A Guide To The Texas Data Privacy & Security Act

Gray Reed & McGraw LLP

Contributor

A full-service Texas law firm with offices in Dallas, Houston and Waco, Gray Reed provides legal services to companies ranging from start-up to Fortune 100 as well as high net worth individuals. For more information, visit www.grayreed.com.

WHAT IS THE TEXAS DATA PRIVACY & SECURITY ACT (TDPSA)?

The TDPSA is a comprehensive privacy law that regulates how businesses and individuals engage in the collection, use, processing, sale and sharing of personal data of Texas residents. The Act also directs businesses to conduct regular data protection assessments, provide privacy notices to consumers, and have a contractual relationship in place with their third-party data processors.

The TDPSA, however, does not apply to data collected, used, or processed for employment purposes (e.g., data about potential, existing, or past employees), nor to business contact data (e.g., office phone numbers, business mailing addresses, business email addresses).


WHO IS IMPACTED?

The TDPSA applies to any organization or person conducting business in the State of Texas that collects, uses, or processes the personal data of Texas residents, unless it falls under one of the exemptions noted below.

EXAMPLES OF PERSONAL DATA

  • Full name/aliases
  • Postal mailing and email address
  • Birth date
  • Passport number
  • Social Security number
  • Driver's license number
  • Banking information
  • Payment card information
  • Geo-location data
  • Biometric information
  • Racial or ethnic origin
  • Sexuality

WHO IS EXEMPT UNDER TDPSA?

  • A state agency or political subdivision of Texas;
  • Financial institutions, or data that is subject to the Gramm-Leach-Bliley Act (GLBA);
  • Entities subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH);
  • Non-profit organizations;
  • Institutions of higher education; or
  • Electric utilities, power generation companies and retail electric providers.

However, if an exempt entity processes or engages in the sale of personal data, the TDPSA may become applicable.

ILLUSTRATIVE EXAMPLES OF WHEN TDPSA IS APPLICABLE

  • A company uses cookies or other tracking technologies to collect data on Texas residents visiting its website, such as their IP addresses, device identifiers, website usage, and data regarding network-connected hardware (e.g., computers, mobile devices).
  • A company's website enables users to enter their personal data to receive more information about the company's services or products.
  • A professional services firm that provides services to individuals and collects personal client data.
  • A manufacturer of consumer goods that collects personal data through online registrations and shares the personal data of registrants from that list (versus selling it) with a non-affiliate, who then provides discounts to the manufacturer for sharing its consumer list.

HOW IS SALE OF PERSONAL DATA DEFINED BY TDPSA?

The "sale of personal data" means the sharing, disclosing, or transferring of personal data by the controller to a third party for monetary or some other value or benefit. A controller is the individual or company that determines the purpose and means of processing personal data.

However, the term does not include the disclosure of personal data to third parties for business purposes, including the following:

  • The disclosure of personal data to a processor that processes the personal data on the controller's behalf;
  • The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
  • The disclosure or transfer of personal data to an affiliate of the controller;
  • The disclosure of information that the consumer:
    • Intentionally made available to the general public via a mass media channel; and
    • Did not restrict to a specific audience; or
  • The disclosure or transfer of personal data to a third party as an asset that is part of a merger or acquisition.

SALE OF PERSONAL DATA EXAMPLES

  • A retail conglomerate has a membership program in which personal data is collected. The information collected is shared with an insurance company that is wholly owned by the retail conglomerate. The insurance company advertises directly to the member, resulting in the member purchasing insurance coverage.
  • A residential builder sells homes and shares the homebuyer's information with a homeowner's warranty company, receiving money for sharing the information.
  • A non-profit rescues animals and receives donations. Upon obtaining the donor's personal information, it provides that information to third parties that directly advertise pet-related products. If purchases are made at the third-party store, the non-profit receives kickbacks in the form of pet products (e.g., blankets, dog food).

WHAT PERSONAL DATA IS EXEMPT FROM THE APPLICATION OF TDPSA?

The TDPSA does not apply to the following types of personal data:

  • Protected health information regulated by HIPAA;
  • Health records;
  • Personal data regulated by the Family Educational Rights and Privacy Act (FERPA);
  • Personal data collected, processed, sold, or disclosed in compliance with the Farm Credit Act of 1971; or
  • Data processed or maintained in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role.

HOW IS TDPSA ENFORCED?

The Texas Attorney General (AG) will post on its website an online mechanism through which a consumer may submit a complaint under this law. If the AG has reasonable cause to believe that a person has engaged in or is engaging in a violation of this law, the AG may issue a civil investigative demand.

WHAT ARE THE PENALTIES FOR CONTROLLERS AND PROCESSORS UNDER TDPSA?

Persons who violate the TDPSA after the cure period (up to a 30-day period) has expired, or who breach a written statement provided to the AG, are liable for a civil penalty that shall not exceed $7,500 for each violation.

WHAT ARE THE COMPLIANCE REQUIREMENTS PRESCRIBED BY THE TDPSA?

Among the many requirements mandated by the TDPSA, the following are the most critical to implement:

  • Enabling Consumer Rights Requests – Must be able to locate a consumer's record and have the capability to make corrections, updates, or deletions as requested.

  • Comply with Procedural Mandates – Have a repeatable process in place to receive, track, and respond within 30 days to privacy requests. (45 days to respond to/fulfill the request, and another 45 days if needed, but the consumer must be notified of the extension.)

  • Include an Appeals Process – Provide consumers a procedure to appeal a denied consumer rights request.

  • Two Methods to Exercise Consumer Rights – Have two options available for consumers to contact the company regarding their privacy rights.

  • Data Protection Assessments (DPAs) – Where applicable, a DPA must be performed for:
    • The processing of personal data for purposes of targeted advertising;
    • The sale of personal data; and
    • The processing of personal data for purposes of profiling, if the profiling presents a reasonably foreseeable risk.

  • Contracts Between the Controller and the Processor – Contracts must include:
    • Clear instructions for processing data;
    • The nature and purpose of processing;
    • The type of data subject to processing;
    • The duration of processing;
    • The rights and obligations of both parties; and
    • A requirement that the processor shall adhere to a number of privacy requirements.

  • Universal Opt-Out Mechanisms – This provision refers to streamlined processes offered to consumers to opt out of certain data processing activities, which must be in place by Jan. 1, 2025.

  • Disclosure Transparency and Privacy Notice Updates – Explain to consumers and users exactly what your privacy practices are on websites, in notifications, and within contracts.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
