Understanding the Texas Data Privacy and Security Act: A New Era for Privacy in the Lone Star State

The digital landscape is continuously evolving, and with it, the need for robust data privacy laws. In response to this growing necessity, Texas has recently joined the ranks of states with comprehensive data privacy laws. The Texas Data Privacy and Security Act (TDPSA), signed into law by Governor Greg Abbott, is set to reshape the way businesses handle personal data in the Lone Star State.

Who Does the TDPSA Apply To?

The TDPSA applies to any entity that (1) conducts business in Texas or produces a product or service consumed by residents of Texas; (2) processes or engages in the sale of personal data; and (3) is not a small business as defined by the US Small Business Administration. The law defines a small business as one with fewer than 500 employees. The TDPSA is set to go into effect on July 1, 2024.

Consumer Rights Under the TDPSA

The TDPSA grants consumers several rights, similar to those found in other comprehensive data privacy laws. These include:

  1. The right to confirm whether a controller is processing the consumer’s personal data and to access that data.
  2. The right to correct inaccuracies in their personal data.
  3. The right to delete their personal data.
  4. The right to obtain a copy of their data in a digital format.
  5. The right to opt out of processing for purposes of targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

Controller Obligations

Controllers, as defined by the TDPSA, have several obligations. They must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purpose for which that personal data is processed. They must also establish, implement, and maintain reasonable administrative, technical, and physical data security practices. Controllers are required to perform data protection assessments in certain circumstances and must publish a privacy notice that meets specified requirements.

Unique Provisions of the TDPSA

The TDPSA has several unique provisions that set it apart from other data privacy laws. These include a requirement to post prescribed notices regarding the sale of sensitive personal data and biometric personal data. There is also a thirty-day cure period that requires more from the alleged violator than a statement that the alleged violation has been cured. Additionally, the TDPSA prohibits the sale of personal data by small businesses without the prior consent of the consumers.

Preparing for the TDPSA

With the TDPSA set to go into effect in 2024, businesses should begin assessing whether the law applies to them and understanding the personal data they collect. This includes how the data is used, shared, disclosed, and sold. With this information in hand, businesses can start taking steps to comply with the TDPSA.

The enactment of the TDPSA marks a significant step in Texas's journey towards robust data privacy. As the law takes effect, businesses operating in Texas will need to adapt to these new regulations, ensuring they are in compliance and protecting the personal data of their consumers.
