In a significant advance towards protecting consumer data, the Texas Data Privacy and Security Act (TDPSA) officially became law in Texas on June 16, 2023. This milestone positions Texas as the 11th state to enact a comprehensive consumer data privacy law. As companies now wrestle with the implications of this legislation, it is crucial to understand the specific state resident, data and revenue thresholds involved. Moreover, businesses must prepare to address potential surges in data subject requests while also navigating the new compliance and reporting obligations.

Understanding TDPSA

The TDPSA reflects a response to the escalating concerns surrounding consumer data protection. As the digital landscape continues to evolve, the institution of data protection laws is a growing trend. TDPSA is designed with the consumer in mind and grants them greater control over their personal information. At the same time, it places the bulk of the responsibility to properly secure and handle consumer data on businesses. The TDPSA applies to all persons that:

    • Conduct business in Texas or produce products or services consumed by Texas residents;
    • Process or engage in the sale of personal data; and
    • Are not small businesses as defined by the Small Business Act.

It is important to note that contrary to its counterparts in other states, the TDPSA does not provide for specific thresholds based on annual revenue or the volume of data processed by a particular business.

Summary of Key Considerations for Controllers:

TDPSA requires that data controllers meet specific requirements in the process of collecting personal data:

    • Only collect data that is “adequate, relevant and reasonably necessary”;
    • Ensure that data is collected in a nondiscriminatory manner;
    • Provide opt-out opportunities for the sale of personal data, targeted advertising, or profiling. Opt-outs must be clearly and conspicuously disclosed.;
    • Obtain prior consent in the processing of sensitive personal data. If the individual is a child, the data must be processed in compliance with the Children’s Online Privacy Protection Act of 1998. Controller must provide notice of potential sale of sensitive data. It must state: “NOTICE: We may sell your sensitive personal data“, or for biometric data collected such as fingerprint or face scans, it must state: “NOTICE: We may sell your biometric personal data.”;
    • Controller must provide consumers with a reasonably accessible and clear privacy notice with the following information:
        • The categories of personal data processed by the controller, including any sensitive data;
        • The purpose for processing personal data;
        • The categories of personal data shared with third parties;
        • The categories of third parties with whom the data is shared; and
        • A description of the methods required for a consumer to submit a request to exercise their rights under the TDPSA, including any rights to appeal.
    • Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue.

Exemptions to the Law

Like many other data privacy laws cropping up across the country, the TDPSA allows for “entity-level, data-specific, and employment-related” exemptions. Further, the law only applies to consumers acting in an individual or household capacity and does not apply to business to business transactions.

 


Entity Level Exemptions

    • Electric utilities, power generation companies and retail electric providers;
    • Financial institutions subject to Title V of the Gramm-Leach-Bliley Act;
    • Covered entities governed by HIPAA;
    • State agencies and political subdivisions;
    • Nonprofit organizations; and
    • Institutions of higher education.

Data-Specific Exemptions

    • Health information protected by HIPAA;
    • Information processed in accordance with the Fair Credit Reporting Act, Driver’s Privacy Protection Act, Family Educational Rights and Privacy Act, the Farm Credit Act; others.
    • Personal data processed by an individual in the act of a personal or household activity; and
    • Emergency contact information.

    Employment-Related Exemptions

Information processed or maintained in the course of an individual applying to, employed by, or acting as an agent or independent contractor and the information is used for the purposes of that individual’s employment.


Data Subject Requests

With the enactment of TDPSA, companies should anticipate a potential influx of data subject requests. These requests may involve inquiries about the collection, use and deletion of personal information. Consumers may also request corrections of their personal data. Consumers may also request a copy of their personal data that was collected.  Businesses must establish at least two or more secure accessible ways for a consumer to access their data. For example, these methods could include through the website or via email.  All requests must be responded to within 45 days, with a possible extension of an additional 45 days if necessary. Establishing efficient response mechanisms is crucial to ensuring compliance and maintaining trust with consumers.

 


Compliance and Reporting Guidelines

TDPSA introduces a complex framework of compliance and reporting obligations that companies must navigate. From ensuring the implementation of privacy policies to reporting data breaches promptly, adherence to these obligations is essential for avoiding legal repercussions. Controllers must conduct regular document data protection assessments that identify the potential risks to consumers and balance the benefit of the business in utilizing that information. The categories of information that must be assessed under the law include:

    • Processing personal data for targeted advertising;
    • The sale of personal data;
    • Processing personal data for prog=filing customers if there is a danger of unfair or deceptive treatment as a result;
    • Processing sensitive data; and
    • Any data processing that presents a “heightened risk to consumers.”

Data Security Measures

The law underscores the importance of robust data security measures. Companies are expected to implement safeguards to protect consumer data from unauthorized access, disclosure, alteration, and destruction. This includes adopting encryption, access controls, and other industry-standard security practices.

 


Enforcement

The Texas attorney general has the exclusive authority to enforce the TDPSA and may impose fines of up to $7,500 per violation as well as seeking injunctive relief and attorney fees. Consumers do not have a private right of action to bring suit under the TDPSA. If the attorney general discovers a violation of the TDPSA, it will give the business 30 days to “cure” the problem. If the problem is resolved no charges may be brought.

 


Conclusion

As Texas joins the ranks of states prioritizing consumer data protection, businesses are tasked with adapting to the new regulatory landscape. Beyond compliance, companies have an opportunity to build trust with their customers by demonstrating a commitment to data privacy and security. Navigating the intricacies of TDPSA requires a proactive approach, with companies taking steps to understand the law’s nuances, establish compliance frameworks and foster a culture of data responsibility.

The cybersecurity law practice team at Wood, Smith, Henning, and Berman are well versed in the implications of this law and its impact on business. Should you have any questions or require legal assistance in achieving compliance with this law please do not hesitate to reach out to a member of our team.

 


Meet the Authors

Headshot of Christopher SeusingChristopher Seusing Chris Seusing is the managing partner of WSHB’s Boston, MA and Westport, CT offices. He also leads the firm’s national Cybersecurity & Data Privacy team. With more than 15 years of collective experience in cyber, professional and management liability areas, Chris represents companies and professionals in complex litigation matters around the country. He counsels clients on responding to data breach incidents and regulatory inquiries and investigations, oversees forensic investigations of incidents, drafts information management policies and procedures in compliance with privacy regulations, and collaborates with case teams to implement cost-effective processes using state-of-the-art litigation tools, including analytics and technology-assisted review. Chris leads WSHB’s National Cyber Incident Team which is available 24/7 to respond to cyber incidents and suspected data breaches, and is part of an international legal team focused on data protection and cybersecurity which is regularly called upon by public and private entities to navigate emerging challenges. He is well-regarded for his real time knowledge based on best practices which dovetails into his sage counsel on risk management, mitigation and claim avoidance. Additionally, Chris is a published thought leader, guest lecturer at law schools, and sought after speaker on cybersecurity, data privacy and litigation issues.

 

Headshot of Daniel ParetDaniel Paret An accomplished civil and commercial litigation attorney, Daniel J. Paret is a partner in WSHB’s Texas offices. His practice includes commercial and business litigation, labor and employment, oil and gas, and professional liability matters. Dan also handles cybersecurity and data privacy matters, including data breach class actions, tech litigation, breach response cases, and state/federal enforcement of data privacy statutes. He has successfully represented clients throughout the State of Texas in both state and federal courts. A certified mediator, Dan also represents clients with alternative dispute resolution issues. He has worked as a neutral and arbitrator of disputes. Dan is a graduate of Pepperdine University Caruso School of Law. While in law school, he served as the Third Year Students’ Class Representative, Chair of the Sports & Entertainment Law Society, and the Student Mentor Program. Dan also participated in moot court, where he was a semi-finalist in the Moriarty Moot Court Competition. He was born in San Juan, Puerto Rico and is fluent in Spanish. After moving to north Texas, he graduated from TCU with a degree in Finance. His legal accolades include recognition as a “Rising Star” from 2020 – 2023 in civil litigation by Super Lawyers Magazine. Dan has also been named a “Top Attorney” by 360 West Magazine, a distinction he’s held since 2017, and a “Top Attorney in Fort Worth” by Texas Magazine from 2015 to the present day.

 

News Type

PLUS Blog

Business Line

Other Business Lines

Topic

Professional Liability (PL) Insurance

Contribute to

PLUS Blog

Contribute your thoughts to the PLUS Membership consisting of 38,000+ Professional Liability Practitioners.

Related Podcasts

Related Articles

May 14, 2024

Contribute Thought Leadership with PLUS

Are you a new PLUS member looking for ways to get involved?…

House key in front door
April 30, 2024

Pennsylvania Strengthens Application of One-Year Statute of Repose Under Pennsylvania Home Inspection Law

In two recent decisions, the Pennsylvania Superior Court reaffirmed the application of…

supreme court of the usa
April 19, 2024

Strategic Defenses to Appellate Malpractice Claims

Defending appellate malpractice cases requires an understanding of the state and federal…