Texas: A comprehensive look at the Data Privacy and Security Act
Texas enacted the Texas Data Privacy and Security Act (TDPSA) on June 18, 2023, and compliance is required starting from July 1, 2024. Businesses experienced with other comprehensive state consumer privacy laws will find most aspects of the TDPSA to be familiar. However, the TDPSA incorporates unique features that businesses should consider when updating their privacy programs for compliance with Texas regulations.
In this Insight article, Wendell Bartnick, Christian Blair, and Stuart Cobb, from Reed Smith LLP, delve into the TDPSA's applicability, unique features, exemptions, potential risks of non-compliance, and various compliance considerations, including privacy requests, authorized agents, data safeguards, privacy notices, disclosure of personal data sales, and updating vendor management processes to meet TDPSA requirements.
Applicability and Risks
Applicability of the TDPSA
The TDPSA applies to a business if it meets the following criteria:
- conducts business in Texas or provides a product or service used by Texas residents;
- engages in the processing or sale of personal data; and
- is not a small business as defined by the United States Small Business Administration (SBA).
The TDPSA is the first state consumer privacy law to exclude businesses that are 'small businesses' under SBA guidelines. In contrast, most other state consumer privacy laws generally apply to businesses that exceed a specific revenue threshold, handle a certain volume of personal data, or a combination of these factors.
An additional distinctive feature of the TDPSA is that it may regulate businesses that operate outside of Texas when they offer a product or service consumed by Texas residents. By comparison, Virginia's consumer privacy law applies only to businesses targeting Virginia residents, and California's privacy law only applies to businesses that do business in California. These interpretations could be seen as narrower than the TDPSA and may exclude scenarios where products or services are sold in another state but ultimately consumed or utilized by residents of Virginia or California. Accordingly, businesses that do not operate or conduct business in Texas nevertheless may be subject to the TDPSA if their products or services are consumed by Texas residents.
Exemptions in the TDPSA are similar to other state consumer privacy laws, encompassing non-profit organizations and certain regulated entities and data, including:
- regulated entities: financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA), institutions of higher education, and electric utility, power generation, and retail electric companies as defined by the Texas Utilities Code;
- regulated data: data subject to federal privacy laws including HIPAA, the Fair Credit Reporting Act (FCRA), the Family Educational Rights and Privacy Act (FERPA), and other applicable regulations; and
- other data: data collected in the employment or commercial context.
Potential risks from TDPSA non-compliance
- The TDPSA does not grant individuals the right to take legal action.
- The TDPSA is enforced by the Texas Attorney General only, and violations can result in a monetary penalty not to exceed $7,500 per violation.
- The law permits a 30-day cure period after a notice of violation. To effect the cure, the business must provide the Texas Attorney General with a written statement that includes:
  - confirmation of resolving the alleged violation;
  - notification to the affected consumer that the privacy violation was cured (if the business has the consumer's contact information); and
  - any necessary changes made to internal policies to prevent future similar violations. The statement should also include supporting documentation to show how the privacy violation was cured (e.g., a copy of the updated policies).
The TDPSA places specific privacy-related compliance obligations on regulated businesses that control the purpose and means of processing the personal data of Texas residents (controllers). These businesses should thoroughly review the TDPSA and consider their compliance steps.
Additionally, businesses that handle personal data about Texas residents on behalf of TDPSA-regulated controllers (processors) have certain limited duties under the TDPSA. These duties generally involve assisting the controller to ensure it fulfills its compliance requirements and adhering to the controller's instructions and the contractual terms applicable to processing personal data.
Some of the significant TDPSA compliance obligations for controllers are outlined below:
Minimize personal data collected and processed about Texas residents
The TDPSA requires regulated businesses to limit their collection and processing of personal data to what is adequate, relevant, and reasonably necessary for the purposes for which the personal data is collected, as described to consumers in their notices. If necessary, businesses can obtain consent from consumers for processing beyond what was described in the notice at the time of collection. Under the TDPSA, businesses are required to obtain explicit consent from consumers to process sensitive data. Notably, businesses that qualify as 'small businesses' under the SBA guidelines, which would typically be exempt from the TDPSA's requirements, are nevertheless required to obtain consumer consent prior to selling sensitive data.
Establish a process to comply with privacy-related requests from Texas residents
Similar to provisions in other state consumer privacy laws, the TDPSA grants Texas residents specific privacy rights, enabling them to make requests to businesses required to comply with the TDPSA. Texas residents have the right to request the following:
- confirmation of whether the business is processing the consumer's personal data;
- access to the consumer's personal data the business processes;
- correction of inaccuracies in the consumer's personal data, considering the nature of the personal data and the purposes for processing;
- deletion of the consumer's personal data;
- a portable copy of the consumer's personal data in a readily usable format, to the extent technically feasible, when the data is available in a digital format; and
- opt-out capability for the processing of personal data for the following purposes:
  - targeted advertising;
  - the sale of personal data; or
  - solely automated decision-making activities (e.g., profiling) that have significant legal or similarly significant effects on the consumer.
Accordingly, businesses subject to the TDPSA are required to receive these requests, use commercially reasonable efforts to authenticate them, and respond within 45 days (which may be extended another 45 days in certain situations). Businesses should take steps to prevent discrimination against consumers who exercise their privacy rights. Such discriminatory practices may include denying goods or services, differential pricing, or providing a different quality level of goods or services to consumers who have exercised their privacy rights.
If a business declines to comply with a consumer's privacy-related request, the TDPSA requires informing the consumer of the decision, along with instructions on how the consumer can initiate an appeal. The appeals process should be 'conspicuously available' and similar to the process for the consumer to exercise other rights under the TDPSA. Businesses required to comply with the TDPSA have 60 days to take action on the appeal and inform the consumer of the results. If an appeal is denied, the response must include a link to the online platform established by the Texas Attorney General to receive such complaints.
Responding to privacy requests from authorized agents
The TDPSA permits a consumer to designate another person or entity to act as an authorized agent on their behalf, particularly for the purpose of opting out of targeted advertising or the sale of personal data. Under the TDPSA, consumers may designate an authorized agent using various technologies, such as a link to an internet website, internet browser settings or extensions, or a global setting on an electronic device. However, a business is not required to comply with a request originating from such technology unless it enables the consumer to clearly express their intent to opt out of the processing of their personal data for targeted advertising and/or the sale of personal data. This technology must not unfairly disadvantage another controller, must be user-friendly, and must require the consumer to make an affirmative, freely given, and unambiguous choice (rather than relying on a default setting).
When receiving a request from an authorized agent, businesses are allowed to verify the identity of the consumer and the authorized agent's authority to act on behalf of the consumer, using commercially reasonable efforts. A business is not obligated to comply with a request from an authorized agent if the request is unclear or ambiguous, the business cannot verify the individual is a Texas resident, the business lacks the ability to process the request, or the business does not handle similar requests under other state privacy laws.
Implement reasonable administrative, technical, and physical data security measures
The TDPSA mandates that regulated businesses must establish, implement, and maintain reasonable administrative, technical, and physical data security measures to safeguard the confidentiality, integrity, and accessibility of the personal data they process. These measures must be appropriate to the volume and nature (including sensitivity) of the personal data in question. This requirement aligns with most state consumer privacy laws.
Post a privacy notice
The TDPSA requires that controllers provide a reasonably accessible and clear privacy notice to Texas residents. This privacy notice, as required by most other state consumer privacy laws, should include the following essential information:
- the categories of personal data processed by the business;
- the purposes for processing the personal data;
- the process and mechanisms enabling consumers to exercise their rights under the TDPSA, including details about the appeals process;
- if applicable, the categories of personal data the business shares with third parties; and
- if applicable, the categories of third-party recipients of personal data.
Additionally, the TDPSA requires that businesses that engage in the sale of sensitive data provide a notice with the following specific language: "NOTICE: We may sell your sensitive personal data." Furthermore, for businesses that sell biometric data, the TDPSA requires a notice stating "NOTICE: We may sell your biometric personal data." These notices must be posted in the same location and manner as the business's privacy notice.
Disclose the sale of personal data or sharing for targeted advertising purposes
In line with similar privacy laws in other states, businesses that 'sell' personal data or share personal data for 'targeted advertising' must disclose that activity in their privacy notice and offer consumers the option to opt out of such activity. The TDPSA defines the 'sale of personal data' as the act of sharing, disclosing, or transferring personal data for monetary or other valuable consideration by the controller to a third party, with certain exceptions. Notably, two important exceptions are that the sale of personal data does not encompass the disclosure of personal data to processors handling the data on behalf of the controller or disclosures to an affiliate of the controller.
Update vendor risk management and contracting processes
Businesses subject to the TDPSA may also need to update their vendor management processes and contracts to comply with the TDPSA. The TDPSA requires that contracts between controllers and processors contain the following:
- clear instructions for processing personal data;
- the nature and purpose of the processing;
- the types of personal data subject to processing;
- the duration of the processing;
- the rights and obligations of both parties, including the following requirements for a processor:
  - ensuring that each person processing personal data is subject to a duty of confidentiality;
  - deleting or returning all personal data to the controller, at the controller's direction, after the provision of the service is completed, unless retention of the personal data is mandated by applicable law;
  - providing the controller with all necessary information, upon reasonable request, to demonstrate the processor's compliance with the TDPSA;
  - allowing and cooperating with reasonable assessments by the controller or the controller's designated assessor; and
  - executing written contracts with subcontractors that require each subcontractor to meet the requirements of the processor outlined in the contract with the controller concerning personal data.