Texas Passes Comprehensive Data Privacy Law

On June 18, 2023, Governor Greg Abbott signed the Texas Data Privacy and Security Act (TDPSA) into law. Texas now joins the rapidly increasing group of states, California, Utah, Colorado, Connecticut, Virginia, Iowa, Indiana, Tennessee, and Montana (together, "US State Data Privacy Laws"), with their own comprehensive consumer data privacy laws. The TDPSA becomes effective on July 1, 2024. The TDPSA mostly follows other states, so controllers should have little difficulty adapting their existing data privacy compliance program to the TDPSA. Similar to our other articles on US State Data Privacy Laws, we summarize the key components of the TDPSA below.

Who does the TDPSA apply to?

Similar to the US State Data Privacy Laws, the TDPSA imposes transparency and disclosure obligations on a "controller" (a person or entity who determines the purpose and means of processing personal data) who (1) conducts business in Texas by producing products or services consumed by residents of the state, (2) processes or engages in the sale of personal data, and (3) is not a small business, as defined by the US Small Business Administration (SBA). Notably, the TDPSA contains a limited applicability provision where small businesses that engage in the selling of sensitive data (as defined below) must also first receive the consumer's consent prior to engaging in such activity.

Notably, unlike other US State Data Privacy Laws, the TDPSA contains neither a revenue threshold nor a minimum number of consumers whose personal data is processed or sold for the law to apply. As such, the TDPSA will sweep up a broader array of businesses under its jurisdiction. In addition, the TDPSA does not apply to state government entities, nonprofits, HIPAA-covered entities and business associates, higher educational institutions (public or private), utility service providers, and Gramm-Leach-Bliley Act-regulated entities and data. The TDPSA also does not apply to certain classes of data including health records and health-related data, scientific research data, consumer credit-reporting data, personal motor vehicle records, insurance data, data regulated by the Family Educational Rights and Privacy Act or federal Farm Credit Act, and employment-related information.

What rights does the TDPSA vest in consumers?

The TDPSA grants Texas residents acting in an individual or household context ("consumers") certain access and control rights concerning their personal data. Consumers may submit authenticated requests to a controller to:

(1) confirm whether the controller is processing their personal data and provide them access to their personal data;

(2) correct inaccuracies in their personal data;

(3) delete personal data provided by or obtained about them;

(4) obtain a copy of the consumer's personal data that the consumer previously provided to the controller (i.e., data portability); and

(5) opt-out of the processing of their personal data for targeted advertising, selling personal data about them, or profiling.

A controller must respond to consumer requests within 45 days, though that time period may be extended for an additional 45 days if reasonably necessary, depending on the complexity and number of requests. Notably, the TDPSA also grants consumers the right to appeal a controller's refusal to take action on requests to exercise their rights, to which the controller must reply within 60 days. If the controller denies a consumer’s appeal, the controller must provide the consumer an online method to contact the Texas Attorney General to submit a complaint.

What obligations does the TDPSA impose on controllers?

The TDPSA applies to "personal data." Personal data is defined as "information that is linked or reasonably linkable to an identified or identifiable natural person," and similar to other US State Data Privacy Laws, excludes de-identified or aggregate data or publicly available information.

The TDPSA requires controllers to:

  • Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to disclosed purposes for which such data is processed;
  • Adopt and implement reasonable administrative, technical, and physical data security practices;
  • Process consumers' sensitive data only after obtaining the consumer’s affirmative consent. Sensitive data is defined to include genetic or biometric data, data of known children, precise geolocation data, and personal data revealing racial or ethnic origin, religious beliefs and health status. Notably, unlike other US State Data Privacy Laws, the TDPSA’s definition of sensitive data also includes citizenship and immigration status;
  • Process consumer data in a non-discriminatory manner, and refrain from discriminating against consumers who exercise the rights granted by the statute;
  • Provide a clear privacy policy that includes the categories of personal data processed; the purpose for processing personal data; the categories of personal data shared to third parties; the categories of third parties; and the consumer's rights and the manner in which consumers may exercise their rights, including to appeal;
  • Clearly disclose if the controller sells consumers' sensitive personal data or biometric data;
  • Clearly disclose to consumers how to opt-out from the sale of their personal data to third parties and the processing of their personal data for targeted advertising;
  • Establish a process for consumers to appeal the refusal to take action on requests to exercise their rights and provide consumers an online mechanism to contact the attorney general should their appeal be denied;
  • Conduct a data protection impact assessment on the processing of personal data for targeted advertising, the sale of personal data, profiling, sensitive data, and any processing activities that involve personal data that present a heightened risk of harm to consumers; and
  • When in possession of de-identified data, take reasonable measures to ensure that the data cannot be associated with an individual, commit publicly to maintaining data as de-identified data, and obligate any recipients of the data to comply with the TDPSA.

The TDPSA imposes additional requirements on "processors" (a person or entity who processes personal data on behalf of a controller). Processors must cooperate with the controller to comply with its obligations under the act, including its obligations regarding consumer rights requests and security of data processing. The TDPSA also requires that all processing be governed by a contract between the controller and processor that outlines relevant consumer privacy provisions set forth under the TDPSA.

Key Aspects of the TDPSA

  • Definition of a Controller: Unlike other US State Data Privacy Laws, the definition of a controller under the TDPSA is quite expansive and applies to all non-exempt entities that conduct business in Texas, process or engage in the sale of personal data, and are not a small business (as defined by the SBA).
  • Processing Agreement Required between Controllers and Processors: Like certain other US State Data Privacy Laws, the TDPSA requires controllers to enter into contracts with data processors governing the processor's data processing procedures. Contracts under the TDPSA must set forth clear instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the parties' rights and obligations. The contracts also must include a duty of confidentiality and must require processors' subcontractors to sign contracts with the same requirements. The TDPSA also requires processors to delete or return personal data upon the controller's request.
  • Attorney General Investigations and Enforcement: Like most of the US State Data Privacy Laws, the TDPSA does not provide for a private right of action. The Texas Attorney General may conduct enforcement actions and issue investigative demands. Before initiating an action, the attorney general must provide a written notice to the controller or processor, giving 30 days to cure the noticed violation. The attorney general may bring an action in court seeking various forms of relief, including declaratory judgment, injunctive relief, civil penalties, attorney's fees and investigative costs. A court may impose civil penalties of up to $7,500 for each violation, and if the violation is found to be willful or knowing, treble damages may be awarded.

White & Case's Data, Privacy and Cybersecurity team will continue to provide updates as these laws and regulations emerge. Please reference our US Data Privacy Guide and other client alerts for general steps to take to comply with US data privacy laws.

Katherine Madriz (White & Case, Law Clerk, Boston) co-authored this publication.

© 2023 White & Case LLP