In an era where data breaches and online privacy concerns are becoming increasingly prevalent, states across the United States have taken significant steps to protect their residents’ personal information. Joining the ranks of California and Virginia, Texas has now passed its own comprehensive data privacy legislation: the Texas Data Privacy and Security Act (TDPSA). This consumer privacy law empowers Texans with the right to control their personal data, while also imposing strict obligations on businesses to ensure data security and transparency. In this blog post, we will explore the key provisions of the TDPSA, its applicability, and the rights it grants to consumers.
Applicability and Scope
The TDPSA represents a groundbreaking shift in the landscape of data privacy laws. Unlike its predecessors, it applies to a much broader range of individuals and businesses both within and outside the state. It encompasses any entity conducting business in Texas, producing products or services consumed by Texas residents, and involved in processing or selling personal data. Even small businesses, with certain exemptions, must obtain consumer consent before selling sensitive personal data.
Notably, the TDPSA looks beyond a business’s targeting strategy and focuses on whether its products or services are consumed by Texas residents. Thus, it has the potential to affect a wide array of entities, regardless of size or revenue.
Central to the TDPSA’s mission is empowering consumers with comprehensive rights over their personal data. These rights are consistent with similar laws, such as the Virginia Consumer Data Protection Act (VCDPA). Among the key rights granted to consumers under the TDPSA are:
- Right to Know: Consumers have the right to inquire whether a controller is processing their personal data.
- Right to Portability: Consumers are entitled to receive a portable copy of their processed personal data in digital format.
- Right to Deletion: Consumers can request the deletion of personal data held by controllers.
- Right to Correction: Consumers can request the correction of any inaccurate personal data.
- Right to Opt-Out: Consumers have the right to opt out of the sale of their personal data, targeted advertising, and profiling that carries significant consequences.
The TDPSA places substantial responsibilities on businesses, referred to as controllers, that handle personal data. Controllers must adhere to data minimization practices, limiting the use of personal data only to what is reasonably necessary. They must also conduct data protection assessments for specific processing activities that pose a higher risk to consumers, such as targeted advertising or processing sensitive data.
Furthermore, controllers in possession of de-identified or pseudonymous data must ensure that such data cannot be linked to an individual. They are also required to contractually bind any recipient of this data to compliance measures and oversee their adherence to these commitments.
Compliance and Enforcement
The TDPSA will take effect on July 1, 2024, and businesses must be prepared to comply with its provisions. The Texas Attorney General is designated as the primary enforcer of the TDPSA, with the authority to investigate violations and impose penalties of up to $7,500 for each violation. Notably, businesses are provided a 30-day grace period to cure any violations, subject to certain conditions and notifications.
The Texas Data Privacy and Security Act represents a significant milestone in the ongoing efforts to protect consumer data privacy. By granting Texans greater control over their personal information and imposing strict obligations on businesses, the TDPSA sets a robust framework for safeguarding data privacy and security in the state. As Texas joins the ranks of other privacy-conscious states, businesses must prepare diligently for the TDPSA’s implementation to ensure they are compliant and ready to uphold their customers’ privacy rights effectively. By navigating the path forward with diligence and dedication, Texas will lead the way in fostering a privacy-centric environment that serves as a model for other states and nations in the pursuit of data protection.