Everything’s bigger in Texas—even the state’s recent initiative to protect consumer data.
On Monday, July 1, 2024, the Texas Data Privacy and Security Act (TDPSA) goes into effect. Signed into law by Gov. Abbott back in June 2023, the TDPSA is one of the most comprehensive data privacy laws in the country.
Under the TDPSA, nearly all consumer-facing companies doing business in Texas will soon face data collection, processing, and disclosure requirements similar to those in California’s CCPA and CPRA. Although Texas and California are usually on different ends of the political spectrum, the states are apparently quite like-minded when it comes to data privacy.
The fact that Texas has decided to join California in passing one of the most stringent data privacy laws in the country suggests a few things: (1) consumer data privacy has become a bipartisan, hot-button issue; (2) consumers are paying more attention than ever to how companies are collecting, using, and selling their personal data, and (3) many state legislators don’t have much confidence in our dysfunctional Congress passing an effective federal data privacy law.
One of the TDPSA’s authors, Giovanni Capriglione (R-TX), certainly didn’t have faith in federal lawmakers taking the initiative back in 2019. While advocating for an earlier iteration of the TDPSA, Texas House Bill 4390, Capriglione bluntly told his colleagues, “I disagree that this is the duty of the federal government, mostly because I don’t have much faith that they will do it.”
Businesses affected by the Texas Data Privacy and Security Act
Most large organizations doing business in Texas will be affected. Unlike nearly all the other states with comprehensive data privacy laws in place, the TDPSA doesn’t exclude organizations that don’t meet volume thresholds (such as processing data of at least 100,000 residents). In Texas, there’s no minimum volume threshold.
According to the language in the TDPSA, the new law applies to any entity that (1) conducts business in Texas or produces a product or service consumed by residents of Texas; (2) processes or engages in the the sale of personal data, and (3) is not a small business as defined by the U.S. Small Business Administration.
As a quick aside, whether a business qualifies as “small” varies by industry; it’s usually based on annual revenue, number of employees, or both of these variables. Also, under the TDPSA, even “small” businesses are required to obtain consent before selling sensitive personal data.
Exceptions
In addition to the small business exception, the TDPSA doesn’t apply to (1) state agencies or political subdivisions; (2) financial institutions subject to the Gramm-Leach-Bliley Act (which already requires covered entities to safeguard sensitive data and explain their data sharing practices to customers); (3) covered entities or business associates already governed by the Health Insurance Portability and Accountability Act (HIPAA), and any other applicable federal and state healthcare laws; (4) non-profit organizations; (5) institutions of higher education; or (6) electric utility, power generation companies, or retail electric providers.
Compliance obligations
Under the letter of the law, data controllers now must: (1) only process information that is completely necessary to deliver the product or service; (2) notify consumers of their privacy rights, including the type of personal information collected, consumers’ rights to opt out, and the purposes of the collecting and processing consumer data; (3) not discriminate against consumers for exercising their privacy rights; (4) not process any personal data that violates existing state and federal discrimination laws; (5) gain consent before collecting sensitive data; (6) ensure security of personal data through reasonable data security practices; (6) conduct data protection assessments; (7) respond to consumer data requests within 45 days; (8) maintain contracts with third-party data processors and ensure that these third parties are compliant with the TDPSA as well; and (9) disclose any data breach within 60 days.
TDPSA compliance will be enforced by the Texas Attorney General. Texas residents can’t initiate a private right of action (file a civil case); however, they can inform the Texas AG about the alleged violations. Businesses face fines of up to $7500 per violation.
How businesses should prepare
If you’re already in compliance with the CCPA and CPRA, you should be well on your way toward TDPSA compliance. However, in some respects, the TDPSA goes beyond the scope of the CCPA. As a quick example, the TDPSA includes provisions for privacy policy disclosures related to the sale of biometric data, and there’s also a mechanism in place for consumers to appeal a denial of a request.
To prepare for TDPSA enforcement, businesses should organize and assess all of the data they’re collecting. It is vital that all consumer consent requirements are compliant with TDPSA. Adjustments may need to be made to corporate policies and procedures; moreover, all vendor agreements and privacy policies should be reviewed.
The growing patchwork of state laws
According to the International Association of Privacy Professional’s privacy legislation tracker, eighteen states currently have signed comprehensive consumer privacy bills into law: California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, and now, Texas.
Rhode Island appears to be next up, as its Data Transparency and Privacy Protection Act passed on June 24, 2024. And Illinois, Louisiana, Massachusetts, Michigan, North Carolina, Ohio, and Pennsylvania all have data privacy bills in either committee, cross chamber, or cross committee.
Interestingly, Vermont’s Data Privacy Act, which passed 139-3 in the House, appears to be dead on arrival after a recent veto by Republican Gov. Phil Scott. Nevertheless, with so many bills coming down the pike, the pressure is certainly on Capitol Hill to enact privacy legislation at the federal level.
Key takeaways
Texas just passed one of the strongest privacy laws in the country, signaling to the folks on Capitol Hill that the state is serious about consumer data privacy.
If legislators in Washington don’t enact a federal data privacy law soon, the headache of complying with a patchwork of state laws will continue for many businesses. The Texas law is particularly stringent; in fact, as of July 1, it won’t be uncommon for companies to be subject to California and Texas’ data privacy laws, and not many others.
In the wake of the TDPSA, hopefully folks in D.C. are realizing it’s past time for a federal law. After all, when California and Texas—two state legislatures that don’t often see eye-to-eye—agree that consumer data privacy protections are sorely needed, odds are, they’re onto something.
