Understanding the Texas Data Privacy and Security Act (TDPSA)


The Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024, represents a significant step in data privacy legislation within the United States. As the tenth state to enact such a law, Texas joins a growing list of states taking action to protect consumer data in the absence of a comprehensive federal privacy law. This article explores the key aspects of the TDPSA, its implications for businesses, and the enforcement landscape.

Scope and Applicability

The TDPSA applies broadly to businesses operating in Texas or providing products or services consumed by Texas residents. Notably, the law does not set a revenue threshold for applicability, distinguishing it from other state privacy laws. Instead, it focuses on whether a business processes or sells personal data and does not qualify as a small business under the U.S. Small Business Administration's definition, which varies by industry[1][3].

Consumer Rights

The TDPSA grants Texas residents several rights concerning their personal data, including:

  • Right to Access: Consumers can confirm whether a business is processing their personal data and access such data.
  • Right to Correction: Consumers can request corrections to inaccuracies in their personal data.
  • Right to Deletion: Consumers can request the deletion of their personal data, regardless of how it was obtained.
  • Right to Data Portability: Consumers can obtain a copy of their personal data in a portable format.
  • Right to Opt-Out: Consumers can opt out of the sale of their personal data, targeted advertising, and profiling[2][5].

These rights empower consumers to exercise greater control over their personal information and require businesses to respond to consumer requests within 45 days, with a possible extension of an additional 45 days if necessary[5].

Business Obligations

Under the TDPSA, businesses must adhere to several obligations:

  • Data Minimization: Collect only data that is adequate, relevant, and reasonably necessary for the disclosed purpose.
  • Consent for Sensitive Data: Obtain explicit consent for processing sensitive personal data, including biometric and geolocation data.
  • Parental Consent: Secure verifiable parental consent before processing the personal data of children under the age of 13.
  • Universal Opt-Out: Recognize universal opt-out signals by January 1, 2025, allowing consumers to opt out of data processing globally[3][5].

Enforcement

The Texas Attorney General's office is tasked with enforcing the TDPSA. The office has established a dedicated task force within its Consumer Protection Division to focus on aggressive enforcement of the state's privacy laws. Businesses found in violation of the TDPSA may face civil penalties of up to $7,500 per violation, along with potential injunctive relief and recovery of attorney’s fees[4][6][8].

The Attorney General's office has signaled its commitment to robust enforcement by issuing letters to over 100 companies suspected of non-compliance with related privacy laws, such as the Data Broker Law. This proactive approach underscores the importance of compliance for businesses operating in Texas[4][7].

Comparison with Other State Laws

While the TDPSA shares similarities with privacy laws in states like Virginia and Colorado, it introduces unique provisions. For instance, the TDPSA's applicability criteria do not rely on revenue thresholds, and it includes a perpetual 30-day cure period for businesses to address violations, which is not common in other state laws[2][3].

Conclusion

The Texas Data Privacy and Security Act marks a significant development in the U.S. privacy landscape, emphasizing consumer rights and business accountability. As the Texas Attorney General ramps up enforcement efforts, businesses must ensure compliance with the TDPSA's requirements to avoid penalties and safeguard consumer trust. This involves updating privacy policies, implementing robust data protection measures, and preparing to honor consumer requests promptly. As state-level privacy regulations continue to evolve, businesses must remain vigilant and proactive in their compliance strategies.

Citations:
[1] https://termly.io/resources/articles/texas-data-privacy-and-security-act/
[2] https://www.grayreed.com/NewsResources/Thought-Leadership/233610/Deep-in-the-Heart-of-Privacy-Understanding-the-Texas-Data-Privacy-and-Security-Acts-Impact-on-Businesses
[3] https://www.osano.com/articles/texas-data-privacy-and-security-act-tdpsa
[4] https://www.perkinscoie.com/insights/update/texas-ag-turns-heat-privacy-and-data-security
[5] https://www.cookieyes.com/blog/texas-data-privacy-and-security-act-tdpsa/
[6] https://www.munsch.com/Newsroom/Blogs/172302/Texas-AG-Signals-Plans-to-Aggressively-Enforce-Texas-New-Data-Privacy-Security-Act
[7] https://www.goodwinlaw.com/en/insights/blogs/2024/07/texas-new-privacy-law-goes-into-effect--and-attorney-general-builds-enforcement-team
[8] https://www.texasattorneygeneral.gov/news/releases/attorney-general-ken-paxton-launches-data-privacy-and-security-initiative-protect-texans-sensitive
