Changes Are Coming to Texas Privacy Laws in 2024. What Do You Need to Know? by @lawyerlewis

by Patrick Lewis, September 14th, 2023

Too Long; Didn't Read

The Texas Data Privacy and Security Act (TDPSA) takes effect on July 1, 2024, making Texas the latest state to adopt a comprehensive consumer data privacy law. It applies to businesses that process or sell the personal data of Texas residents and imposes a range of obligations, including honoring consumer rights to access, correct, and delete their data. It also requires transparent privacy notices and sets out an enforcement scheme, with civil penalties for uncured violations. Small businesses (apart from a restriction on selling sensitive data without consent) and entities subject to HIPAA or GLBA are exempt, but all others should prepare for the new requirements.


On June 18, 2023, Texas Governor Greg Abbott signed into law the Texas Data Privacy and Security Act (TDPSA). The TDPSA will go into effect on July 1, 2024. This is part of a continuing trend of states adopting their own comprehensive consumer data privacy laws. Texas will join the likes of California, Colorado, Connecticut, Iowa, Indiana, Utah, Virginia, and a handful of other states.


While the laws of each state have their own nuances, they all follow a similar structure:


  1. Who the laws apply to;
  2. Consumer’s rights under the laws;
  3. The obligations of data controllers and processors; and
  4. Enforcement


Luckily, if a business already complies with another state's law, adjusting to the TDPSA should not be difficult. Nevertheless, let's get into the important nuances of the TDPSA.


Who the Law Applies To:

The TDPSA applies to "controllers" (an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data) and "processors" (a person that processes personal data on behalf of a controller) that:


  1. conduct business in Texas or produce products or services consumed by residents of the state; and
  2. process or engage in the sale of personal data.


Essentially, a business that decides why and how the personal data of Texans is collected, used, or sold is a "controller," and a business that handles that personal data on behalf of another business is a "processor."


Unlike other states, Texas opted for a broad-reaching statute with no revenue or data-volume threshold. For example, one of the thresholds under California's CCPA is annual gross revenue in excess of twenty-five million dollars ($25,000,000). It's important to note that an entity not subject to another state's law could still fall under the TDPSA.


However, there are a few ways entities can be exempt from the TDPSA:


  1. Small Businesses. Any business that meets the definition of "small business" as defined by the United States Small Business Administration (SBA) is exempt from the TDPSA. The SBA's definition can change, but it is mostly centered on a business's number of employees or its average annual receipts over recent fiscal years, depending on industry. One caveat: even an exempt small business may not sell sensitive personal data without the consumer's prior consent. The cost of full compliance with the TDPSA would place a strong financial and operational burden on small businesses, so this exemption lifts a real weight off of them.


  2. Entities Subject to HIPAA or GLBA. Covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) and financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) are exempt from the TDPSA, as these entities already have strict privacy laws they are required to comply with.


  3. Non-profits and State Agencies. Following most states, non-profit organizations, state agencies and political subdivisions, and institutions of higher education are exempt from the TDPSA.

Consumer Rights Under The TDPSA

The TDPSA grants consumers certain rights in regards to their privacy. It’s like the Bill of Rights, but for privacy. States differ in what specific rights are awarded to consumers. The TDPSA grants consumers the following rights:


  1. Confirm whether a controller is processing the consumer's personal data and access that personal data;
  2. Correct inaccuracies in the consumer's personal data;
  3. Delete personal data provided by or obtained about the consumer;
  4. If the data is available in a digital format, obtain a copy of the personal data the consumer previously provided to the controller, in a portable and (to the extent technically feasible) readily usable format; and
  5. Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces legal or similarly significant effects concerning the consumer.


Businesses must provide one or more secure and reliable methods for consumers to submit requests, including a mechanism on their website if they maintain one. For businesses that operate exclusively online and have a direct relationship with the consumer, an email address is sufficient. Businesses cannot require consumers to create a new account to submit a request, but can require consumers to use an existing account. Businesses have 45 days from receipt of a request to respond. That period can be extended by another 45 days when reasonably necessary given the complexity or number of requests, provided the consumer is notified of the extension within the initial 45 days. Information must be provided free of charge up to twice annually per consumer. However, businesses may charge a reasonable fee, or decline to act, if a request is manifestly unfounded, excessive, or repetitive, and the business bears the burden of demonstrating that. A business that declines a request must explain why and must offer a process for the consumer to appeal the decision.


It’s also worth noting that these rights cannot be contracted away. A business cannot simply ask that a consumer waive their rights in order to purchase goods and services. Under the TDPSA, any attempt to waive consumer rights is void.

The Obligations of Data Controllers and Processors

Like other states, the TDPSA imposes certain obligations on data controllers:

  1. Limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purposes;
  2. Establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue;
  3. Not process personal data in violation of state or federal anti-discrimination laws;
  4. Not discriminate against consumers who exercise their rights under the TDPSA;
  5. Obtain the consumer's consent before processing sensitive data (for example, biometric data or precise geolocation); and
  6. Conduct and document data protection assessments for higher-risk processing, such as targeted advertising, the sale of personal data, certain profiling, and the processing of sensitive data.

The TDPSA also imposes certain requirements on data processors:

  1. Adhere to the instructions of the controller and assist the controller in meeting or complying with the controller's duties;
  2. Assist the controller in responding to consumer requests; and
  3. Provide the information necessary for the controller to conduct and document data protection assessments.


Additionally, a contract must exist between a controller and a processor that governs the processor's data processing. This contract must include clear instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. It must also bind the processor to keep the data confidential, to delete or return the data at the end of the engagement, to make available the information needed to demonstrate compliance, and to pass these obligations down to any subcontractors.

Privacy Policy Requirements

The TDPSA specifies certain pieces of information that must be included in a business's privacy notice. These are important to know when drafting a privacy policy that complies with the TDPSA.


  1. The categories of personal data processed by the controller, including, if applicable, any sensitive data processed by the controller;
  2. The purpose for processing personal data;
  3. How consumers may exercise their consumer rights, including how to submit requests and how to appeal a decision;
  4. The categories of personal data that the controller shares with third parties;
  5. The categories of third parties with whom the controller shares personal data;
  6. If the controller sells personal data or processes it for targeted advertising, a clear and conspicuous disclosure of that practice and of how consumers may opt out; and
  7. If the controller sells sensitive or biometric personal data, the exact statutory notices ("NOTICE: We may sell your sensitive personal data." and/or "NOTICE: We may sell your biometric personal data."), posted in the same location and manner as the privacy notice.

Enforcement

Violations of the TDPSA are enforced exclusively by the Texas Attorney General; there is no private right of action. Before bringing an action, the Attorney General must give written notice of the violation, and the business then has a 30-day period to cure it. Uncured violations can result in civil penalties of up to $7,500 per violation, plus injunctive relief and recovery of the state's attorney's fees and investigative costs.

Conclusion

Compliance can be stressful and tiresome for most businesses. However, the TDPSA is written clearly and is easy to follow. The important thing to remember is transparency. Businesses that are transparent in their data collection practices will have an easy time complying with the TDPSA. This means having clear links to their privacy policy, clearly stating how data is processed and used, and having security measures in place to protect personal data. Data privacy laws are here to stay so it’s important to start implementing good practices now.