On June 18, 2023, the Governor of Texas signed the Texas Data Privacy and Security Act (TDPSA) into law, providing residents of Texas with privacy rights and imposing privacy requirements on businesses. This law will go into effect on July 1, 2024, so businesses that need to comply with it should begin their compliance efforts now to avoid heavy fines.
In this Compliance Guide, we will discuss the following important aspects of the TDPSA:
- Who needs to comply with this new Texas privacy law;
- How the law defines personal data;
- The privacy rights provided to residents of Texas;
- The penalties for failure to comply; and
Who needs to comply with this new Texas privacy law?
The Texas Data Privacy and Security Act is similar to other privacy laws in the sense that a business does not need to be located in the State for the law to apply. The TDPSA applies to any person that conducts business in Texas or produces a product or service consumed by residents of Texas and that processes or engages in the sale of personal data.
It is important to note that a few types of organizations will not be subject to this law, including:
- Nonprofit organizations; and
- Small businesses, as defined by the United States Small Business Administration. The Small Business Administration defines “small business” as either an independent business with fewer than 500 employees or a business that makes under a certain amount of gross revenue per year. While small businesses are exempt from most of the requirements of the TDPSA, the law still prohibits them from selling sensitive personal data without receiving prior consent from the consumer.
How does Texas’ privacy law define personal data?
The TDPSA defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable individual.” This means that information commonly collected through websites, such as names, emails, phone numbers, IP addresses or physical addresses, would be considered “personal data” and thus would be covered under this privacy law.
What privacy rights are provided to residents of Texas by the TDPSA?
This Texas privacy law was passed to protect the privacy of residents of the State by providing them with the following privacy rights:
- Confirm whether a controller is processing the consumer’s personal data and to access that personal data;
- Correct inaccuracies in the consumer’s personal data;
- Delete personal data provided by or obtained about the consumer;
- If the data is in a digital format, obtain a copy of the consumer’s personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller;
- Opt out of the processing of personal data for targeted advertising;
- Opt out of the sale of personal data;
- Opt out of the processing of personal data for profiling;
- Right to not be discriminated against for exercising privacy rights;
- Right to appeal a decision made with regard to privacy rights.
Businesses must respond to consumer privacy rights requests within 45 days after the receipt of the request, though this period can be extended by an additional 45 days if necessary.
- The categories of personal data processed;
- The purpose for processing the personal data;
- How consumers can exercise their consumer rights, including how to appeal a privacy rights decision;
- The categories of personal data shared with third parties, if any;
- The categories of third parties with whom the data is shared, if any;
- If a controller engages in the sale of sensitive personal data: “NOTICE: We may sell your sensitive personal data”;
- If a controller engages in the sale of biometric personal data: “NOTICE: We may sell your biometric personal data”;
Penalties for not complying with Texas’ new privacy law
The TDPSA will be enforced by the Texas Attorney General, who can issue a civil penalty of up to $7,500 per violation. In this case, “per violation” can mean per website visitor whose privacy rights were infringed upon, meaning that fines for non-compliance can add up very quickly.
Termageddon’s plan for the TDPSA