Scope, applicability, and key definitions

Who does the TDPSA apply to?

The TDPSA applies to persons that:

• conduct business in Texas or produce a product or service consumed by residents in Texas;
• process or engage in the sale of personal data; and
• are not a small business as defined by the U.S. Small Business Administration, except to the extent that organizations are exempt as provided for under the TDPSA.

However, the TDPSA does not apply to organizations including, among others:

• any state agency or political subdivision of Texas;
• financial institutions or data subject to the Gramm-Leach Bliley Act (GLBA);
• entities subject to the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH);
• non-profit organizations; or
• institutions of higher education.

Are certain data exempted from the application of the TDPSA?

Information exempt from the TDPSA includes, among others:

• protected health information under HIPAA;
• health records;
• identifiable private information;
• personal data regulated by the Family Educational Rights and Privacy Act (FERPA);
• personal data collected, processed, sold, or disclosed in compliance with the Farm Credit Act 1971; or
• data processed or maintained in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role.

The TDPSA does not apply to the processing of personal data by a person in the course of a purely personal or household activity.

How does the TDPSA define 'consumer'?

'Consumer' under the TDPSA is defined as an individual who is a resident of Texas acting only in an individual or household context and does not include an individual acting in a commercial or employment context.

How does the TDPSA define a 'controller'?

'Controller' is defined as an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data.

How does the TDPSA define 'personal data'?

'Personal data' is defined as any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. The term does not include de-identified data or publicly available information.

How does the TDPSA define 'consent'?

'Consent' is defined as a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. The term includes a written statement, including a statement written by electronic means, or any other unambiguous action. Notably, consent does not include:

• acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information;
• hovering over, muting, pausing, or closing a given piece of content; or
• agreement obtained through the use of dark patterns.

How does the TDPSA define 'sensitive data'?

'Sensitive data' is defined as including:

• personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status;
• genetic or biometric data that is processed for the purpose of uniquely identifying an individual;
• personal data collected from a known child; or
• precise geolocation data.

How does the TDPSA define 'processing'?

'Process' or 'processing' is defined as an operation or set of operations performed, whether by manual or automated means, on personal data or sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.

How does the TDPSA define a 'processor'?

'Processor' is defined as a person that processes personal data on behalf of a controller.

How does the TDPSA define 'sale' of personal data?

'Sale of personal data' is defined as the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party. However, the term does not include:

• the disclosure of personal data to a processor that processes the personal data on the controller's behalf;
• the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
• the disclosure or transfer of personal data to an affiliate of the controller;
• the disclosure of information that the consumer:
  • intentionally made available to the general public through a mass media channel; and
  • did not restrict to a specific audience; or
• the disclosure or transfer of personal data to a third party as an asset that is part of a merger or acquisition.

Key provisions and requirements

Does the TDPSA provide for consumer rights?

Consumers under the TDPSA are entitled to exercise their consumer rights at any time by submitting a request to a controller specifying the consumer rights the consumer wishes to exercise. Regarding the processing of personal data belonging to a known child, a parent or legal guardian may exercise their consumer rights on behalf of the child.

Pursuant to the above, the consumer rights under the TDPSA include the right to:

• confirm whether a controller is processing the consumer's personal data and accessing the personal data;
• correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of processing;
• delete personal data provided by or obtained about the consumer;
• if data is available in a digital format, obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance; or
• opt-out of the processing of personal data for the purposes of:
  • targeted advertising;
  • the sale of personal data; or
  • profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

Specifically, regarding deletion requests, a controller that has obtained personal data about a consumer from a source other than the consumer is considered in compliance with a consumer's deletion request by:

• retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the personal data remains deleted from the business's records and not using the retained data for any other purpose; or
• opting the consumer out of the processing of personal data for any purpose other than a purpose that is exempt under the TDPSA.

In addition, the TDPSA establishes provisions for responding to consumer requests. Data controllers must comply with consumer requests without undue delay, which may not be later than 45 days after receipt of the request. The response period may be extended by another 45 days where reasonably necessary, taking into account the complexity and number of the consumer's request, so long as the controller informs the consumer of the extension within the initial 45-day response period, together with the reason for the extension.

Further, if a controller declines to take action regarding a consumer's request, the controller must inform the consumer without undue delay, which may not be later than 45 days after the receipt of the request, of the justification for declining to take action and instructions on how to appeal the decision.

Data controllers must also provide information in response to a consumer request free of charge, at least twice annually per consumer. However, if consumer requests are manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. If a controller is unable to authenticate the request using commercially reasonable efforts, the controller is not required to comply with a consumer request and may request the consumer to provide additional information reasonably necessary to authenticate the consumer and their request.

Controllers must establish two or more secure and reliable methods to enable consumers to submit requests, and must take into account:

• the ways in which consumers normally interact with the controller;
• the necessity for secure and reliable communications of those requests; and
• the ability of the controller to authenticate the identity of the consumer making the request.

When exercising consumer rights, consumers must not be required to create a new account but may be required to use an existing account. Controllers that maintain an internet website must provide a mechanism to submit consumer requests on the website, while controllers who operate exclusively online and have a direct relationship with the consumer from whom they collect information are only required to provide an email address for receiving consumer requests.

Are there obligations in relation to sensitive data?

Controllers may not, under the TDPSA, process the sensitive data of a consumer without obtaining the consumer's consent, or, in the case of processing the sensitive data of a known child, without processing that data in accordance with Children's Online Privacy Protection Act (COPPA). If controllers engage in the sale of personal data that is sensitive data, the controller must include the following notice, in the same location and manner as the privacy notice required under the TDPSA:

• "NOTICE: We may sell your sensitive personal data."

Further, the TDPSA expressly provides that entities that are not small businesses as defined by the U.S. Small Business Administration may not engage in the sale of personal data that is sensitive data without obtaining prior consent from the consumer.

What are the main obligations for data controllers?

Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which that personal data is processed, as disclosed to the consumer. Likewise, controllers must also not process personal data for a purpose that is neither reasonably necessary nor compatible with the disclosed purpose for which the personal data is processed unless the controller obtains the consumer's consent. Further, controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security measures to ensure the confidentiality, integrity, and accessibility of the personal data, taking into account the volume and nature of personal data.

In addition, controllers in possession of de-identified data must:

• take reasonable measures to ensure that the data cannot be associated with an individual;
• publicly commit to maintaining and using deidentified data without attempting to reidentify the data; and
• contractually obligate any recipient of the de-identified data to comply with the provisions of the TDPSA.

What are the main obligations for data processors?

Processors must adhere to the instructions of a controller and assist the controller in meeting their duties or requirements under the TDPSA, including:

• responding to consumer requests by using appropriate technical and organizational measures, as reasonably practicable, taking into account the nature of processing and the information available;
• complying with the security of processing personal data and to the notification of a breach of security of the processor's system; and
• providing necessary information to enable the controller to conduct and document Data Protection Assessments (DPA).

Are vendor privacy relationships regulated under the TDPSA?

Determining whether a person is acting as a controller or processor with respect to the specific processing of personal data is a fact-based determination that depends on the context in which personal data is to be processed. Processors that continue to adhere to a controller's instructions with respect to a specific processing activity remain a processor.

Specifically, a contract must govern controller and processor procedures and must include:

• clear instructions for processing data;
• the nature and purpose of the processing;
• the type of data subject to processing;
• the duration of the processing;
• the rights and obligations of both parties; and
• a requirement that the processor shall:
  • ensure each person processing personal data is subject to a duty of confidentiality;
  • at the controller's direction, delete or return all personal data to the controller as requested after the provision of the service is complete unless retention is required by law;
  • make available to the controller, on reasonable request, all information in the processor's possession necessary to demonstrate the processor's compliance under the TDPSA;
  • allow, and cooperate with, reasonable assessments by the controller or controller's designated assessor; and
  • engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the requirements of the processor with respect to personal data.

Are Data Protection Impact Assessments regulated under the TDPSA?

Controllers must conduct DPAs for activities involving personal data, including where:

• the processing is for targeted advertising;
• the processing involves the sale of personal data;
• the processing is for the purpose of profiling, and the profiling presents reasonably foreseeable risks of:
  • unfair or deceptive treatment of or unlawful disparate on consumers;
  • financial, physical, or reputational injury to consumers;
  • a physical or other intrusion on the solitude or seclusion, or the private affairs or concerns, of consumers, if the intrusion would be offensive to a reasonable person; or
  • other substantial injury to consumers;
• the processing involves sensitive data; and
• the processing activities involve personal data that presents a heightened risk of harm to consumers.

DPAs must aim to identify and weigh the direct or indirect benefits that may result from the processing for the controller, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with that processing, as mitigated by safeguards that can be employed by the controller to reduce the risks. DPAs must factor in:

• the use of de-identified data;
• the reasonable expectations of consumers;
• the context of the processing; and
• the relationship between the controller and the consumer whose personal data will be processed.

A single DPA may address a comparable set of processing operations that include similar activities. Likewise, DPAs conducted by a controller for the purpose of compliance with other laws or regulations may constitute compliance with the requirements of the TDPSA if the assessment has a reasonably comparable scope and effect.

DPAs must also be made available to the Attorney General (AG) pursuant to a civil investigative demand.

Who is empowered to enforce violations of the TDPSA?

The AG has exclusive authority to enforce the TDPSA and may issue a civil investigative demand where they have reasonable cause to believe that a person has engaged or is engaging in violation of the TDPSA. Before bringing an action under the TDPSA, the AG must notify persons in writing, no later than 30 days before bringing the action, identifying specific provisions of the TDPSA the AG alleges to have been or are being violated.

What penalties are controllers and processors facing under the TDPSA?

Persons who violate the TDPSA following the cure period or who breach a written statement provided to the AG are liable to a civil penalty that shall not exceed $7,500 for each violation of the TDPSA. The AG may also bring an action in the name of Texas to:

• recover a civil penalty under this section;

• restrain or enjoin the person from violating this chapter; or
• recover the civil penalty and seek injunctive relief.

Next stages

What is the legislative status of the TDPSA?

The TDPSA was signed, on June 18, 2023, by the Office of the Texas Governor.

When will the TDPSA come into force?

The TDPSA will enter into effect on July 1, 2024.

Harry Chambers Senior Privacy Analyst
[email protected]