On June 18, 2023, Governor Abbott signed the Texas Data Privacy and Security Act (“TDPSA”) into law to regulate the collection, use, processing, and treatment of Texas consumers’ “personal data” by businesses. The TDPSA becomes effective on July 1, 2024, and will be enforced by the Texas Attorney General. The passage of the TDPSA makes Texas the tenth U.S. state to enact a comprehensive data privacy law, alongside California, Colorado, Connecticut, Indiana, Iowa, Montana, Tennessee, Utah, and Virginia.
This patchwork of U.S. state privacy regimes follows the E.U.’s General Data Protection Regulation (“GDPR”), which revolutionized modern consumer privacy rights in Europe and has since become a global legislative trend. While no comprehensive federal data privacy law has been enacted, the American Data Privacy and Protection Act is the proposal that has made it the furthest on Capitol Hill, with a new draft to be issued later this year. In the meantime, states are taking the lead to protect their consumers’ data from abusive business practices, slowly but surely vesting their residents with GDPR-inspired privacy rights, including the rights to know when their personal data is collected over the internet and to access the data collected, to request that data controllers correct and/or delete their personal data, to prohibit the sale of their personal data, and to opt out of the processing of their personal data for targeted advertising and profiling, as well as protections against being discriminated or retaliated against for exercising such data privacy rights. The most stringent of the U.S. privacy laws is the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), and the new March 2023 regulations implementing the CPRA.
Although the TDPSA largely mirrors the business-friendly Virginia Consumer Data Protection Act model, several key differences exist which more closely align with the more protective data privacy provisions in Colorado and Connecticut. Most notably, the TDPSA applies more broadly to persons and businesses that: conduct business in Texas or produce products or services consumed by Texas residents, without specifying a minimum number of consumers, and process or engage in the sale of any personal data; however, there is a carve-out for small businesses as defined by the U.S. Small Business Administration. 11 Tex. Bus. & Comm. Code § 541.002. The other nine states’ data privacy laws apply only to entities that either control or process a minimum number of consumers’ data (generally 100,000) or that derive a set amount of revenue from the sale of personal data and control the personal data of a minimum number of consumers (generally 25,000). Consistent with its wider scope, the TDPSA has also adopted a broader definition of “personal data” as including “any information, including pseudonymous data and sensitive data, which is linked or reasonably linkable to an identified or identifiable individual” but not publicly available information or deidentified data, id. at § 541.001(19), thereby including personal data that could be combined with other information to identify a consumer. “Sensitive data” is a subset of personal data afforded heightened protections, which under the TDPSA includes: personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data; personal data collected from a known child; and precise geolocation data. Id. at § 541.001(29).
One of the key requirements imposed under the TDPSA, along with all of the other nine state laws, concerns mandatory privacy notices, which must be provided whenever that state’s residents’ personal data is collected over the internet, if any of the personal data gathered will be sold for targeted advertising purposes, and if any sensitive personal data gathered will be sold to third parties. Id. at §§ 541.102, 541.103.
The TDPSA also requires that, beginning January 1, 2025, data controllers must recognize consumers’ use of “universal opt-out mechanisms” to prohibit the sale of their personal data and targeted advertising. Id. at § 541.055(e). A “controller” is “the individual or other person which, alone or jointly with others, determines the purpose and means of processing personal data,” id. at § 541.001(8), while a “processor” is the person “that processes personal data on behalf of a controller,” id. at § 541.001(23). For example, an employer is the controller of the personal data of its employees and the payroll company it utilizes is the processor. The distinction between data controllers and processors is a GDPR concept that is reflected in all data privacy laws. All ten of the U.S. state comprehensive data privacy laws contain requirements for Data Processing Agreements (“DPAs”), the contract between a data controller and a processor which governs data processing procedures. To be TDPSA compliant, DPAs must include clear instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. Id. at § 541.104(b). Reach out to Liskow if you have questions about steps you can take now to prepare.
Disclaimer: This Blog/Web Site is made available by the law firm of Liskow & Lewis, APLC (“Liskow & Lewis”) and the individual Liskow & Lewis lawyers posting to this site for educational purposes and to give you general information and a general understanding of the law only, not to provide specific legal advice as to an identified problem or issue. By using this blog site you understand and acknowledge that there is no attorney-client relationship formed between you and Liskow & Lewis and/or the individual Liskow & Lewis lawyers posting to this site by virtue of your using this site. The Blog/Web Site should not be used as a substitute for legal advice from a licensed professional attorney in your state regarding a particular matter.