Texas Privacy Law
Please note that this is intended to be a summary. It is not a complete recitation of the applicable laws and/or regulations and is not intended to be used as legal advice.
Texas Governor Greg Abbott signed the Texas Data and Privacy Security Act (“TDPSA”) into law on June 18, 2023. The TDPSA’s main provisions become effective on July 1, 2024.
The Texas law creates obligations on “controllers” and “processors” of personal data, defined respectively as the individuals or legal entities who, alone or jointly with another person, determine the purposes and means for processing personal data, and the individuals or legal entities who process personal data on behalf of a controller.
The applicability of the TDPSA differs from that of other state privacy laws. Controllers and processors subject to the TDPSA are only persons that:
(1) conduct business in Texas, or produce products or services consumed by Texas residents;
(2) process or engage in the sale of personal data; and
(3) are not small businesses as defined by the United States Small Business Administration.
Like many other states’ privacy laws, the TDPSA exempts certain information and data from its provisions, including, among other types, personal data subject to regulation under the FCRA, HIPAA, FERPA, and GLBA.
Controllers have the following obligations under the TDPSA:
- Privacy Notice: controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the categories of personal data processed by the controller; the purpose for processing personal data; the categories of personal data that the controller shares with third parties, if any; the categories of third parties, if any, with which the controller shares personal data; and how consumers may exercise their consumer rights and appeal any controller’s decision regarding a consumer’s request, along with a description of the methods through which consumers can submit requests to exercise their rights.
- Restraint: controllers must limit the controller’s collection of personal data to only the personal data that is adequate, relevant and reasonably necessary in relation to the purposes for which that personal data is processed.
- Security: controllers must establish, implement and maintain safeguards for protecting personal information so that the controller’s safeguards protect the confidentiality, integrity and accessibility of the personal data as appropriate to the volume and nature of the personal data at issue.
Consumer rights under the TDPSA include the right to:
- Confirm whether a controller is processing or has processed the consumer’s personal data, and access that personal data held by the controller;
- Require a controller to correct inaccuracies in personal data about the consumer;
- Require a controller to delete personal data provided by or obtained about the consumer;
- Obtain a copy of the consumer’s personal data previously provided by the consumer to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the personal data to another controller; and
- Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling the consumer in furtherance of decisions made by the controller that produce legal effects or effects of similar significance for the consumer, such as those that result in the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, or access to essential goods or services.
Controllers must respond to a consumer’s rights request within 45 days of receipt of the consumer’s request, with an option to extend such response by an additional 45 days with notice to the consumer.
Like most of the recent data privacy laws being enacted, the TDPSA does not provide a private right of action; violations are enforceable only by the Texas Attorney General’s office. The Texas Attorney General must issue a notice of violation to a controller prior to initiating any action for violation of the TDPSA, and if the controller fails to correct the violation within 30 days of the notice, the attorney general may bring an action under the TDPSA, which may include penalties of up to $7,500 for each violation.