Texas Data Privacy And Security Act Could Have Major Implications For Many Companies That Do Business In The State


Businesses use personal data to understand consumer needs and develop business strategies. Data privacy and security laws are an attempt to balance the needs of businesses to collect and maintain personal information with the rights of individuals to protect their private data from unauthorized use.

While some federal legislation has been passed, the burden still falls to individual states to establish laws regarding the collection and use of consumers' private data. Since California adopted the first consumer data privacy laws in 2018, a number of other states have followed suit – many of them in 2023, including Texas. Below, the commercial litigation lawyers at Fee, Smith & Sharp LLP explain what you need to know about how a new Act will impact companies doing business in the state.

The Texas Data Privacy and Security Act

Two important federal laws exist to protect the private and sensitive information collected from individuals. These are the Health Insurance Portability and Accountability Act (HIPAA) for health information and the Gramm-Leach-Bliley Act for financial information. However, federal attempts at providing consumers with foundational data privacy rights have not yet made it through Congress.

The Texas Data Privacy and Security Act (TDPSA) became law in June of 2023 and takes effect on July 1, 2024. The new law regulates how consumers' personal information is collected, used, processed, and treated by certain businesses. The law applies to companies that:

  • Conduct business in the state
  • Produce a product or service consumed by residents of the state
  • Process personal data
  • Sell personal data
  • Employ over 500 workers

In addition, small businesses (those with under 500 employees) may not sell sensitive personal data without prior permission from consumers. Entities and information subject to other data privacy laws are not subject to the TDPSA. The new law also does not apply to non-profit organizations, schools, or utility providers.

Consumer Personal Data Rights Under the TDPSA

Under the TDPSA, consumers are given certain rights with regard to personal data collected by companies that determine the means and the purpose of processing the information. At any time by request, a consumer may:

  • Confirm whether personal data is being processed and have access to the information
  • Correct inaccuracies in personal data
  • Delete personal data
  • Obtain a copy of personal data
  • Opt out of having personal data sold or used for targeted advertising or profiling

Compliance With TDPSA Consumer Requests

Consumer requests about their data privacy rights must be honored within 45 days after being received. An additional 45-day extension is allowed when reasonably necessary. Information requested by a consumer must be provided free of charge in most circumstances and at least twice annually per consumer.

If a business denies a consumer's TDPSA request, it must inform the consumer not later than 45 days after receiving the request, provide justification for the decision, and instruct the consumer how to appeal the denial.

Each individual business is tasked with developing procedures for consumers to submit requests concerning private data and for them to appeal a denied request. Consumers whose appeals are denied are to be given the contact information for the attorney general's office so they may submit a complaint.

Duties of Entities That Collect and Process Private Data

The collection of personal data is limited to only such information as is adequate, relevant, and reasonably necessary to accomplish the purpose disclosed to the consumer. The data gathered must be protected by reasonable security practices that are appropriate to the amount and sensitivity of the information.

The following will be considered violations of the TDPSA:

  • Processing private data not reasonably necessary for the disclosed purpose
  • Processing private data for purposes not disclosed (without consumer permission)
  • Processing private data in violation of anti-discrimination laws
  • Retaliation against consumers for exercising their rights regarding private data
  • Processing sensitive data (personal characteristics, unique identification) without consumer consent

Privacy Notice Requirement

Consumers must be notified of the kinds of personal data that are processed and for what purpose. They are to be told if personal data is sold and provided accessible information on how to exercise their data privacy rights.

Data Protection Assessments

Certain types of data processing present a higher risk to the security of private data and potentially greater harm to consumers. Data protection assessments compare the benefits of processing the information against the risk of injury to consumers.

Data protection assessments will be required of businesses that sell private data or use it for targeted advertising. When personal data is used for profiling, a data protection assessment will be required if profiling presents a reasonably foreseeable risk of:

  • Discriminatory treatment
  • Financial, physical, or reputational injury
  • Intrusion on solitude, seclusion, or private affairs
  • Other substantial harm

Consumers Have No Private Right to Enforce the TDPSA

Consumers do not have the right to legally enforce the provisions of the TDPSA. The state attorney general has exclusive enforcement authority. This authority includes the right to initiate investigations into suspected violations and to fine violators.

The attorney general must provide written notice to a suspected violator, who then has 30 days to cure the violation and make a written report back to the attorney general. If violations are not cured after 30 days, the attorney general may bring an action to recover a civil penalty not to exceed $7,500 per violation.

How the New Data Privacy Law Will Impact Companies Doing Business in Texas

In this ever-expanding digital world, consumer private data can be manipulated, sold, or stolen. Individual states and perhaps soon the federal government are starting to recognize the rights of consumers to have more control over how their personal data is used and to protect themselves from unauthorized misuse.

Companies doing business in Texas may face operational and financial risks if they fail to understand and incorporate the data privacy requirements as the TDPSA takes effect later this year.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
