While Texas has a reputation for deregulation and business-friendly laws, it did not lag behind when it came to regulating the handling of personal data: On June 18, 2023, Governor Greg Abbott signed into law the Texas Data Privacy and Security Act (TDPSA), making Texas the eleventh US state to introduce a data privacy law regime.
Although the governor approved the new legislation last year, the Texas Data Privacy and Security Act became enforceable on July 1, 2024, with certain provisions becoming effective on January 1, 2025.
The Texas data privacy law imposes various obligations on businesses, such as obtaining consent for the collection of sensitive personal data and signing a data processing agreement between data controllers and data processors.
Considering that Texas is a vital market for global businesses with a population of 30 million, complying with the new Texas privacy law is necessary for all U.S. businesses. In this article, we will cover the main requirements imposed by the Texas data privacy laws and help you understand how you can comply.
What is the Texas data privacy law?
The new Texas privacy law introduces various obligations on entities and provides Texas consumers with certain rights, such as the right of access and deletion.
The new privacy law comes into force on July 1, 2024, giving businesses ample time to understand the key obligations and to implement the changes necessary to comply with the new law. Note that certain provisions related to universal opt-out mechanisms have a delayed effective date of January 1, 2025.
Processing Personal Data: The term 'Processing Personal Data' refers to any operation performed on personal data, such as collection, storage, use, and disclosure. Consent must be a clear and affirmative action indicating a consumer's informed agreement to the processing of their personal data. Entities must process personal data relating to consumers only with their explicit consent, ensuring transparency and compliance with data protection laws.
Texas' TDPSA key terms and definitions
The Texas Data Privacy and Security Act (TDPSA) defines several key terms that are essential to understanding the law’s requirements and applicability. Here are some of the most important ones:
- Personal Data: This refers to any information that is linked or reasonably linkable to an identified or identifiable individual. It encompasses a wide range of data, from names and addresses to more complex identifiers like IP addresses and device IDs.
- Sensitive Personal Data: This category includes personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data processed for the purpose of uniquely identifying an individual, personal data collected from a known child, or precise geolocation data. Handling this type of data requires explicit consent due to its sensitive nature.
- Processing Personal Data: This term covers any operation or set of operations performed on personal data, whether or not by automated means. This includes collecting, using, storing, disclosing, and deleting personal data.
- Biometric Data: Data generated by automatic measurements of an individual’s biological characteristics, such as fingerprint, voiceprint, eye retina or iris, or other unique biological patterns or characteristics. This type of data is often used for identification and authentication purposes.
- Data Controller: An individual or another person that determines the purpose and means of processing personal data. The data controller is responsible for ensuring that personal data is processed in compliance with the TDPSA.
- Data Processor: A person that processes personal data on behalf of a controller. Data processors must follow the instructions of the data controller and are also subject to certain obligations under the TDPSA.
Scope and applicability
The TDPSA applies to persons that process personal data collected from an individual who is a resident of Texas. This means that if you handle personal data of Texas residents, you are likely subject to the law. However, the TDPSA excludes personal data collected or processed from individuals acting in an employment or commercial context. Additionally, the law does not apply to the processing of personal data by a person in the course of a purely personal or household activity. This ensures that the law focuses on business-related data processing activities, rather than personal or domestic use.
Who must comply with the new Texas privacy law?
If you fulfill the following three criteria cumulatively (source: Texas Legislature Online), you will be subject to the new Texas privacy law:
- You carry out business in Texas or produce a product or service consumed by Texas residents;
- You process or engage in the sale of personal data;
- You are not considered a small business as defined by the United States Small Business Administration.
As you can infer from these three cumulative criteria, the Texas privacy law has broader applicability than other US state privacy laws, such as those of California, Virginia, or Colorado, because it does not set any revenue or data-volume threshold for an entity that operates in Texas.
Furthermore, Texas privacy law may apply to a business even when that business does not specifically target Texas consumers (source: White & Case). If your product or service is consumed in Texas, the Texas privacy law may apply to you if other criteria are also fulfilled.
For instance, if you are an online retailer that sells cosmetic products but does not target the US market, you may still be subject to the Texas data privacy law if Texas consumers purchase your products from your website.
What are the exemptions to the TDPSA?
While Texas privacy law has broad applicability, it exempts the following activities and entities from its scope of applicability even when they process personal data:
- Processing personal data in an individual or household context is not subject to the new law.
- Processing personal data in a business-to-business context or an employment context is outside the scope of the new law.
- State entities are outside the scope.
- Entities subject to the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act are exempt from the new Texas privacy law.
- Electric utility and power companies are also exempt from the scope of applicability of the Texas Data Privacy Law.
Main obligations under the Texas Data Privacy and Security Act (TDPSA)
In this section, we walk you through the main obligations you need to comply with under the Texas privacy law:
Implementing an opt-in mechanism for processing sensitive data
If you collect, use, sell, store, or in any way process sensitive personal data of Texas residents, you must obtain consumer consent before processing.
Under Texas privacy law, sensitive data includes racial or ethnic origin, sexuality, citizenship, precise geolocation data, genetic or biometric data, and religious beliefs.
For instance, if a contact form on your website collects sensitive or biometric data, such as information about a consumer’s health or data revealing their racial or ethnic origin, you need to implement an opt-in mechanism to ask for the consumer’s consent.
To learn more about sensitive personal information under the Texas data privacy law and other laws in the U.S., see our dedicated article on the topic.
Implementing an opt-out mechanism for the sale of personal data
If you sell or disclose personal data of Texas consumers in exchange for monetary or any other consideration, you must give consumers the opportunity to opt out of the sale of their personal data.
Notably, Texas data privacy law defines “sale” quite broadly because disclosure of data for “any” consideration will amount to the sale of personal data.
We should also note that the law does not specify how such an opt-out mechanism must be implemented, so you should stay updated on any guidance on this issue.
Implementing an opt-out mechanism for targeted advertising
Under the Texas privacy law, you must offer consumers the right to opt out of targeted advertising, which is defined as:
“displaying to a consumer an advertisement that is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests.”
- Texas Data Privacy and Security Act (source: Texas Legislature Online)
However, the Law excludes certain activities from targeted advertising, such as “activities within a controller’s own websites or applications.”
Drafting a privacy notice
The Texas privacy law requires data controllers to provide consumers with a clear and easily accessible privacy notice on their website.
According to section 541 of the new privacy law, this privacy notice should describe what types of personal data you collect, how you use it, and for what purposes you process it. Furthermore, if you share personal data with third parties, you should disclose this in your privacy notice and describe the recipients to whom you transfer personal data.
Signing a data processing agreement
If you are subject to the Texas Data Privacy and Security Act, you are required to sign a data processing agreement with your data processors. This agreement should address the parties’ rights and obligations and require the data processor to impose the same obligations on its sub-processors.
Furthermore, the data processor must be obligated to delete the personal data provided by the data controller at the end of the agreement.
Having a process in place to handle data subject rights
The TDPSA provides consumers with several rights to ensure they have control over their personal data:
- Right to Confirm: Consumers have the right to confirm whether a controller is processing their personal data. This transparency helps build trust between consumers and businesses.
- Right to Access: Consumers can access their personal data held by a controller. This allows them to understand what information is being collected and how it is being used.
- Right to Correct Inaccuracies: If a consumer finds inaccuracies in their personal data, they have the right to correct them. This ensures that personal data remains accurate and up-to-date.
- Right to Delete: Consumers can request the deletion of their personal data. This right empowers consumers to remove their data from a controller’s records if they no longer wish for it to be processed.
- Right to Obtain a Portable Copy: Consumers have the right to obtain a portable copy of their personal data. This facilitates data portability and allows consumers to transfer their data to another service provider if they choose.
- Right to Opt Out: Consumers can opt out of the processing of their personal data, particularly for purposes like targeted advertising or the sale of personal data. This gives consumers greater control over how their data is used.
Our privacy request module can help you handle these rights as a business.
Conducting data protection assessments
The Texas Data Privacy and Security Act requires organizations to conduct data protection assessments for certain data processing activities, including processing personal data for targeted advertising, selling personal data, and processing sensitive data (for example, personal data revealing racial origin or biometric personal data).
Who enforces the Texas Data Privacy and Security Act?
Like other US state privacy laws, such as the New Jersey privacy law, the Texas privacy law does not allow consumers to bring a private right of action.
The Texas Attorney General is responsible for enforcing the Texas privacy law, and each violation may be fined up to $7,500 by the court.
How can Didomi help you comply with Texas' TDPSA?
Without a robust consent and opt-out mechanism, you are guaranteed to fall foul of the Texas privacy law’s requirements. This is because the new law requires you to obtain consent for sensitive data and provide an opt-out for the sale of data or targeted advertising.
Our Consent Management Platform (CMP) allows you to collect consent in full compliance with local regulations, and to manage it across multiple channels, devices, frameworks and touch points.
Get in touch with our team to discuss your privacy challenges, or continue reading about data privacy laws in the United States in our dedicated article.
Frequently Asked Questions (FAQ)
When does the Texas Data Privacy and Security Act come into force?
The Act enters into force on July 1, 2024, with certain provisions related to universal opt-out mechanisms having a delayed effective date of January 1, 2025.
Who can bring enforcement action against non-compliant organizations?
Under the Texas Data Privacy and Security Act, only the Texas Attorney General can bring an enforcement action against violations of the Act.
What are the penalties under the Texas Data Privacy Act?
Any violation can be fined up to $7,500 per violation by the court.
Can consumers sue the organizations?
The Texas Data Privacy and Security Act does not provide consumers with a private right of action. Therefore, consumers cannot bring an enforcement action themselves.
What is the deadline for responding to data subject requests from consumers?
Under the new Act, organizations have 45 days to respond to data subject requests.
When are we obligated to carry out data protection assessments?
You must carry out data protection assessments before undertaking certain data processing activities, such as selling personal data or processing sensitive personal data.