The future of data privacy in Texas: the Data Privacy and Security Act (TDPSA)

The Texas Data Privacy and Security Act (TDPSA) was passed in June 2023, making Texas the 11th state to pass comprehensive privacy legislation. With the Act newly in force since July 2024, what do businesses and consumers need to know?


Scope and applicability of the TDPSA

The TDPSA casts a wide net, covering a broad range of entities. Specifically, the law applies to any business that operates within Texas, those that produce products or services consumed by Texas residents, and organizations that process or sell the personal data of Texas residents.

However, the TDPSA does provide certain exemptions. Small businesses are generally exempt from compliance unless they sell sensitive data. The Act also exempts state agencies, political subdivisions, nonprofit organizations, and institutions of higher education. 

Moreover, entities already governed by federal privacy laws—such as those under the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Family Educational Rights and Privacy Act (FERPA)—are not required to comply with the TDPSA.


Key provisions of the TDPSA

The Act outlines clear responsibilities for both controllers and processors in handling personal data:

  • Privacy notice requirements: must disclose categories of personal data processed, purposes of processing, and third parties with whom data is shared. Specific disclosures are required for the sale of sensitive or biometric data.

  • Data security: controllers must implement reasonable administrative, technical, and physical security measures. Measures must protect the confidentiality, integrity, and accessibility of personal data.

  • Data protection assessments (DPAs): required for high-risk processing activities, including targeted advertising, sale of personal data, and processing of sensitive data. Assessments must weigh the benefits of processing against potential risks to consumers.

  • Contractual obligations: written contracts between controllers and processors must include clear processing instructions, data protection measures, and confidentiality requirements.

The Act also has specific provisions for the handling of de-identified and pseudonymous data. Controllers must take steps to ensure that de-identified data cannot be re-identified and must publicly commit to not attempting to re-identify this data. Pseudonymous data should be kept separate, with appropriate controls to prevent re-identification.

Notably, there is no private right of action under the TDPSA: only the Attorney General (AG) can bring enforcement actions. The AG has exclusive authority to impose penalties and ensure compliance, with penalties reaching up to $7,500 per violation. The law also includes a 30-day cure period, allowing businesses to rectify any violations before penalties are imposed.


Consumer privacy rights under the TDPSA

Similar to other state data laws, consumer rights include:

  • Access and portability: right to know if personal data is being processed, and to obtain a portable and readily usable copy of personal data.

  • Correction: right to correct inaccuracies in personal data.

  • Deletion: right to request deletion of personal data held by a controller.

  • Opt-out: right to opt out of data processing for targeted advertising, sale of personal data, and profiling.

  • Appeals process: right to appeal a controller’s decision regarding a data request. If denied, consumers can contact the Texas Attorney General.


How the TDPSA compares to other state data protection laws

The TDPSA stands out with its broad scope, applying to entities without revenue or data volume thresholds and ensuring that a wide range of businesses comply. 

While other states mandate consent for sensitive data processing, Texas’ TDPSA goes further:

  • It requires specific notices in privacy policies if such data is sold, for example precise geolocation data and data of children under 13.

  • It prohibits dark patterns from being used to obtain user consent, banning interface designs that could manipulate and undermine consumer choices. 

  • It introduces a universal opt-out mechanism: from January 1, 2025, businesses must honor global opt-out signals, which let consumers apply their privacy preferences across multiple websites and online services. Also found in California, Colorado, Utah, Connecticut, and Virginia laws, this feature reflects a growing trend toward standardizing privacy controls across states.


Looking beyond the US landscape, the TDPSA also aligns closely with the GDPR, particularly in defining the roles and responsibilities of controllers and processors. This alignment facilitates smoother compliance for businesses already familiar with GDPR standards, promoting consistency in data protection practices.


Texas’s forward-thinking approach to data protection

The TDPSA is a testament to Texas’s proactive stance on data privacy, building on a robust privacy framework that already includes measures like the Capture or Use of Biometric Identifiers (CUBI) Act.

The TDPSA is forward-thinking in its inclusion of a public feedback and review process. The Department of Information Resources will review the Act's implementation, collect public feedback, and report to the legislature. This interactive approach is less common among state privacy laws and emphasizes the importance of continuous improvement and public involvement.

Texas’s commitment to data privacy is further highlighted by the recent $1.4 billion settlement with Meta over unauthorized use of biometric data. This landmark settlement, the largest ever obtained by a single state, underscores Texas’s aggressive enforcement of privacy laws and dedication to protecting its residents' data.


Steps for compliance with the TDPSA

To ensure compliance with the TDPSA, businesses should conduct comprehensive data audits, documenting all data processing activities thoroughly. Data minimization and security policies, along with clear privacy notices, are crucial. Efficient processes for handling consumer requests for data access, correction, and deletion must be established. 

Additionally, businesses should provide clear opt-out mechanisms for data sales and targeted advertising, ensuring these options are easily accessible to consumers. Regular employee training on data privacy practices and compliance requirements is essential. Advanced technology solutions, such as consent management platforms and data protection tools, can further streamline compliance efforts.


The Texas Data Privacy and Security Act marks a significant advancement in protecting data privacy for Texas residents. Businesses must adapt to the new requirements to ensure compliance and maintain consumer trust. By using advanced redaction software like Secure Redact, companies can effectively anonymize sensitive data, ensuring it cannot be traced back to identifiable individuals.


Ensure compliance with the Texas Data Privacy and Security Act and protect your consumers’ data with Secure Redact.
