Navigating the Digital Landscape: A Look at the Texas Data Privacy and Security Act
In a world increasingly defined by digital interactions, the protection of personal data has emerged as a paramount concern. As technology continues to evolve at a rapid pace, so too do the methods by which businesses collect, process, and utilize the information of individuals. In recognition of the growing need for robust data privacy regulations, the 88th Texas Legislature passed House Bill 4, known as the Texas Data Privacy and Security Act (TDPSA), ushering in a new era for privacy in the Lone Star State. This comprehensive legislation, which took effect on July 1, 2024, aims to empower Texas residents with greater control over their personal data and to establish clear guidelines for businesses handling sensitive information.
Understanding the Scope: Who and What Does the TDPSA Protect?
The TDPSA applies to any person that conducts business in Texas or produces products or services consumed by Texas residents and that processes or engages in the sale of personal data. Small businesses are exempt from most of its provisions, with one exception: they may not sell sensitive data without the consumer's prior consent. The law borrows its definition of "small business" from the U.S. Small Business Administration's size standards, which vary by industry and are measured in either employee headcount or annual receipts rather than a single fixed threshold, so a company should check the standard for its own industry classification rather than assuming a 500-employee cutoff.
The Act also excludes certain entities from its jurisdiction, including:
- State government agencies and political subdivisions
- Financial institutions regulated by the Gramm-Leach-Bliley Act (GLB)
- Covered entities and business associates governed by the Health Insurance Portability and Accountability Act (HIPAA)
- Nonprofit organizations
- Institutions of higher education
In essence, the TDPSA focuses on regulating the data practices of larger companies that handle the personal information of Texas consumers.
At the heart of the TDPSA lies the concept of "personal data," defined as any information, including pseudonymous data, that is linked or reasonably linkable to an identified or identifiable individual. This encompasses a broad range of data points, including:
- Online activity
- Purchase history
- Location data
- Biometric data (e.g., fingerprints, facial scans)
- Email addresses
- Phone numbers
- Device settings
However, the TDPSA does not protect "publicly available information" or "de-identified data," which cannot be reasonably linked to an individual.
Furthermore, the TDPSA provides heightened protection for "sensitive data," a subcategory of personal data that includes information revealing:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnoses
- Sexuality
- Citizenship or immigration status
- Genetic data
- Precise geolocation data
The TDPSA also classifies the personal data of a "child," defined as an individual under 13 years of age, as sensitive data. Even small businesses are prohibited from selling sensitive data, including that of children, without obtaining explicit consent from the consumer or, in the case of a child, their parent or legal guardian.
Empowering Texans: Key Rights Under the TDPSA
The TDPSA grants Texas residents a set of rights designed to give them greater control over their personal data. A controller must act on a request without undue delay and no later than 45 days after receiving it, and may extend that period once by a further 45 days when reasonably necessary, provided it informs the consumer of the extension. These rights include the ability to:
- Confirm whether a controller is processing their personal data and access that data. This right allows consumers to learn what information companies hold about them and to obtain a copy of the data they previously provided in a portable and, to the extent technically feasible, readily usable format.
- Correct inaccuracies in their personal data. Consumers can request that businesses correct any errors or outdated information in their data records.
- Delete personal data provided by or obtained about them. This right empowers consumers to request that businesses delete their personal data, giving them more control over their digital footprint.
- Opt out of the processing of personal data for specific purposes. Consumers can opt out of having their data used for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning them. Since January 1, 2025, controllers must also honor opt-out preference signals sent by a browser or device (a universal opt-out mechanism such as Global Privacy Control), not only requests submitted through their own forms.
Targeted advertising involves using personal data to display advertisements tailored to an individual's preferences or interests. The sale of personal data refers to the exchange of personal data for monetary or other valuable consideration. Profiling involves using automated processing of personal data to evaluate or predict aspects of an individual's behavior, interests, or characteristics.
The TDPSA prohibits companies from retaliating against consumers for exercising any of these rights. Consumers cannot be denied goods or services, charged different prices, or provided with a different level of quality based on their decision to exercise their data privacy rights.
Obligations of Controllers and Processors: Transparency and Accountability
The TDPSA places specific obligations on "controllers," defined as individuals or entities that determine the purpose and means of processing personal data. Controllers must adhere to the following requirements:
- Transparency: Controllers must provide consumers with a clear and accessible privacy notice outlining the categories of personal data they process (including any sensitive data), the purpose for processing that data, how consumers can exercise their rights and appeal a controller's decision, the categories of personal data shared with third parties and the categories of those third parties, and whether the controller sells personal data or uses it for targeted advertising. A controller that sells sensitive or biometric data must additionally post a conspicuous notice to that effect in the same place it posts its privacy notice.
- Purpose Limitation: Controllers must limit the collection of personal data to what is "adequate, relevant, and reasonably necessary" for the disclosed purpose of processing.
- Data Security: Controllers are responsible for establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices to safeguard personal data.
- Data Protection Assessments: Controllers are required to conduct and document data protection assessments for processing activities that carry elevated risk: targeted advertising, the sale of personal data, profiling that presents a reasonably foreseeable risk of unfair or unlawful treatment, financial or physical injury, or intrusion on privacy, the processing of sensitive data, and any other processing that presents a heightened risk of harm to consumers. An assessment weighs the benefits of the processing against the risks to the consumer, as mitigated by safeguards, and considers factors such as the use of de-identified data, the reasonable expectations of consumers, the context of the processing, and the relationship between the controller and the consumer. The Attorney General may request these assessments by civil investigative demand.
The TDPSA also outlines requirements for "processors," entities that process personal data on behalf of a controller. Processors must:
- Adhere to the controller's instructions for data processing
- Assist the controller in fulfilling its obligations under the TDPSA, including responding to consumer rights requests and maintaining data security
- Enter into a contract with the controller that outlines the data processing procedures, rights, and obligations of both parties
Enforcement and the Role of the Texas Attorney General
The TDPSA grants the Texas Attorney General exclusive authority to enforce the law. The Attorney General has a range of investigative powers, including the ability to issue civil investigative demands to compel businesses to produce documents or provide testimony.
Before initiating an enforcement action, the Attorney General must notify the business in writing of the alleged violations and provide a 30-day cure period. If the business successfully cures the violation within this timeframe, the Attorney General cannot pursue further action.
However, if a business fails to cure the violation or breaches a written statement provided to the Attorney General during the cure period, it faces a civil penalty of up to $7,500 per violation. The Attorney General can also seek injunctive relief to prevent further violations and may recover reasonable attorney's fees and expenses incurred during the investigation and enforcement process.
The TDPSA explicitly states that it does not provide a private right of action. This means that individuals cannot sue businesses directly for violations of the law. Instead, enforcement rests solely with the Texas Attorney General.
Putting the TDPSA into Action: Real-World Examples
The Texas Attorney General has actively pursued companies alleged to have violated the data privacy rights of Texas residents. Notably, the most prominent cases so far have been brought under Texas's companion privacy statutes rather than the TDPSA itself:
- TikTok: The Attorney General filed a lawsuit against TikTok, alleging that the social media platform violated the Securing Children Online Through Parental Empowerment Act (SCOPE Act), which went into effect on September 1, 2024. This Act supplements the TDPSA with provisions specifically designed to enhance the protection of children's data online. The lawsuit argues that TikTok failed to implement a commercially reasonable method for verifying the identity of parents using its family pairing feature, shared and sold children's data without parental consent, and engaged in targeted advertising aimed at children. The Attorney General seeks civil penalties of $10,000 per violation, as well as attorney's fees.
- Meta: In a case filed in 2022, before the TDPSA was enacted, the Attorney General secured a $1.4 billion settlement in July 2024 with Meta, the parent company of Facebook, for collecting biometric data from Texas residents without their consent through facial recognition software applied to photos uploaded to the platform. The claims were brought under Texas's Capture or Use of Biometric Identifier Act (CUBI) and the Deceptive Trade Practices Act, not the TDPSA, but the case demonstrated the state's willingness to pursue data privacy violations and set a precedent for holding large technology companies accountable.
Neither case was brought under the TDPSA itself, but together they show that the Attorney General is prepared to use the full set of Texas privacy statutes, of which the TDPSA is now the broadest, and that the 30-day cure period in the TDPSA is not a guarantee against litigation under the SCOPE Act or CUBI, which carry their own penalty schemes.
Taking Control of Your Digital Footprint: Practical Steps for Texans
While the TDPSA provides a robust legal framework for protecting personal data, individuals also play a vital role in safeguarding their own privacy. Here are some practical steps Texans can take to be more data savvy in their online interactions:
- Be Aware of Data Collection Practices: Pay attention to the websites you visit and the apps you use. Read privacy policies, cookie banners, and terms of service to understand what information companies collect and how they use it.
- Exercise Your Rights: Utilize the rights granted to you under the TDPSA. Request access to your data, correct inaccuracies, delete information you no longer want companies to hold, and opt out of data processing for targeted advertising, sales, or profiling.
- Manage Privacy Settings: Configure the privacy settings on websites and social media platforms to control what information you share and who can see it.
- Be Mindful of What You Share: Exercise caution when sharing personal information online. Consider the potential consequences before posting sensitive data or participating in online quizzes or surveys.
- Use Strong Passwords and Multi-Factor Authentication: Create strong and unique passwords for all your online accounts, use a password manager to keep track of them, and turn on multi-factor authentication wherever it is offered. A consumer-rights request is only as trustworthy as the account it comes from, so controllers will verify your identity before releasing or deleting data.
- Stay Informed: Keep up-to-date on the latest developments in data privacy and online security. The Texas Attorney General's website provides valuable resources and information on the TDPSA.
By being proactive and informed, individuals can actively participate in shaping the future of data privacy and ensure that their personal information remains protected in an increasingly digital world.
Looking Ahead: The TDPSA and the Future of Data Privacy
The TDPSA represents a significant step forward in safeguarding the data privacy rights of Texas residents. It provides a comprehensive legal framework that empowers individuals with greater control over their personal information and imposes clear obligations on businesses handling sensitive data.
The TDPSA follows the model first set by Virginia's Consumer Data Protection Act and adopted by a growing number of states, while broadening its reach by tying applicability to a small-business exemption rather than to revenue or data-volume thresholds. Its implementation and enforcement will continue to shape the landscape of data privacy, not only in Texas but, given the size of the state's population and economy, for companies operating across the nation.
The TDPSA underscores the evolving relationship between technology, law, and individual responsibility in the digital age. By raising awareness, fostering dialogue, and promoting proactive engagement, Texas can ensure that the TDPSA remains a vital tool for protecting the privacy of its citizens in an increasingly data-driven world.