While Texas has a reputation for deregulation and for having business-friendly laws, it did not stay behind when it came to regulating the handling of personal data: On June 18, 2023, Governor Greg Abbott signed into law the Texas Data Privacy and Security Act (TDPSA), making Texas the eleventh US State to introduce a data privacy law regime.
Although the governor approved the new legislation last year, the Texas Data Privacy and Security Act will become enforceable on July 1, 2024.
Texas Data Privacy Law imposes various obligations on businesses, such as obtaining consent for the collection of sensitive personal data and signing a data processing agreement between data controllers and data processors.
Considering that Texas is a vital market for global businesses with a population of 30 million, complying with the new Texas privacy law is necessary for all U.S. businesses. In this article, we will cover the main requirements imposed by the Texas data privacy laws and help you understand how you can comply.
What is the Texas data privacy law?
Texas’s new privacy law introduces various obligations on entities and provides Texas consumers with certain rights, such as the right of access and deletion.
The new privacy law comes into force on July 1, 2024, giving businesses ample time to understand the key obligations and to implement necessary changes to comply with the new Law.
Who must comply with the new Texas privacy law?
If you fulfill the following three criteria cumulatively (source: Texas Legislature Online), you will be subject to the new Texas privacy law:
- You carry out business in Texas or produce a product or service consumed by Texas residents;
- You process or engage in the sale of personal data;
- You are not considered a small business as defined by the United States Small Business Administration.
As you can infer from these three cumulative criteria, Texas privacy law will have broader applicability compared to other US state privacy laws such as California, Virginia, or Colorado because it does not include any revenue or data threshold to be applied to an entity that operates in Texas.
Furthermore, Texas privacy law may apply to a business even when that business does not specifically target Texas consumers (source: White & Case). If your product or service is consumed in Texas, the Texas privacy law may apply to you if other criteria are also fulfilled.
For instance, if you are an online retailer that sells cosmetics products but does not target the US market, you may still be subject to the Texas data privacy law if Texas consumers purchase your products from your website online.
What are the exemptions to the TDPSA ?
While Texas privacy law has broad applicability, it exempts the following activities and entities from its scope of applicability even when they process personal data:
- Processing personal data in an individual or household context is not subject to the new law.
- Processing personal data in a business-business context or employment context is outside the scope of the new law.
- State entities are outside the scope.
- Entities subject to the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act are exempt from the new Texas privacy law.
- Electric utility and power companies are also exempt from the scope of applicability of the Texas Data Privacy Law.
Main obligations under the Texas Data Privacy and Security Act (TDPSA)
In this section, we walk you through the main obligations you need to comply with under the Texas privacy law:
Implement an opt-in mechanism for processing sensitive data
If you collect, use, sell, store, or in any way process sensitive personal data of Texas residents, you must obtain consumer consent before processing.
Under Texas privacy law, sensitive data includes racial or ethnic origin, sexuality, citizenship, precise geolocation data, genetic or biometric data, and religious beliefs.
For instance, if a contact form on your website collects data about sensitive or biometric data, such as a consumer’s health or data revealing their racial or ethnic origin, you need to implement an opt-in mechanism to ask for the consumer’s consent.
{{learn-more-about-consent-banner-formats}}
Implement an opt-out mechanism for the sale of personal data
If you sell or disclose personal data of Texas consumers in exchange for monetary or any other consideration, you must provide consumers with an opt-out opportunity to opt out of the sale of their personal data.
Notably, Texas data privacy law defines “sale” quite broadly because disclosure of data for “any” consideration will amount to the sale of personal data.
We should also note that the Law does not specify how to implement such an opt-out mechanism, so you should stay updated with any guidance on this issue.
Implement an opt-out mechanism for targeted advertising
Under the Texas privacy law, you must offer consumers the right to opt out of targeted advertising, which is defined as:
“displaying to a consumer an advertisement that is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests.”
- Texas Data Privacy and Security Act (source: Texas Legislature Online)
However, the Law excludes certain activities from targeted advertising, such as “activities within a controller’s own websites or applications.”
Draft a privacy notice
The Texas Privacy Law requires that data controllers provide consumers with a clear and easily accessible privacy notice on their website.
According to section 541 of the new Privacy law, this privacy notice should describe what types of personal data you collect, how you use it, and for what purposes you process it. Furthermore, if you share personal data with third parties, you should disclose this in your privacy notice and describe the recipients to whom you transfer personal data.
Sign a data processing agreement
If you are subject to the Texas Data Privacy and Security Act, you are required to sign a data processing agreement with data processors. This agreement should address parties’ rights and obligations and require the data processor to impose the same obligations on the sub-processors.
Furthermore, the data processor must be obliged to delete personal data provided by the data controller at the end of the agreement.
Data subject rights
Texas consumers may submit a request to data controllers to exercise their rights:
- To confirm if their data is processed
- To access their data
- To delete their data
- To obtain a copy of their data
- To opt out of the sale of their personal data or right to opt out of targeted advertising or profiling.
Conduct data protection assessments
Texas Data Privacy and Security Act requires organizations to conduct data protection assessments for certain data processing activities, such as processing personal data for targeted advertising, selling personal data, and processing sensitive data, such as personal data revealing racial origin or biometric personal data.
Who enforces the Texas Data Privacy and Security Act?
Like other US State Privacy Laws, such as New Jersey privacy law, the Texas privacy law does not allow consumers to bring private rights of action.
Texas Attorney General is responsible for enforcing the Texas Privacy Law and any single violation may be fined up to 7500$ by the Court.
How can Didomi help you comply with Texas' TDPSA?
Without a robust consent and opt-out mechanism, you are guaranteed to fall foul of the Texas privacy law’s requirements. This is because the new law requires you to obtain consent for sensitive data and provide an opt-out for the sale of data or targeted advertising.
Our Consent Management Platform (CMP) allows you to collect consent in full compliance with local regulations, and to manage it across multiple channels, devices, frameworks and touch points.
Get in touch with our team to discuss your privacy challenges and find out how our solutions can help you comply with the Texas Data Privacy and Security Act:
{{talk-to-an-expert}}
Frequently Asked Questions (FAQ)
When does the Texas Data Privacy and Security Act come into force?
The Act enters into force on July 1, 2024.
Who can bring enforcement action against non-compliant organizations?
Under the Texas Data Privacy and Security Act, only the Texas Attorney General can bring an enforcement action against violations of the Act.
What are the penalties under the Texas Data Privacy Act?
Any violation can be fined up to 7500$ per violation by the Court.
Can consumers sue the organizations?
Texas Data Privacy and Security Act does not provide consumers with a private right of action. Therefore, consumers cannot bring an enforcement action.
What is the deadline for responding to data subject requests from consumers?
Under the new Act, organizations have 45 days to respond to data subject requests.
When are we obligated to carry out data protection assessments?
You must carry out data protection assessments before undertaking certain data processing activities, such as selling personal data or processing sensitive personal data.