In the absence of a federal comprehensive privacy law, states have been enacting their own in a sort of domino effect, creating a patchwork of compliance laws with their own nuances. The Texas Data Privacy and Security Act (TDPSA) is one of those new laws and goes into effect July 1, 2024, bringing Texas into the fold of U.S. states with a comprehensive data privacy law.While the TDPSA is similar to existing state data privacy laws, it has a unique threshold requirement that may broaden its reach compared to other states. Below are some key considerations that covered businesses should take into account to get ready for compliance with this upcoming new law.
Scope and Applicability
Unlike other state privacy laws, the TDPSA does not provide applicability thresholds based on a business' revenue or volume of personal data processed. Instead, the TDPSA applies to entities that:
- Conduct business in Texas or produce products or services consumed by Texas residents;
- Process or engage in the sale of personal data; and
- Are not a small business as defined by the U.S. Small Business Administration, under which qualification varies by industry.
Exemptions
Consistent with other state privacy laws, the TDPSA contains entity-level exemptions for:
- State agencies or political subdivisions of the state;
- Financial institutions subject to Title V of the Gramm-Leach-Bliley Act;
- Covered entities or business associates governed by the privacy, security and breach notification rules established under the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act;
- Nonprofit organizations;
- Higher education institutions; and
- Electric utilities, power generation companies and retail electric providers.
Controller's Obligations
The TDPSA imposes specific obligations and requirements on data controllers, including:
- Data minimization
- Purpose limitation
- Nondiscrimination
- Opt-in consent for the processing of sensitive personal data
- Privacy notices
- Additional notices for the sale of sensitive or biometric data
- Universal opt-out mechanisms for the sale of personal data and targeted advertising
- Data security safeguards
- Data processing agreements
- Data protection impact assessments for certain high-risk processing activities
Consumer Rights
The TDPSA recognizes a number of consumer rights, including the right to:
- Data access and portability
- Correct inaccuracies
- Delete personal data
- Opt out of targeted advertising, sale of personal data or profiling
- Appealany denial of a rights request
Given the novelty of some of the TDPSA's provisions and unique applicability test that may broaden its reach, covered businesses will need to reassess their privacy practices and programs to ensure compliance. Stay tuned for further updates as we navigate the hastily evolving U.S. privacy landscape.
For More Information
If you have any questions about this Alert, please contact Michelle Hon Donovan, Sandra A. Jeskie, Milagros Astesiano, any of the attorneys in our Privacy and Data Protection Group, any of the attorneys in our Technology, Media and Telecom Industry Group or the attorney in the firm with whom you are regularly in contact.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.