The Texas Data Privacy and Security Act (TDPSA) represents a significant milestone in the realm of data protection and privacy in the Lone Star State. Enacted on June 16, 2023, TDPSA has ushered Texas into a select group of states with comprehensive consumer privacy legislation. This landmark act is designed to safeguard the personal data of Texas residents, setting the stage for robust data protection practices and accountability.
As Texas joins the ranks of states addressing the complex challenges posed by data privacy and security in the digital age, it is imperative to understand the intricacies of this legislation and its potential impact on businesses, consumers, and the broader privacy landscape.
Scope: “targeted to” vs. “consumed by”
In the context of the Texas Data Privacy and Security Act (TDPSA), the terms “targeted to” and “consumed by” refer to different aspects of how the act addresses the collection, use, and processing of personal data. Let’s explore the meanings and implications of these terms within TDPSA:
Meaning: “Targeted to” generally pertains to the intentional focus or directed efforts of a business or entity toward specific individuals or groups. In the context of TDPSA, it implies that a business or organization actively seeks out or directs its services, products, or marketing activities toward particular individuals or demographics.
Implications: If a business is “targeted to” a certain group or individual, TDPSA may impose specific obligations and requirements regarding the collection and use of personal data related to those targeted individuals. This could include the need for clear privacy notices, consent mechanisms, and data protection measures tailored to the targeted audience.
Meaning: “Consumed by” in the context of TDPSA suggests that personal data is actively used, processed, or utilized by a business or entity for its own purposes. It implies that the collected data is not merely gathered but has a practical and meaningful role within the operations of the entity.
Implications: When personal data is “consumed by” a business, TDPSA may require that the data be handled in accordance with the act’s provisions. This includes ensuring data security, allowing data subject rights, and complying with data protection assessments.
Sensitive personal data
In the Texas Data Privacy and Security Act (TDPSA), sensitive personal data holds a significant role in the protection of individuals’ privacy. The act defines sensitive data as any information that includes:
Genetic or biometric personal data
TDPSA encompasses genetic or biometric data, which can include unique biological identifiers such as fingerprints or genetic profiles. These types of personal data collected are considered highly sensitive due to their ability to identify an individual uniquely.
Personal data revealing racial or ethnic origin
The act also considers personal data that reveals an individual’s racial or ethnic origin as sensitive. This category is vital for safeguarding against discriminatory practices.
Data from known children
TDPSA categorizes data collected from known children, defined as individuals under 13 years of age, as sensitive data. This provision aims to protect the privacy of minors and impose additional safeguards on their data.
The inclusion of these categories in the definition of sensitive data underscores TDPSA’s commitment to preserving privacy and security, especially concerning highly personal and potentially sensitive information such as any data revealing a consumer’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, citizenship or immigration status, as well as any genetic or biometric data used for identifying an individual, any personal data collected from a known child, or any precise geolocation data. Businesses and entities that collect, use, or process sensitive data under TDPSA are subject to additional obligations and protections to ensure the responsible handling of such information.
Protecting sensitive personal information under the TDPSA
The Texas Data Privacy and Security Act (TDPSA) places significant emphasis on safeguarding sensitive personal information. Here are key measures for protecting such data under TDPSA:
Data protection assessments: TDPSA mandates businesses to conduct comprehensive data protection assessments. This includes identifying and assessing the risks associated with sensitive personal information. These assessments help businesses develop and implement appropriate data protection measures.
Data security measures: Businesses must implement robust data security measures to protect sensitive personal information. This includes encryption, access controls, and regular security audits to ensure data integrity and confidentiality.
Privacy notices: TDPSA requires businesses to provide clear and concise privacy notices to individuals whose sensitive personal information is collected. These notices inform individuals about how their data will be used, stored, and shared, ensuring transparency and informed consent.
Data subject rights: The act grants individuals certain rights over their sensitive personal information. Businesses must respect these rights, including the right to access, correct, and delete their data. Complying with data subject requests is crucial for protecting sensitive information.
Consent mechanisms: Obtaining clear and explicit consent before collecting and processing sensitive personal information is a fundamental requirement under TDPSA. Consent mechanisms must be user-friendly and easy to understand.
Security audits and compliance: Regular security audits and assessments ensure businesses are compliant with TDPSA’s data protection requirements. These audits help identify vulnerabilities and strengthen data protection measures.
Data minimization: To reduce risks, businesses should practice data minimization. This involves collecting only the minimum amount of sensitive personal information necessary for the intended purpose, thereby limiting exposure and potential harm.
Data retention policies: TDPSA encourages the establishment of data retention policies. Businesses should only retain sensitive personal information for as long as necessary and securely dispose of it when no longer needed.
Employee training: Training employees on data protection practices is essential. Employees should understand their role in safeguarding sensitive personal information and be aware of the legal obligations under TDPSA.
Response to data breaches: TDPSA requires businesses to promptly respond to data breaches involving sensitive personal information. Notification of affected individuals and authorities is a critical step in mitigating harm.
Consumer rights and consent in the TDPSA
The Texas Data Privacy and Security Act (TDPSA) enforces robust consumer rights and consent requirements to protect the privacy of individuals’ personal data:
Clear and informed consent
TDPSA defines consent as a clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to the processing of their personal data. This stringent definition ensures that consumers are fully aware of and willingly agree to how their data is handled.
Data subject rights
Consumers have various rights under TDPSA, including the right to access their personal data held by businesses, the right to correct inaccuracies, and the right to request the deletion of their data. These rights empower consumers to have control over their personal information.
Consent for sensitive data
Obtaining consumer consent is particularly crucial when processing sensitive data. TDPSA requires businesses to obtain explicit consent for collecting and processing sensitive personal information. This includes genetic or biometric data and data revealing racial or ethnic origin.
Transparency through privacy notices
Businesses must provide clear and concise privacy notices to consumers, informing them of the purposes for which their data will be used and any third parties with whom it may be shared. Transparency is essential to ensure that consumers can make informed decisions about their data.
Data breach notification
TDPSA mandates businesses to notify consumers and appropriate authorities in the event of a data breach that could result in harm to consumers. This prompt notification allows consumers to take necessary actions to protect themselves.
Right to opt-out of targeted advertising
The act also provides consumers with the right to opt out of the sale of their personal data for targeted advertising. This ensures that consumers have control over their data’s use for marketing purposes.
Exemptions granted by the TDPSA
The Texas Data Privacy and Security Act (TDPSA) includes several exemptions for specific entities and types of data. These exemptions are designed to clarify which organizations and information fall outside the scope of the act’s requirements.
State agencies and political subdivisions: TDPSA does not apply to state agencies or political subdivisions of Texas. These government entities are exempt from the act’s provisions.
Financial institutions: The act exempts financial institutions subject to Title V of the federal Gramm-Leach-Bliley Act (GLBA). These institutions already have federal regulations governing the protection of consumer financial information, and TDPSA does not duplicate those requirements.
These exemptions help ensure that certain entities that are already subject to comprehensive federal regulations related to data privacy and security are not burdened by additional state-level requirements. However, it’s essential for organizations falling under these exemptions to remain compliant with the relevant federal laws.
The Texas Data Privacy and Security Act (TDPSA) establishes a framework for processor contracts, particularly focusing on the relationship between data controllers and processors. Here are key aspects of processor contracts in the TDPSA:
The TDPSA adopts a controller-processor framework. This framework defines the roles and responsibilities of data controllers and processors in handling personal data. Controllers determine the purposes and means of processing data, while processors carry out processing on behalf of controllers.
Obligations of controllers and processors
TDPSA specifies obligations for both controllers and processors. Controllers are responsible for ensuring that processing activities comply with the TDPSA’s requirements. Processors, on the other hand, must process personal data only as instructed by controllers and take appropriate security measures to protect the data.
Clear and accessible processor contracts
TDPSA requires that controller-processor contracts be clear and accessible. These contracts should outline the specific instructions for data processing, security measures, and compliance with TDPSA’s provisions.
Data protection assessments
Controllers and processors may need to conduct data protection assessments as part of their contractual obligations. These assessments help ensure that data processing activities are in compliance with TDPSA.
Under the TDPSA, processors are not absolved of any responsibility or accountability in relation to the processing of personal data. They are required to adhere to the provisions of the law and ensure that all their actions are in compliance with the regulations set forth. Thus, processors are mandated to exercise utmost caution and diligence in their duties to avoid any breach of the law.
It’s crucial for businesses to establish robust processor contracts that align with TDPSA’s requirements to ensure the protection of personal data and compliance with the law. These contracts play a pivotal role in defining the responsibilities and obligations of both data controllers and processors in the data processing chain.
Enforcement – Private right of action?
The Texas Data Privacy and Security Act (TDPSA) does not provide for a private right of action for individuals or consumers. This means that individuals cannot file lawsuits against businesses for alleged violations of TDPSA in their personal capacity.
Enforcement of TDPSA is vested in the Texas Attorney General (AG). The Texas AG has the authority to conduct enforcement actions, issue investigative demands, and seek civil penalties against businesses that violate the provisions of TDPSA. The state attorney general is responsible for ensuring compliance with TDPSA and taking legal action against non-compliant entities.
Penalties & fines under the TDPSA
The Texas Data Privacy and Security Act (TDPSA) imposes penalties and fines on individuals and entities that fail to comply with its provisions. Here are key details about the penalties and fines under TDPSA:
Penalties for non-compliance: TDPSA establishes penalties for violations of its requirements. Violations can result in fines and other consequences.
Fines for violations: The fines under TDPSA can be substantial. They can be up to $7,500 per violation. This means that each violation of the law can lead to a fine of up to $7,500.
Multiplier effect: It’s important to note that the law counts violations on a per-consumer basis. For example, if a business violates the privacy rights of 1,000 consumers, it could be subject to fines for 1,000 violations, potentially totaling millions of dollars in fines.
Grace period for cure: TDPSA allows a grace period of 30 days for a violating party to cure the violation. During this period, the party can take corrective actions to rectify the non-compliance. If the violation is cured within this timeframe, it may mitigate or eliminate the fines.
Enforcement by Texas Attorney General: The Texas Attorney General is responsible for enforcing TDPSA and pursuing legal action against non-compliant individuals and entities. The Attorney General has the authority to issue penalties and fines for violations.
AG’s website: TDPSA requires the Attorney General to post information about violations and enforcement actions on the Attorney General’s website.
The Texas Data Privacy and Security Act (TDPSA) represents a significant milestone in the realm of data privacy and security, solidifying Texas as a state dedicated to safeguarding the personal information of its residents. TDPSA, which became law on June 16, 2023, is a comprehensive consumer privacy legislation that places Texas at the forefront of data protection in the United States. As the 11th state in the U.S. to enact comprehensive consumer privacy legislation, Texas joins a growing number of states prioritizing data protection.
With the enforcement of TDPSA set to commence on July 1, 2024, businesses operating in Texas must prepare for compliance with this robust privacy law. Understanding the intricacies of TDPSA is essential to avoid potential fines and penalties and to demonstrate a commitment to protecting consumer data.