The Texas Data Privacy and Security Act (“TDPSA”) goes into effect on July 1, 2024. Unlike some recent consumer privacy statutes, the TDPSA does NOT tie compliance to revenue or amount of data processes. Rather, the applicability of the TDPSA is based on the type of business and the purpose of the data collected (such as for the purpose of targeted advertising. There are a number of exceptions for the type of data that is collected and processed.

The TDPSA applies to the following businesses:

• Those conducting business in Texas, or generating products or services consumed by Texas residents
• Those engaged in processing, or in the sale of personal data

However, businesses are exempt if they are identified as a “small business” as defined by the U.S. Small Business Administration. Generally, this means businesses with fewer than 500 employees are not affiliated with larger companies. Other types of organizations are also exempt from compliance, including:

• State government agencies
• Electric utilities
• Certain financial institutions (those who are subject to the Gramm-Leach-Bliley Act)
• Insurance companies
• Institutions of higher education
• Not-for-profit organizations

As for data, certain types of data are exempt from compliance with the Texas Data Privacy and Security Act. The most important of which is an exemption for data that is processed or maintained for employment-related purposes. There may also be exemptions for data that is processed manually. See, e.g., the definition of “profiling.” Other exemptions are for data covered by federal privacy laws. In this respect, the TDPSA is similar to other U.S. consumer privacy laws. The exemptions include data collected and processed covered by statutes like:

• Health Insurance Portability and Accountability Act
• Fair Credit Reporting Act
• Children’s Online Privacy Protection Act
• Family Educational Rights and Privacy Act
• Driver’s Privacy Protection Act

The Texas Data Privacy and Security Act classifies covered businesses into two categories: controllers and processors. Controllers are defined as “an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data.” A processor is “a person that processes personal data on behalf of a controller.” The TDPSA imposes the most obligations on controllers. By contrast, processors are required to carry out their processing operations in conformity with a controller’s instructions, confirm that such instructions adhere to the TDPSA’s requirements, and have required contractual agreements in place with a controller.

Among other things, the TDPSA requires controllers to do the following:

• Restrict data collection to what is “pertinent, adequate, and necessary” OR obtain consumer consent for the collection of more expansive data
• Obtain consent for collecting and process “sensitive data” defined as (i) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status, (ii) genetic or biometric data that is processed for the purpose of uniquely identifying an individual, (iii) personal data collected from a known child, and (iv) precise geolocation data (data that would locate a consumer within 1,750 feet)
• Not engage in discrimination with respect to collecting or processing
• Not engage in retaliation against consumers who exercise their rights under the TDPSA
• Provide notices to consumers at the point that data is collected, disclosing what data is collected, the purpose of processing such data, and the consumer’s rights and how to exercise those rights, and more
• Provide additional and more specific disclosures if the controllers collect data for targeted advertising or who sells sensitive personal data
• Prepare and have available written data protection assessments for any controller who (i) processes sensitive data (through its own procedures or through a processor), (ii) processes personal data for targeted advertising or for selling such data, (iii) profiles data which is defined as “any form of solely automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements or (iv) engages in any other processing activity that could potentially escalate risk of harm to consumers

Contact the Consumer Data Privacy Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.