Learn what the new Texas law means for consumers and businesses alike.
There’s a new frontier in the Lone Star State: consumer data protection. Like California, Colorado, and Connecticut, Texas has recognized the need for comprehensive data privacy legislation. The result is the Texas Data Privacy and Security Act, a comprehensive framework designed to protect Texas consumers’ privacy and security and offer them greater control over their personal data.
In this article, we’ll cover the most important elements of the law, including its timeline, enforcement, exemptions, and consumer rights. We’ll also explore how it compares to other state-level data privacy laws, and we’ll offer some suggestions for compliance. Read on to explore this new digital frontier with us.
What are the key provisions of the Texas Data Privacy and Security Act?
With its broad scope, the Texas Data Privacy and Security Act is poised to have far-reaching implications. To understand what this means for Texas residents and businesses — as well as organizations around the world that conduct business in Texas — we’ll delve into the law’s key requirements.
Texas consumer rights under the TDPSA
Data privacy laws in other US states center on consumer rights, and the Texas law is no exception. Like the CCPA, the TDPSA gives consumers the right to access and control certain aspects of their personal data. It also affords special protections to sensitive data, a category that includes:
- genetic and biometric data
- precise geolocation data
- personal information about a known child
- personal information regarding racial or ethnic origins, religious beliefs, mental or physical health diagnoses, sexuality, and citizenship or immigration status.
Texas consumers may request to access, delete, and/or obtain a copy of their personal data. They may also opt out of the sale of personal data and the processing of their data for targeted advertising and profiling, confirm whether a data controller is processing their personal data, and correct inaccuracies in that data.
New obligations under the TDPSA
Like its counterparts in other states, the Texas Data Privacy and Security Act imposes new obligations on organizations in order to protect a consumer’s personal data privacy and honor consumer requests. Here are a few of the top obligations under the TDPSA:
Following data minimization principles. First, organizations must limit the collection and retention of personal data to only what is reasonably necessary and relevant. Under a data minimization mindset, companies must also refrain from using data for reasons other than the ones disclosed to consumers.
Consent for the processing of sensitive data. The TDPSA mandates that businesses receive clear consent (i.e., consent not obtained through the use of dark patterns) from consumers before processing their sensitive data. Even small businesses that are otherwise exempt from the TDPSA are prohibited from selling sensitive personal data for which they have not obtained consumer consent.
Providing clear privacy notices. The TDPSA requires businesses to provide individuals with reasonably clear and accessible privacy notices that clarify the categories of personal data being processed, the purpose for the data processing, and the methods by which individuals can exercise their consumer data privacy rights. This includes direct notices that identify when a company may sell sensitive personal data and/or biometric personal data.
Establishing data security safeguards. Lastly, organizations must implement and maintain safeguards that are appropriate and proportional to the type and quantity of personal data being processed. This includes administrative, technical, and/or physical data security measures. For instance, a business might rely on a combination of legal contracts, employee training, on-site security systems, and data privacy software to protect data under the TDPSA.
Timeline and enforcement of the TDPSA
Introduced in the Texas legislature in February 2023, the Texas Data Privacy and Security Act passed relatively quickly. It was amended several times and then signed into law by Texas Governor Greg Abbott in June 2023.
The TDPSA will largely go into effect in July 2024, at which point it will be enforced by the Texas Attorney General. At that point, it will offer a 30-day cure period in which businesses can avoid penalties by resolving alleged violations and submitting written documentation.
Organizations that violate the Texas Data Privacy and Security Act will be subject to civil penalties of up to $7,500 per violation as well as court injunctions when necessary. Although the law does not establish a private right of action, the state attorney general will provide a way for individual consumers to submit complaints online by the time enforcement begins next year.
Who must comply with the Texas Data Privacy and Security Act?
Essentially, the TDPSA applies to companies that meet all three of the following requirements:
- An entity that conducts business in Texas or produces products or services consumed by Texas residents
- An entity that processes consumer personal data, and
- An entity that is not a “small business,” as defined by the US Small Business Administration (SBA).
This last point, the use of small-business status to determine compliance, is unique among state data privacy laws, most of which use a business’s annual revenue or scale of data processing to determine applicability. This means that the TDPSA will likely extend to businesses that fall well below the applicability thresholds in other states, complicating compliance efforts.
Who is exempt under the TDPSA?
As noted above, Texas carves out exemptions for small businesses. It also excludes the following types of data from compliance:
- Health records and protected health information under the Health Insurance Portability and Accountability Act (HIPAA)
- Personal data subject to the Fair Credit Reporting Act (FCRA)
- Educational data subject to the Family Educational Rights and Privacy Act (FERPA)
- Financial data subject to the Gramm-Leach-Bliley Act (GLBA)
- Personal data processed in the employment context, including data related to job applications.
The TDPSA also exempts certain covered entities, including nonprofit organizations, state agencies, financial institutions subject to the GLBA, healthcare organizations governed by HIPAA, electric utilities, and institutions of higher education.
How does the TDPSA compare to other state-level data privacy laws?
As state privacy laws stack up, it becomes more challenging to compare them with each other. Almost all of them share a fundamental emphasis on protecting the personal data of consumers and requiring businesses to be transparent about their data processing activities. However, when it comes to the specifics of enforcement, exemptions, and qualifying thresholds, each state has its own way of doing things. Here’s how Texas measures up against other states.
Unique scope. We’ve already mentioned the unique applicability criterion of small-business status. But it’s important to note that this criterion will likely create confusion, since the definition of a small business under the Small Business Administration is extremely variable. The factors that determine a business’s status are heavily dependent on the context of that business, and an entity that’s defined as a small business one year may not qualify in another year. Unlike under the other state data privacy laws, organizations subject to the Texas law may struggle to understand whether they must comply and whether that obligation remains in place from year to year.
Relatively strong consumer protections. Although it was generally modeled after the business-friendly Virginia Consumer Data Protection Act (VCDPA), the TDPSA aligns more closely with the laws of California and Connecticut in some of its consumer protections. For instance, it requires businesses to offer universal opt-out mechanisms like the laws in Colorado, Connecticut, and California. It also introduces a more far-reaching definition of personal data, expanding the category to include not only personally identifiable information (PII) but also pseudonymous data that can reasonably be linked to an identifiable person.
No private right of action. Most state privacy laws do not include a private right of action, and Texas is no exception. Although eleven states from Montana to Florida to Iowa now have consumer data protection regulations on the books, only California allows individual consumers to bring civil lawsuits against companies for data privacy violations.
How to prepare for compliance with the Texas Data Privacy and Security Act
With less than a year to prepare for compliance with the TDPSA, organizations need to act decisively. The first step is to invest time in thoroughly understanding the law’s requirements and its implications for your industry. After you’ve done this — and consulted with experienced legal experts as needed — the next step is to begin implementing new processes, tools, and mechanisms to meet compliance by July 2024.
Conduct data protection assessments. First, it’s essential to gain a thorough understanding of your current data protection practices and vulnerabilities. Data protection assessments will allow your company to gain a detailed picture of your data processing activities, the types of data you collect and store, who has access to that data, and the data security tools and procedures you already have in place. Regular assessments can also help you identify potential weaknesses and stay up to date with changes in your data ecosystem, ensuring that your compliance efforts remain effective over time.
Prepare privacy notices and opt-out mechanisms. Next, you’ll want to put TDPSA-specific mechanisms in place. Transparency is a cornerstone of data privacy compliance, and clear and comprehensive privacy notices are a required part of the Texas Data Privacy and Security Act. In these notices, businesses will be required to inform consumers of the categories of personal data being processed (including any sensitive data), the purpose for processing that data, and the ways that consumers may exercise their rights. If applicable, privacy notices will also need to alert consumers about the categories of personal data that the business shares with third parties as well as the categories of third parties involved, and clear opt-out processes will need to be provided.
Implement robust access controls. Regardless of where your company is located, compliance with your jurisdiction’s data privacy controls will include the need to proactively safeguard your sensitive information. One of the best methods is with robust access controls that allow only authorized personnel to view and modify data. These controls should be regularly audited and updated to stay current with staffing changes.
Train your employees on best practices. Your employees play a critical role in maintaining strong data security. Make sure your staff understands the specific requirements of the Texas Data Privacy and Security Act, and clearly outline their responsibilities in handling personal data and sensitive data. Regular training and awareness programs can create a positive culture of data privacy within your organization that will leave you prepared when TDPSA enforcement begins in 2024.
Strengthen your security posture with ShardSecure
With the broadest scope of any of the state-level data privacy regulations, the Texas Data Privacy and Security Act will present challenges for compliance. That’s on top of existing challenges with the constantly evolving regulatory landscape and the ongoing lack of a federal data privacy law in the United States.
ShardSecure’s technology can help. We provide advanced data privacy, security, and resilience with an innovative approach to file-level encryption that secures data from access by unauthorized third parties, including infrastructure admins and cloud providers. As part of a robust cybersecurity strategy, ShardSecure’s platform can help you safeguard your Texas customers’ personal data — and any other vital data you might want to protect. Visit our resources page to learn more.