The Texas Data Privacy and Security Act: Building Digital Integrity
The state of Texas has taken a significant stride with the implementation of the Texas Data Privacy and Security Act (TDPSA). The Governor of Texas, Greg Abbott, signed HB 4, the TDPSA, into law on June 18th. Much of the Act will be enforced on July 1st, 2024, while provisions for recognition of universal opt-out mechanisms (DNSS and GPC) will take effect on January 1, 2025. This legislation aims to enhance data protection, strengthen cybersecurity, and ensure the data privacy rights of Texas residents while also protecting small businesses.
The increasing need for US Data Privacy Legislation
The number of US states implementing data privacy legislation is accelerating, and each new law adds more legal nuances rather than following the patterns of past laws. Following this fast-growing trend, Texas lawmakers have acknowledged the importance of protecting the personal information of Texans. The TDPSA attempts to address many concerns, such as unauthorized access, data breaches, and the misuse of personal data by corporations, marketers, and data brokers.
Examining the scope and threshold
The scope of the Texas bill is drawn differently, and more broadly, than existing state privacy laws. Unlike other state privacy laws, which generally apply to businesses that exceed set revenue or data-processing thresholds, the Texas bill applies to corporations and people who:
- Conduct business in Texas or produce products or services consumed by Texas residents, and
- Process or engage in the sale of personal data (“sale” means a disclosure of personal data to a third party for “monetary or other valuable consideration”).
The second prong of the scope is not found in other comprehensive state privacy laws. The scope of the Act excludes small businesses as defined by the United States Small Business Administration (SBA). However, small businesses still need to obtain consumer consent prior to selling/sharing sensitive information.
The TDPSA has no data-processing volume threshold. While the SBA currently defines a small business as one having 500 or fewer employees, this definition may be subject to adjustment, and there are myriad exceptions to the current SBA definition.
Texan Consumer Rights
Texas continues to use the now-familiar formula for consumer rights, under which consumers may:
- Confirm whether a controller is processing their personal data and access such personal data;
- Correct inaccuracies in the consumer’s personal data;
- Delete personal data provided by or obtained about the consumer;
- Obtain a portable copy of the consumer’s personal data; and
- Opt out of processing for purposes of:
  - targeted advertising (defined as displaying advertisements that are selected based on the consumer’s activities over time and across nonaffiliated websites);
  - the sale of personal data; or
  - profiling (the definition is limited to “solely automated processing”) in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
As stated, the Act requires controllers to implement opt-out preference signals by January 1, 2025.
Controller & Processor Contracts
The Act uses the terms “controller” and “processor.” Under the Act, processors must assist controllers in meeting their obligations, including responding to consumer requests and conducting data protection assessments. The Act requires certain contractual terms between controllers and processors, including those requiring the processor to maintain a duty of confidentiality.
Sensitive Data
Controllers must obtain consent before processing a consumer’s sensitive data. Sensitive data is defined as personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexuality, or citizenship or immigration status; genetic or biometric data processed to identify individuals; personal data collected from a known child; and precise geolocation data (i.e., data that identifies a consumer’s location within a radius of 1,750 ft.). If a controller sells sensitive data or biometric data, it must post a specific notice (i.e., “NOTICE: We may sell your [sensitive/biometric] personal data.”) in its privacy notice.
Data Protection Assessments
The Act requires controllers to conduct data protection assessments of processing activities that involve targeted advertising, the sale of personal data, profiling (in limited circumstances), sensitive data, or otherwise present a heightened risk of harm to consumers.
Enforcement & Cure
The Texas Attorney General has the exclusive authority to enforce the Act. The Act provides controllers and processors with a 30-day cure period, and that cure period does not sunset.
Key Provisions of the Act
- Enhanced Data Protection: The Act establishes stringent data protection standards, requiring businesses to implement reasonable security measures to safeguard sensitive information. It emphasizes the adoption of encryption, access controls, and secure data storage practices to mitigate the risk of data breaches.
- Consumer Rights: The Act gives individuals greater control over their personal data. It grants them the right to access and correct their information held by businesses. Additionally, it allows individuals to opt out of the sale of their personal data to third parties.
- Breach Notification: In the event of a data breach, businesses are required to promptly notify affected individuals and appropriate authorities. This provision ensures transparency and enables individuals to take necessary measures to protect their information.
- Cybersecurity Frameworks: The Act encourages the development of robust cybersecurity frameworks by promoting information sharing between government agencies, businesses, and other stakeholders. It aims to bolster the state’s overall cybersecurity posture and facilitate timely response to emerging threats.
Implications for Businesses
The Texas Data Privacy and Security Act imposes new obligations on businesses that collect and process personal information. Compliance with the Act will require organizations to assess their data handling practices, strengthen security measures, and enhance transparency in data processing activities. Non-compliance may result in significant penalties, including fines and reputational damage.
Balancing Privacy and Innovation
While the Act focuses on protecting individual privacy, it also recognizes the importance of fostering innovation and economic growth. By providing clear guidelines and legal frameworks, the Act strikes a balance between privacy rights and businesses’ need for data-driven operations.
Collaboration and Future Developments
The TDPSA is part of a broader trend where states are taking the initiative to enact data privacy legislation in the absence of a federal law. It aligns with efforts across the United States to establish a consistent framework for data protection and consumer data privacy rights.
The TDPSA reflects the growing recognition of the need for robust data privacy measures in the digital age. By prioritizing consumer rights and cybersecurity, the Act aims to create a more secure and transparent environment for businesses and individuals alike. While the legislation poses compliance challenges for organizations, it ultimately sets the stage for a stronger and more privacy-centric future. As technology continues to evolve, the Act will likely serve as another blueprint for other states in their pursuit of effective data protection legislation.
For more 2023 Privacy Readiness on all emerging US laws, request a copy today! Learn how Clarip’s privacy governance platform is powered with true automation. Clarip takes enterprise privacy governance to the next level and helps organizations reduce risks, engage better, and gain customers’ trust!
Contact us at www.clarip.com or call Clarip at 1-888-252-5653 for a demo.