Data protection in Texas (TDPSA): New requirements for companies

by Martha Wanat
11 min read
9/2/24 7:46 AM

With the Texas Data Privacy and Security Act (TDPSA), which took effect on July 1, 2024, Texas became the eleventh state with its own comprehensive data privacy and security law.

Through the TDPSA, Texas is demonstrating its commitment to reconciling the technological and economic advances of the digital age with the privacy rights of its citizens. With its own definitions and far-reaching implications, the TDPSA is a testament to the evolving landscape of privacy laws in the United States. As digitization continues to advance, the importance of these regulations will also increase, as a model for other states considering similar measures.

The TDPSA regulates how companies collect, use and process the personal information of Texas consumers. It also outlines the rights these consumers have with respect to their information and the civil penalties businesses face if they violate the requirements of this new state law.

Although the TDPSA is already law, the specific provisions regarding universal opt-out mechanisms for consumers will not go into effect until January 1, 2025.

Experience shows that it pays off in many ways for companies to address data protection early. Below, we explain the provisions and special features of the TDPSA, when you are affected and what you need to do now.

What does the TDPSA generally include?

The TDPSA applies to the personal data of Texas residents, and only to data processed in an individual or household context. Individuals acting in a commercial or employment context are not considered "consumers" under the law.

It also mandates that businesses may only collect personal data that is adequate, relevant and reasonably necessary for the purposes of the processing, and those purposes must be disclosed to consumers.

The TDPSA sets forth several requirements that businesses must meet in order to lawfully collect, process, and use personal information from Texas consumers.

For example, the TDPSA uses an opt-out model, similar to several other states that have adopted comprehensive privacy regulations. This requires businesses to provide consumers with a transparent way to opt out of data collection and processing.

 

Core definitions and terminology of the TDPSA

Personal data: The TDPSA takes a conventional approach to defining personal data. It covers any information, whether sensitive or not, that is linked or reasonably linkable to an identified or identifiable individual.

While the Act does not list specific examples, traditional details such as names, phone numbers, IP addresses and social security numbers fall under this category.

Consent: Following the European Union's GDPR, the TDPSA defines consent as a clear and unambiguous act indicating a consumer's voluntary agreement to the processing of their personal data.

This can take the form of a written statement or another clear affirmative act. The law is explicit about what does not count as consent: acceptance of general or broad terms of use, hovering over, muting, pausing or closing a piece of content, and any agreement obtained through dark patterns.

Sensitive data: This category is reserved for personal data that could cause significant harm if mishandled. It includes data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexuality, citizenship or immigration status, genetic or biometric data processed to uniquely identify an individual, personal data of a known child under the age of 13, and precise geolocation data.

Controller and processor: Companies that determine the purpose and means of the processing of personal data are "controllers". Third-party companies that process data on behalf of a controller are "processors".

Sale of personal data: This is defined as the transfer or disclosure of personal data to a third party for monetary or other valuable consideration. There are several exceptions, such as disclosure to a processor, disclosure needed to deliver a product or service the consumer requested, or transfers in the context of a merger or acquisition.

Targeted advertising: This refers to advertising selected on the basis of personal data obtained from a consumer's activities over time and across non-affiliated websites or apps, in order to predict the consumer's preferences or interests.

 

What consumer rights does the TDPSA cover?

Texan consumers can exercise several rights under this law:

Right of access: this allows consumers to verify whether a controller is processing their data and gain access to it.

Right to rectification: Consumers can correct inaccurate or outdated information.

Right to erasure: Consumers can instruct the controller to erase their personal data, subject to certain exceptions.

Right to data portability: This ensures that consumers can retrieve their data in a usable format.

Right to non-discrimination: Controllers must not unreasonably discriminate against consumers when exercising their rights.

Right to opt out: This covers opting out of the sale of personal data, targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects for the consumer.

Parents or legal guardians can also represent children under the age of 13. Notably, unlike the California law, the TDPSA does not grant consumers the right to take legal action against data breaches.

 

What conditions does the TDPSA impose?

1. The right to information: authenticated consumer requests

As just mentioned, the TDPSA gives consumers the right to submit authenticated requests that you as a business must respond to in a prescribed way (sections 541.051(a) and (b)). A consumer (or the parent or guardian of a child) submits the request by indicating which right they wish to exercise. As the controller, you must respond without undue delay and within 45 days; one extension of a further 45 days is possible where reasonably necessary. Responses must be provided free of charge up to twice per year per consumer.

Consumer requests include:

  • Confirmation as to whether a controller is processing their data
  • Access to the personal data collected about them
  • Correction of inaccuracies in their data, taking into account the nature of the data and the purpose of the processing
  • Erasure of personal data provided by or obtained about the consumer
  • A portable copy of their data, where the data is available in a digital format

Consumers also have the right to non-discrimination and the right to object to the processing of personal data for targeted advertising, the sale of their data or profiling.

The approved procedures for submitting consumer requests are set out in section 541.055. You must establish two or more secure and reliable methods (for example on your website) through which consumers can submit these requests, taking into account the following:

  • The way your customers normally interact with you
  • The possibility of secure and reliable communication
  • Ensuring that you can authenticate the identity of the requesting consumer

2. Ensuring transparency about the purpose of data processing

Companies that act as controllers must limit the collection of personal data to what is adequate, relevant and reasonably necessary for the disclosed purposes, and must be transparent about those purposes.

To this end, the consumer must be informed of the purpose for which their data is being processed - unless the customer has given their express consent to handle their data differently.

 

3. Data protection assessments: Weighing up the benefits and risks

If you process data in any of the following ways, you must conduct and document a data protection assessment (section 541.105 of the Act). In the assessment, you weigh the direct and indirect benefits of the processing against the potential risks, particularly with regard to consumer rights:

  • Processing personal data for targeted advertising
  • Participation in the sale of personal data
  • Processing of personal data for profiling purposes
  • Processing of sensitive data
  • Processing of data that poses a heightened risk of harm to consumers

The following factors must also be taken into account in your assessments:

  • The use of de-identified data
  • The reasonable expectations of your consumers
  • The context of the processing
  • The relationship between the controller and the consumer

The resulting assessments must be made available to the Attorney General on request to assist with a civil investigation. Otherwise, they remain confidential and are exempt from public disclosure.

The TDPSA allows the same privacy assessment to be used that has already been used to comply with other privacy laws, as long as those other laws have similar requirements.

 

4. Appropriate protective measures against unauthorized data access

Data controllers must protect the personal information they collect from cybercrime and unauthorized data access.

Consequently, the TDPSA (section 541.101(a)(2)) requires controllers to protect the security and confidentiality of the data they collect through administrative, technical and physical data security practices that are appropriate to the volume and nature of the personal data involved.

 

5. Consent requirement: only under certain circumstances

The TDPSA stipulates that as a data controller, you are only required to obtain consent from users in certain circumstances:

  • Consent is required if you want to process personal data for purposes that are neither reasonably necessary nor compatible with the disclosed purposes for which the personal data was originally processed.
  • You also need the consent of users to process sensitive personal data.
  • You must obtain the consent of a parent or legal guardian if you want to process personal data about a child under the age of thirteen.

6. Contractual obligations when you use external partners as processors

If you engage an external data processor, both parties must sign a contract that contains the provisions listed in the TDPSA. These include (section 541.104(b)):

  • Clear instructions for data processing
  • The purpose and nature of the processing
  • The type of data that is subject to processing
  • The duration of the processing
  • The rights and obligations of both parties
  • The requirement that the processor must ensure that any person processing the data is subject to confidentiality obligations
  • The obligation of the processor to delete or return all data to the controller upon request
  • A requirement that the processor provide the controller with all information in its possession to demonstrate compliance with the TDPSA
  • An obligation on the processor to allow and cooperate with appropriate assessments by the controller and the controller's designated auditor
  • The requirement that the processor only contracts with subcontractors who meet the same conditions

 

Who is affected by the TDPSA?

The TDPSA applies to all businesses and individuals that meet the following (Section 541.002):

  • Doing business in Texas or producing goods or services consumed by residents of the state
  • Processing or selling personal information
  • It is not a small business as defined by the U.S. Small Business Administration (SBA). A small business, as defined by the SBA Table of Size Standards, is a business that falls within certain criteria based on the North American Industry Classification System (NAICS) codes. These criteria vary significantly from industry to industry and include a range of business revenues from $1 million to over $40 million and from 100 to over 1,500 employees.

This is an unusual threshold compared with other U.S. privacy laws, which traditionally rely on revenue and data-volume thresholds. Because the SBA definition is the only size cut-off, the law reaches a broad range of businesses operating in Texas. Note that even an exempt small business may not sell sensitive data without first obtaining the consumer's consent (section 541.107).

All of the following persons or entities are exempt from the requirements of the Texas Data Privacy and Security Act:

  • Covered entities or business associates subject to the HIPAA Privacy, Security and Notification Rules
  • Texas state agencies or political subdivisions
  • Financial institutions covered by Title V of the Gramm-Leach-Bliley Act (GLBA)
  • Non-profit organizations
  • Institutions of higher education
  • Electric utilities, electric generation companies and retail electric companies

 

What are the implications and obligations for companies?

In addition to creating a process for authenticating consumer requests and conducting privacy assessments, this law outlines several rights that will change your privacy policy and the configuration of your consent banner.

It also requires websites to create a way to honor universal opt-out settings in users' browsers.

Below we explain the main consequences:

1. Clear provisions for your privacy policy

Section 541.102 of the TDPSA requires you to provide consumers with an easily accessible and clear privacy notice that explains all of the following information:

  • The categories of personal data processed, including sensitive data
  • The purpose of processing the data
  • How consumers can exercise their rights, and how they can appeal your decision on a request
  • Where applicable, the categories of data shared with third parties
  • The categories of third parties you share the data with, if any
  • A description of how consumers can make requests to exercise their rights under the TDPSA

In addition, if you sell sensitive personal data or biometric data, you must post the following notices in the same place and manner as the privacy notice:

  • NOTICE: We may sell your sensitive personal data.
  • NOTICE: We may sell your biometric personal data.

 

2. Important: opt-out option in the cookie banner

As mentioned above, you as the controller must actively inform your users about the processing of the respective data, as consumers have the right to object to the sale of their personal data, targeted advertising and profiling.

A common solution to this legal requirement is a cookie banner that offers an opt-out option and links to the corresponding privacy or cookie policy. This lets consumers control whether your website tracks or profiles them. Note that an opt-out is not sufficient for sensitive personal data or children's data: those categories require prior consent (opt-in), as described in the consent requirements above.

Here, close attention must be paid to the TDPSA definition of consent, in particular the avoidance of dark patterns and of treating hovering over, scrolling past or closing a banner as consent, in order not to violate the law.

 

3. Universal opt-out signals

In section 541.055 parts (e) and (f), the TDPSA sets requirements for controllers and consumers regarding the use of universal opt-out mechanisms:

“[Consumers may] designate another person to act as the consumer's authorized agent and to act on the consumer's behalf to object to the processing of the consumer's personal information.”

This includes universal opt-out mechanisms such as the Global Privacy Control (GPC). Consumers enable these in their browser or device settings (or via a browser extension), and the browser then sends a signal to every website it visits indicating the consumer's preference.

Further, “...[a consumer] may designate an agent to communicate their intent to opt-out of data processing through technology, including a link to an Internet website, a setting or extension of the Internet browser, or a global setting on an electronic device.”

This means that you must honor these opt-out signals as long as you can verify, with commercially reasonable effort, the identity of the consumer and the agent's authority to act on their behalf.

These provisions on universal opt-out mechanisms for consumers will come into force on January 1, 2025.
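To make the mechanism concrete, here is an added example (not code from the original article or from any product it mentions) of how a web server can recognise and honour the GPC signal. Per the GPC specification, a participating browser sends the request header `Sec-GPC: 1`, and only that exact value counts as a signal; a site can also publish `/.well-known/gpc.json` to declare that it honours GPC. The function names, the shape of the stored-preference object and the sample request are assumptions made for this example.

```javascript
// Added example, not from the original article: honouring the Global Privacy
// Control (GPC) opt-out signal on the server side. Function names, the
// stored-preference shape and the sample request below are assumptions.

// Read the GPC signal from a header map. Node's IncomingMessage lowercases
// header names, but other frameworks may not, so normalise before comparing.
// Only the exact value "1" is a signal; anything else means "no signal".
function gpcOptOut(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Client-side equivalent: GPC-capable browsers expose
// navigator.globalPrivacyControl. The navigator object is passed in so the
// function can also be exercised outside a browser.
function gpcOptOutClient(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Combine the controller's stored per-consumer preferences (e.g. from a
// consent cookie written after a manual opt-out; true = processing allowed)
// with the GPC signal on this request. The signal is treated exactly like a
// manually submitted opt-out of the sale of personal data and of targeted
// advertising. It can only switch processing off, never back on.
function decidePurposes(stored, headers) {
  const prefs = Object.assign({ sale: true, targetedAdvertising: true }, stored);
  const signal = gpcOptOut(headers);
  return {
    sale: prefs.sale && !signal,
    targetedAdvertising: prefs.targetedAdvertising && !signal,
    // Record the basis for the decision so it can be shown in a review.
    source: signal ? 'gpc-signal' : 'stored-preference',
  };
}

// Body for /.well-known/gpc.json, declaring that the site honours GPC.
function gpcSupportResource(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Constructed sample request: a consumer with no stored opt-out visiting
// from a browser that sends the GPC signal.
const sampleHeaders = { 'user-agent': 'example-browser', 'Sec-GPC': '1' };
console.log(decidePurposes({}, sampleHeaders));
console.log(JSON.stringify(gpcSupportResource('2024-09-02')));
```

In practice the decision object would be consulted before loading any advertising or data-sharing tags, and the `source` field gives you an audit trail for the Attorney General's civil investigative demand described below.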

 

How do I achieve TDPSA compliance?

Organizations can prepare for the TDPSA in the following ways to be successful.

Requests for access to personal data: Data Subject Access Request (DSAR) forms are a good way to ensure that data protection rights can be claimed by consumers - referencing your privacy policy.

Privacy policy: Creating and maintaining a privacy policy is essential to fulfill all legal obligations described in the legal text.

Data security: You must take appropriate security measures to protect this personal data.

Data Processing Agreement: If you engage an external data processor, their contracts should include all of the above in accordance with TDPSA.

Consent management: Similarly, you must include opt-out options in your cookie banner configuration, especially if you use them for targeted advertising, as Texas consumers have the right to opt out of this type of data processing. If you collect sensitive data, you must first obtain consent from your users. As mentioned above, a cookie policy should also be in place.

 

What are the consequences for companies that fail to comply with the TDPSA?

If the Texas Attorney General has reasonable cause to believe that you are in violation of the TDPSA, he or she may make a civil investigative demand and require that a controller disclose all privacy assessments relevant to the investigation in order to assess compliance.

You then have 30 days to cure the violation and provide the Attorney General with a written statement confirming that:

  • You have cured the violation
  • You have notified the affected consumer, if applicable, that their privacy violation has been addressed
  • You have supporting documentation showing how the violation was cured
  • You have changed internal policies to ensure that further violations of this nature do not occur

Persons who fail to comply with the Texas Data Privacy and Security Act after the 30-day cure period may face a civil penalty of up to $7,500 per violation.

The Attorney General may also take the following actions:

  • Recovery of civil penalties
  • Restrain or enjoin the person from violating the TDPSA
  • Seek injunctive relief
  • Recovery of attorneys' fees and other reasonable costs incurred in the investigation

However, consumers protected by this law do not have a private right of action.

 

TDPSA compliance through a Consent Management Platform (CMP)

The implementation of a Consent Management Platform (CMP) offers companies numerous advantages when handling personal data and helps them to comply with the TDPSA. A CMP enables the efficient and legally compliant management of user consent. It not only improves the transparency and understanding of data processing processes for users by providing clear information about opt-ins and opt-outs, but also optimizes the user experience and strengthens their trust. In addition, automating the consent process with a CMP saves time and reduces errors. 


As data protection and digital analytics experts, we offer companies the implementation and configuration of the Consent Management Platform (CMP) from Usercentrics, the leading provider in Europe. Our expertise in data protection and digital analytics enables us to provide a customized solution that not only meets legal requirements, but also offers the highest opt-in rates and is optimally tailored to the specific needs and processes of your company.

Download our free TDPSA checklist now


 

References

Law: https://capitol.texas.gov/tlodocs/88R/billtext/pdf/HB00004F.pdf#navpanes=0