An extensive data privacy law enacted by the state legislature of Texas to regulate the handling of consumers’ personal data by certain business entities. TDPSA protects the privacy of Texans and imposes penalties of up to $7500 on businesses/controllers in case of any violation.

Effective date: July 1, 2024

Official text: Texas Data Privacy and Security Act

What is the Texas Data Privacy and Security Act?

The Texas Data Privacy and Security Act (TDPSA) was enacted on the 18th of June 2023 and is expected to come into force on the 1st of July, 2024. TDPSA guarantees privacy rights to consumers, imposes obligations upon businesses, and lays down sanctions for violations.

The act also directs businesses to conduct regular data protection assessments, provide privacy notices to consumers, and have a contractual relationship with data processors.

Unlike other US privacy laws such as the CPRA or VCDPA, the Texas data privacy law does not apply on a threshold basis; instead, it applies generally.

A consumer is a resident of Texas acting in an individual or household context, but not in a business or employment context.

The Texas Attorney General is the designated enforcement authority under the Texas Data Privacy and Security Law.

Who does TDPSA apply to?

The Texas Data Privacy and Security Act applies to you if:

  • You are a business in Texas or elsewhere whose products/services are consumed by the residents of Texas.
  • You process/sell the personal data of Texans.

It is interesting to note that the word ‘targeted’, used in most privacy laws, is replaced here by ‘consumed’. This means the law applies to your business only if your product or service is actually consumed by Texans, not merely targeted at them. However, it is always safe to comply with the law if you handle personal data belonging to the residents of Texas.

The Texas Data Privacy and Security Act does not apply to:

  • The consumption of personal data for household or personal use.
  • Small businesses as defined by the United States Small Business Administration, unless you engage in the sale of sensitive data without the consent of the consumer.
  • Publicly available information: any information that is either in government records or made public by a consumer, or by any person to whom the consumer disclosed the information. However, information that the consumer disclosed only to a specified audience does not count as publicly available.

Who is exempt from the TDPSA?

The following entities are exempted from the TDPSA’s scope:

  • State agency or political subdivisions of Texas.
  • Financial institutions covered under the Gramm-Leach-Bliley Act.
  • A covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, the Health Information Technology for Economic and Clinical Health Act, and HIPAA.
  • Non-profit organizations.
  • An institution of higher education.
  • An electric utility, a power generator company, or a retail electric provider.

What is personal data in TDPSA?

Personal data under the Texas data privacy law is defined as any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual.

  • Deidentified data and publicly available information are not personal data.
  • Pseudonymous data is considered personal data when it is used together with additional information that negates its anonymity.

What is sensitive data under TDPSA?

Sensitive data is any personal data that reveals:

  • racial or ethnic origin, religious beliefs, mental or physical health diagnosis, or sexuality.
  • citizenship or immigration status.
  • genetic or biometric data that identifies an individual.
  • personal data collected from a child if the business is aware that the child is below 13 years of age (known child).
  • precise geolocation data.

What is deidentified data under TDPSA?

Data that cannot be linked to an identified or identifiable individual, or to their device.

What are the obligations of data controllers under TDPSA?

Under TDPSA, data controllers have certain obligations to fulfill:

Data minimization

Collect only the personal data that is necessary for the purpose disclosed to consumers. Do not collect additional personal data without the consent of consumers.

Security safeguards

Implement reasonable security measures to protect the confidentiality of the personal data. This includes technical, administrative, and physical data security practices. The measures adopted must be proportional to the data you collect and process.

Purpose limitation

In addition to limiting the personal data collected, always ensure that the processing of such data is also restricted to the purpose disclosed to consumers. You can process additional personal data once you have the consent of such consumers.

Legal compliance

Businesses must comply with federal and state laws prohibiting unlawful discrimination, for example Title VII and Title II of the Civil Rights Act of 1964.

Non-discrimination

Do not discriminate against consumers who exercise their consumer rights. That is, businesses are under an obligation to not deny or vary the quality of goods or services or set a different price. Nothing in this law prevents businesses from giving offers based on consumers’ voluntary participation in programs like loyalty, discounts, rewards, club cards, or premium features.

Opt-in for Sensitive data

Do not process sensitive personal data without the consent of the consumer. To process children’s sensitive personal data, comply with the Children’s Online Privacy Protection Act of 1998 (COPPA).

Privacy notice

Privacy notices help businesses build consumer trust. Therefore they must be posted conspicuously. Ensure that your privacy notice is clear, adequate, and accessible.

Contract with Data Processors

Enter into a contractual relationship with the data processors and ensure that they comply with the law. Data processors are bound to comply with the instructions of businesses. 

Data Protection Assessment

Businesses are obliged to conduct a Data Protection Assessment for the processing of personal and sensitive data, the processing of personal data for targeted advertising and profiling, the sale of personal data, and any processing that involves a high risk to consumers. Data Protection Assessments are confidential and exempt from public inspection.

Breach report

Report breaches of security systems affecting more than 250 Texans to the Texas Attorney General within 30 days of discovery.

Privacy notice requirements under TDPSA

The act mandates businesses to provide a clear and accessible privacy notice that contains:

  • Categories of personal data, including any sensitive data.
  • Purpose of processing the collected data.
  • Procedure to exercise consumer rights.
  • Procedure to appeal against a decision of the controller.
  • Categories of personal data shared with third parties, if any.
  • Methods through which consumers can make requests. There should be a minimum of two methods. Businesses should not mandate the creation of a new account to submit requests.
  • A disclaimer that says “We may sell your sensitive data” and “We may sell your biometric personal data”, if applicable.
  • Link to opt out of the sale of personal data.

Consent under TDPSA

The act confers a special status for sensitive personal data. To process sensitive personal data, the consent of consumers is necessary.

Similarly, businesses/controllers should obtain verifiable parental consent before processing children’s data. Under this act, a minor under the age of 13 is construed as a child.

Businesses can process the data of consumers without their consent if the purpose of processing is the same as the purpose disclosed to them. However, if the purpose is different than disclosed, consent is necessary.

Under the Texas Data Privacy and Security Act, the consent of a consumer is valid only if:

  • it is freely given, without any coercion.
  • the consumer was informed of the collection, storage, and processing of personal data by the business.
  • the consent was given unambiguously and specifically.

A consent is not valid if:

  • it was given generally rather than specifically for handling/processing personal data.
  • a consumer merely hovered over, muted, paused, or closed a piece of content intended to obtain consent.
  • the consent was obtained through dark patterns.

The law also allows consumers to appoint another person, or to use a global opt-out mechanism, to opt out of the processing of their personal data. This is provided under Section 541.055(e) and will come into effect only in 2025. However, it is ideal to implement measures to recognize global opt-out mechanisms now rather than waiting until their enforcement.

In the case of children, verifiable consent is valid if it was given by their parents or legal guardians in conformity with the Children’s Online Privacy Protection Act of 1998 (COPPA).

What are the rights of consumers under TDPSA?

Let’s look at the rights granted by TDPSA to Texas residents:

Right to confirm / Right to access

A consumer has the right to verify whether or not a business is handling their personal data. The law also guarantees the consumers the right to access such data.

Businesses must respond to consumer requests, including requests to access, within 45 days. Considering the complexity and number of requests from the consumer, businesses can extend the time period by another 45 days if necessary. However, notify the consumer regarding the extension within the initial response period.

Right to correction

A consumer has the right to request a correction of any inaccuracies in their personal data.

Right to deletion

A consumer has the right to request that businesses delete their personal data regardless of how it was obtained. In other words, consumers can request businesses/controllers to delete personal data collected not only from them but also from other sources.

Right to portability

The consumer can request the businesses that process their data to provide them with a copy of such data in a portable, transmittable, technically feasible, and readily usable format.

Right to Opt-Out

Consumers can opt out of the sale of their personal data, of targeted advertising, and of profiling. Once a consumer opts out, businesses must wait 12 months before following up.

Right to exercise

Consumers, or in the case of a child their parents or legal guardians, are entitled to exercise the guaranteed rights by submitting a request to the business.

Right to non-discrimination

A consumer cannot be discriminated against for exercising their rights under this law. Businesses cannot deny goods or services, charge different prices, or compromise the quality of products. This does not mean that consumers are entitled to receive goods or services that require the processing of the data they choose to opt out of.

Right to appeal

Consumers can appeal if their request is not adequately and lawfully met. The appeal procedure is similar to submitting a request under the act. Businesses should respond to an appeal within 60 days.

A consumer cannot waive the consumer rights guaranteed under the act. Any such agreement drawn up by data controllers is invalid and unenforceable.

What is the penalty for violations under the Act?

The act provides for three sanctions in the event of any violation of its provisions:

  • A fine of up to $7500 for each violation
  • An injunction restraining the violation
  • Both penalty and injunction

It is significant to note that the fine depends upon the number of violations. The greater the number of consumers affected, the higher the penalty.

The enforcing authority will issue a notice to the defaulter containing the specifics of the violation. Upon receipt of such notice, businesses can avoid legal action if the problem is resolved within 30 days and a statement is given to the Attorney General confirming that:

  • The violation is cured, with supporting documents showing how it was cured.
  • The consumer was notified that the issue was addressed, if their contact details are known to the business.
  • Changes have been made to internal policies to prevent further violations.

Consumers have no right to private action. Only the Attorney General can initiate an action against defaulters.

How to comply with TDPSA? [Checklist]

  • Do not process sensitive data without the opt-in consent of the consumer.
  • Maintain a data map.
  • Maintain transparency regarding the collection and processing of personal data.
  • Maintain an accurate and specific Privacy notice on your website.
  • Provide a notice that contains “We may sell your sensitive personal data” and “We may sell your biometric personal data” if your business engages in the sale of any or both.
  • If your business engages in the sale of personal data, provide a clear notice with an “opt out of sale” button.
  • Respond to consumer requests within 45 days; notify of any extensions promptly.
  • If you decline a consumer request, inform the consumer of the decision, or of any extension, promptly.
  • Comply with consumers’ requests free of charge up to twice a year.
  • Do not discriminate against the consumers for the exercise of consumer rights.
  • Provide at least two methods for the consumer to submit requests, for example a toll-free number or a dedicated web page.
  • Establish a contractual relationship with the data processor.
  • Conduct regular Data Protection Assessments.
  • Report data breaches promptly.

Infographic: TDPSA vs CPRA

Related infographics: CCPA vs CPRA

FAQ on TDPSA

Does Texas have a privacy law?

Yes. The Texas Data Privacy and Security Act is the privacy law of Texas. It aims to regulate the collection, handling, and processing of consumers’ personal data.

What is the threshold for the Texas Data Privacy and Security Act?

There is no particular threshold limit for the applicability of the Texas Data Privacy and Security Act. TDPSA applies to certain businesses whose products or services are consumed by the residents of Texas.

Does the privacy law of Texas apply to small businesses?

Small businesses are exempt from complying with TDPSA unless they engage in selling sensitive personal data. If small businesses engage in the selling of sensitive personal data without the prior consent of the consumer, legal consequences including hefty penalties will arise.

Is there a need to recognize global opt-out mechanisms under Texas Privacy law?

It is better to implement a recognition of global opt-out mechanisms for your business. However, it is not a requirement until January 2025. After the act comes into force in July, a 6-month transitional period will be granted for businesses to comply with it.