich history, from the prehistoric Clovis culture, which shared the landscape with ice age mammals like giant sloths and dire wolves, to cowboys with 10-gallon hats wrangling Longhorn cattle to today’s booming technology industry that’s spread across Austin, San Antonio, Dallas, and beyond.

But it’s not just its vibrant history that distinguishes Texas. The Lone Star State currently has the second highest population and GDP in the United States, second only to California.

For good reason, they say that everything is bigger in Texas. The latest big development? The Texas Data Privacy and Security Act (TDPSA).

Texas’s New Consumer Data Privacy Law

On June 18th, 2023, Texas passed the Texas Data Privacy and Security Act (TDPSA). It’s scheduled to take effect July 1, 2024. Like other state privacy laws, TDPSA obligates businesses that use the personal data of Texas residents to adopt specific measures:

1. Protect residents’ personal data
2. Extend certain rights to the subjects of such personal data

Learn more about each state’s regulations with RCA’s state privacy law map.

What You Need to Know About TDPSA

Does TDPSA apply to you?

For the most part, TDPSA aligns with Colorado’s CPA and Connecticut’s CTDPA. Notably, there are no financial thresholds that define which businesses must comply with TDPSA.

TDPSA applies to you if you:

Are a business that conducts business in the state, or
Are a business that produces a product or service consumed by residents of the state, and
Process or engage in the sale of personal data, and
Are not a small business as defined by the U.S. Small Business Administration

(EXCEPT that small businesses are not permitted to sell Sensitive Personal Data without prior consent).

When does the TDPSA NOT apply?

TDPSA does not apply to:

Texas state agencies
Financial institutions and data subject to the Gramm-Leach-Bliley Act
A Covered Entity or Business Associate as defined by HIPAA
Non-profits
Institutions of higher education
Utility companies

How to Prepare for TDPSA

Implement or update your process for receiving and responding to Individual Rights Requests (including appeals!)
Prepare to accept a Universal Opt-Out Mechanism
Review and update Privacy Notices to include all required information (including, if relevant, a notice about the sale of sensitive personal data and/or biometric data)
Ensure you have consent to process Sensitive Personal Data
Provide opt-out opportunities for the sale of Personal Data and behavioral advertising
Review vendor contracts to ensure all required clauses are included
Conduct Data Protection Assessments on high-risk activities (specifically including behavioral advertising, sale of personal data, profiling, and processing of Sensitive Personal Data) generated after the effective date of the law

TDPSA is currently slated to take effect July 1, 2024.

Key Components of TDPSA

Who is a consumer?

TDPSA defines a consumer as “an individual who is a resident of this state acting only in an individual or household context.” A consumer under Texas law, like most other state laws, excludes individuals acting in a commercial or employment context.

What rights do consumers have under TDPSA?

For companies subject to TDPSA, Texas requires that certain rights be extended to individuals about whom the company has personal data. These rights generally align with those found in other state laws.

Under TDPSA, consumers have the right—with some limitations—to:

Confirm whether a company is processing personal data about them, and access it
Correct inaccuracies in personal data about them
Delete personal data
If the data is available in a digital format, get a copy of the personal data they provided in a portable and readily usable format
Opt-out of behavioral advertising (targeted ads based on user preferences)
Opt-out of any sale of personal data about them (TDPSA, like CCPA and unlike most of the more recent laws, defines ‘sale’ to include sharing in exchange for valuable consideration, not just money)
Out-out of automated profiling that produces a significant effect
As of January 1, 2025, use a Universal Opt-Out Mechanism to opt out of
o The processing of personal data for targeted advertising, and
o The sale of personal data
Appeal a business’s denial to act on any of the above rights

TDPSA requires that businesses respond to authenticated requests no later than 45 days after receipt of the request. There is a permissible 1-time 45-day extension if the business meets certain criteria.

Like other recently passed state data privacy laws, TDPSA requires businesses to establish an appeal process and notify consumers of the process when declining to take action on a request. If a consumer files an appeal, the business must respond within 60 days. If denying an appeal, the business must provide the consumer with an online mechanism for contacting the Texas Attorney General to file a complaint.

Notably, like the CCPA—and unlike the other state privacy laws—TDPSA requires businesses to establish at least two secure and reliable methods for consumers to exercise their rights, including via its website if the business operates a website. For businesses operating solely online and that have a direct relationship with their customers, only an email address is required.

How will TDPSA be Enforced?

TDPSA is enforceable by the Texas Attorney General, with no private right of action provided. If the AG identifies any alleged violations, they must provide no less than 30 days’ notice to the business, and the business has a 30-day cure period to fix the alleged violation(s). If the violation(s) remain, the AG may bring a civil action and recover up to $7,500 per violation.

Data Protection Assessments, aka Privacy Impact Assessments

Texas, like several other states that enacted privacy laws in recent years, requires that businesses conduct Data Protection Assessments to identify and weigh the risks and benefits to all parties, as mitigated by safeguards that the business can use to reduce risk.

The TDPSA requires assessments for all activities that involve personal data and present a heightened risk of harm, namely:

Processing of personal data for behavioral advertising
Sale of personal data
Processing of personal data for automated profiling that produces a significant effect
Processing of sensitive personal data (see below for definition)

Personal data and sensitive personal data
Texas has followed the lead of the more recent laws, like those of Virginia, Colorado, Connecticut, and Indiana, by:

Expanding the list of data elements that are considered sensitive
Requiring businesses to have consent to collect and use Sensitive Personal Data.

Texas also goes one step further, requiring specific notice if a business sells Sensitive Personal Data, particularly biometric data.

Under TDPSA, “Sensitive Personal Data” includes information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status; genetic or biometric data that is processed for the purpose of uniquely identifying an individual; personal data collected from a known child; and precise geolocation data.

Pseudonymous Data

Texas’s approach to ‘Pseudonymous Data’ differs from what we’ve seen with other state privacy laws, and the EU’s GDPR.

Pseudonymous Data is defined as “personal data that cannot be attributed to a specific individual without the use of additional information, provided that the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.”

Texas departs from GDPR in that TDPSA excludes Pseudonymous Data from many of the requirements applicable to Personal Data so long as it remains pseudonymized.

Whereas other state laws—including, to varying degrees, Virginia, Utah, and Indiana—make certain exceptions for de-identified and pseudonymous data, Texas goes a step further by implicitly excluding Pseudonymous Data from the definition of Personal Data.

To put a fine point on it, GDPR includes Pseudonymous Data (called “Pseudonymised Data” in EU parlance) within the definition and under the umbrella of Personal Data, applying all requirements and restrictions applicable to Personal Data to Pseudonymous Data because of the potential for it to be re-identified. For most of the requirements of TDPSA, this is not the case.

This exclusion may provide an exciting opportunity for many businesses: because if a business has processes for which direct identifiers are not necessary (e.g., name, contact information, customer number, etc.), removing these identifiers from businesses processes and the systems could result in said data being outside the purview of the TDPSA.

To reiterate: Pseudonymous Data on its own is not considered Personal Data for many of the requirements under the TDPSA.

Like recent state privacy laws in Virginia and some other states, under TDPSA, a business does not need to include pseudonymous data in its response to Individual Rights Requests.

One of the most common uses of pseudonymous data is in the clinical trial context, where each trial participant is assigned a random ID that stands in for their actual identity (their actual identity is only known to medical staff and not the sponsor/manufacturing company, labs, and other supporting entities).

Can Pseudonymous Data Help My Company?

Other types of organizations may want to consider whether they can store customer data in a pseudonymized way, especially those that already assign identifiers through, for example:

Loyalty or participation rewards programs such as frequent flier/renter/buyer/guest numbers
Membership IDs (like libraries and fitness centers)
Player ID (for online and mobile games)

By separating identifying data (such as contact information and payment details) from other information (such as company-specific identifiers, transactional history, profile information, etc.), a company may be able to decrease its burden in responding to individual rights requests by limiting the data and databases to which the requests must be applied.

As mentioned, this treatment of Pseudonymous Data is distinctly different from GDPR, and it will be interesting to see whether other states adopt Texas’s approach.

Data Privacy is Just Good Business

Managing privacy compliance, especially with the proliferation of state privacy laws in the U.S., can feel like a Texas-sized task—but just because a task is big doesn’t mean it’s unmanageable.

With the right help, you can make data privacy measures a sustainable part of your operations. Red Clover Advisors delivers actionable, business-friendly privacy strategies to help you achieve data privacy compliance and establish yourself as a consumer-friendly privacy leader.

Book a Free Consultation