TDPSA Compliance
What is TDPSA?
The Texas Data Privacy and Security Act (TDPSA) provides Texas residents with certain rights pertaining to their data and imposes obligations on those who control and process data. It shares some similarities with other state laws such as the California Privacy Rights Act (CPRA) and Virginia’s Consumer Data Protection Act (CDPA), and it draws inspiration from the EU’s General Data Protection Regulation (GDPR).
While there are resemblances, such as the inclusion of opt-out provisions for data collection and processing, safeguards for sensitive data, and the integration of privacy-by-design principles, the significant divergences lie in the specific details. This insight comes from Kirk Nahra, a seasoned privacy attorney and co-chair at WilmerHale.
For instance, the CPRA (California) and TDPSA (Texas) diverge in their definitions of “sensitive data.” As Nahra pointed out, complying with the law will require careful consideration of these distinctions. In the following discussion, we will delve into the definition of sensitive data under the TDPSA, along with its other stipulations.
Who does the TDPSA apply to?
The Texas Data Privacy and Security Act (TDPSA) applies to “controllers” that conduct business in Texas or produce or deliver commercial products or services that are intentionally targeted to Texas residents.
What happens if I don't comply with the TDPSA?
The TDPSA doesn’t specify the penalties or fines that violators will have to pay. However, violations of the regulation are considered a deceptive trade practice. This means that violations will be dealt with as per the Texas Deceptive Trade Practices-Consumer Protection Act.
Fines per violation can vary based on the specifics of the violation. TDPSA violations could also result in criminal charges.
Enforcement of the TDPSA is entrusted to the Texas Attorney General and district attorneys, who bear the responsibility of implementing injunctions, penalties, and settlements. It is important to note, however, that the TDPSA does not provide a private right of action, meaning that individuals cannot file lawsuits against businesses for violating their rights.
Before the Attorney General or district attorneys can initiate any enforcement measures, they are obliged to issue a notice of violation to the relevant business. This notice grants the violators a 60-day cure period, during which they can rectify the violations.
If the business remains non-compliant after the cure period, the district attorneys or Attorney General can proceed with enforcement actions.
As of January 1, 2025, the 60-day cure period will no longer be in effect. Instead, violators will have the option to request interpretative guidance and opinion letters from the office of the Attorney General.
When will the TDPSA go into effect?
The TDPSA tasks the Texas Attorney General with implementing and enforcing it, including adopting new rules. The TDPSA is part of the State of Texas’s Deceptive Trade Practices-Consumer Protection Act and goes into effect on July 1, 2025.
Complying with the TDPSA
The TDPSA is one of several comprehensive data privacy laws, and other states, such as Indiana, Iowa, Tennessee, and Colorado, are also introducing their own privacy bills. As businesses operate across multiple states, it becomes increasingly difficult to navigate and adhere to the intricate network of state data privacy laws.
Maintaining compliance begins with staying informed about the evolving legislation that may impact your company. Keeping track of these laws as they progress through state legislatures is essential. Subscribing to relevant newsletters and resources can be helpful.
When a new law is enacted but not yet in effect, it is advisable to review its text in collaboration with legal counsel. They can assess your compliance status and provide guidance on necessary actions.
To streamline the data compliance process, consider utilizing a Consent Management Platform (CMP) like Pandectes GDPR Compliance. A CMP relieves the burden on your team by offering customizable consent management, automation of data subject access requests, and tools for cookie & vendor management. Pandectes GDPR Compliance is specifically designed for Shopify Stores and is ready to assist you in achieving and maintaining compliance within the ever-changing landscape of data privacy.