The Texas Data Privacy and Security Act (TDPSA): Overview

I. Introduction

On May 28, 2023, the Texas legislature passed the Texas Data Privacy and Security Act (TDPSA), also known as H.B. 4, making Texas the tenth US state to pass a comprehensive data privacy law. The TDPSA and Virginia’s Consumer Data Protection Act (VCDPA) share several similarities, although some distinctions exist. Signed into law on 18 June 2023 by Gov. Greg Abbott, the TDPSA will take effect on July 1, 2024.

Becoming the fifth US state to pass comprehensive data privacy legislation in 2023, the other four being Iowa, Montana, Tennessee, Indiana, and Nevada, TDPSA joins the growing list of US states having comprehensive data privacy legislation.

II. Who Needs to Comply with TDPSA

A. Material Scope

The TDPSA applies only to persons who:

1. conduct business in Texas or produce product or service consumed by Texas residents;
2. process or engage in the sale of personal data; and
3. are not small businesses as defined by the United States Small Business Administration (SBA), i.e., an independent business having fewer than 500 employees.

B. Exemption

The TDPSA does not apply to:

1. a state agency or a political subdivision of Texas;
2. a financial institution or data subject to Title V, Gramm-Leach-Bliley Act (15 U.S.C. Section 6801 et seq.);
3. the processing of personal data by a person during a purely personal or household activity;
4. a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services (HHS), established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Health Information Technology for Economic and Clinical Health Act (HITECH);
5. a nonprofit organization;
6. an institution of higher education; and
7. an electric utility, a power generation company, or a retail electric provider.

Following information is also exempt from application of the TDPSA:

• Medical data covered under any medical laws: Many forms of health information, records, data, and documents protected and covered under HIPAA or other federal or state medical/healthcare laws;
• Personal data used for research: Identifiable private information collected, used, or shared in research conducted in accordance with applicable laws;
• FCRA-covered data: Any personal information of consumers collected or used for consumer credit scoring and reporting to the extent the activity is authorized and regulated by the federal Fair Credit Report Act (FCRA);
• GLBA data: Financial data subject to Title V of the federal Gramm-Leach-Bliley Act;
• Driver data: Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994;
• FERPA data: Personal data regulated by the federal Family Educational Rights and Privacy Act (FERPA);
• FCA data: Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act (FCA);
• Employment data: Personal data maintained for employment records.

III. Definitions of Key Terms

A. Personal Data

Any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual, including pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. Personal data does not include de-identified data or publicly available information.

B. Biometric Data

Data generated by automatic measurements of an individual’s biological characteristics, including a fingerprint, voiceprint, eye retina or iris, or other unique biological pattern or characteristic that is used to identify a specific individual. Biometric data does not include a physical or digital photograph or data generated from a physical or digital photograph, a video or audio recording, data generated from a video or audio recording, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.

C. Child

An individual younger than 13 years of age.

D. Consent

Consent means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. The term includes a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.

E. Consumer

An individual who is a resident of Texas and acting only in an individual or household context, but does not include an individual acting in a commercial or employment context.

F. Controller

An individual or another person that, alone or jointly with others, determines the purpose and means of processing personal data.

G. Processor

A person that processes personal data on behalf of a controller.

H. Dark Pattern

A user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice, and includes any practice the Federal Trade Commission refers to as a dark pattern.

I. Deidentified Data

Data that cannot reasonably be linked to an identified or identifiable individual, or a device linked to that individual.

J. Identified or Identifiable Individual

A consumer who can be readily identified, directly or indirectly.

IV. Obligations for Organizations Under TDPSA

A. Data Minimisation and Purpose Limitation

Controllers must ensure transparency regarding their data collection activities and limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which that personal data is processed, as initially disclosed to the consumer.

B. Security Measures

Controllers must also establish, implement, and maintain acceptable administrative, technical, and physical data security procedures that are appropriate to the volume and nature of the personal data at stake to safeguard the privacy, accuracy, and accessibility of personal data.

C. Non-Discrimination

Controllers are barred from discriminating against the consumers for exercising their rights under the provisions of TDPSA or processing their personal data in violation of state and federal laws that prohibit unlawful discrimination. However, the law allows the controllers to offer different prices, rates, levels, quality, or selection of goods or services to a consumer if the consumer has exercised his/her right to opt-out of the sale of personal data or the offer is based on the consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.

D. Methods for Submission of DSR Requests

Controllers must establish two or more secure and reliable methods to enable the consumers to submit a request to exercise their consumer rights under the TDPSA. Such methods must take into account the following:

• the ways in which the consumers normally interact with the controller;
• the necessity for secure and reliable communications of those requests; and
• the ability of the controller to authenticate the identity of the consumer making the request.

E. Consent Requirements

Controllers must not process the personal data of a consumer for a purpose that is neither reasonably necessary to nor compatible with the disclosed purpose for which the personal data is processed, unless the controller obtains the consumer’s consent.

Further, a controller must not process sensitive data concerning a consumer without obtaining the consumer's consent. In the case of the processing of sensitive data concerning a known child, the controller must process the data in accordance with the federal Children's Online Privacy Protection Act (COPPA).

F. Universal Opt-Out Mechanism Requirements

As of January 1, 2025, the TDPSA will require that controllers establish global opt-out mechanisms, such as the Global Privacy Control ("GPC"), to allow consumers to refuse the sale of their personal information and targeted advertising.

G. Privacy Notice Requirements

A controller must provide consumers with a reasonably accessible and clear privacy notice that includes the following:

• the categories of personal data that the controller processes, including, if relevant, any sensitive data that the controller processes;
• the purpose of processing personal data;
• how consumers can exercise their consumer rights, including the procedure for appealing a controller's decision about a consumer's request;
• the categories of personal data, if any, that the controller shares with third parties;
• the categories of third parties, if any, that the controller shares personal data with; and
• a description of the procedures for submitting consumer rights requests.

When engaging in the sale of sensitive personal data:

A controller must include the following notice in the same location and in the same manner as the privacy notice:

“NOTICE: We may sell your sensitive personal data."

When engaging in the sale of biometric data:

A controller must include the following notice in the same location and in the same manner as the privacy notice:

“NOTICE: We may sell your biometric personal data."

H. Deidentified or Pseudonymous Data Requirements

A controller in possession of de-identified data must:

• make reasonable efforts to ensure that the data cannot be associated with an individual;
• publicly commit to maintaining and using de-identified data without attempting to re-identify it;
• contractually obligate any recipient of the de-identified data to comply with the provisions of the TDPSA.

I. Data Protection Impact Assessment

A controller must conduct and document a data protection assessment (DPA) of each of the following processing activities involving personal data:

• Processing personal data for the purposes of targeted advertising;
• Selling personal data;
• Processing personal data to profile consumers, if the profiling presents a reasonably foreseeable risk of:
  • Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
  • Financial, physical, or reputational injury to consumers;
  • Physical or other intrusions upon the solitude or seclusion, or the private affairs or concerns, of consumers; or
  • Other substantial injury to consumers;
• Processing sensitive data; and
• Any other processing of personal data that presents a heightened risk of harm to consumers.

A DPA must identify and weigh any potential direct or indirect benefits to the controller, the consumer, other stakeholders, and the public from the processing against any potential risks to the consumer's rights, as mitigated by the controller's use of safeguards that reduce the risks.

A DPA carried out by the controller to comply with other regulations may also be used for the purposes of TDPSA if the DPA has a reasonably comparable scope and effect to a DPA conducted under the provisions of TDPSA.

V. Data Processor Responsibilities

1. Assistance to Controller

A processor must comply with a controller's instructions and assist the controller in fulfilling their obligations, including:

• assisting the controller in responding to consumer rights requests;
• considering the nature of processing and the information at the processor's disposal, support the controller in complying with the obligation relating to the security of processing personal data and the notification of a system security breach; and
• providing the information required for the controller to carry out and record data protection assessments.

 2. Processing under Contract

The processor shall be required to process the personal data on behalf of the controller in accordance with the terms of the contract between the controller and the processor. The contract must include the following:

• clear instructions for processing data;
• the nature and purpose of processing data;
• the type of data subject to processing;
• the duration of processing;
• the rights and obligations of both the parties; and
• a requirement that the processor shall:
  • ensure the confidentiality of the personal data;
  • delete or return the personal data to the collector on the direction of the controller, unless retention of personal data is required by the law;
  • upon reasonable request from the controller, make available all the information in possession necessary to demonstrate compliance with its obligations;
  • allow the controller to conduct an assessment, or arrange for a qualified and independent assessor to conduct an assessment, of the processor's policies and technical and organizational measures in support of the processor's obligations; and
  • engage any subcontractor or agent through a written instrument requiring them to fulfill obligations towards the personal data.

VI. Data Subject Rights

The TDPSA grants consumers the following rights:

A. Right to Confirm

The right to confirm whether a controller is processing a consumer’s personal data.

B. Right to Access

The right to access personal data that is being processed.

C. Right to Correct Inaccuracies

The right to correct any inaccuracies in consumers’ personal data.

D. Right to Delete

The right to delete personal data provided by or obtained about the consumer.

E. Right to Obtain a Personal Copy

The right to obtain a portable copy of the consumer’s personal data.

F. Right to Opt-Out

The right to opt-out of processing of personal data for purposes of:

1. targeted advertising (defined as displaying to a consumer an advertisement that is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests),
2. the sale of personal data; or
3. profiling (defined as any form of solely automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements).

How can consumers exercise their rights:

Consumers have the right to exercise their rights at any time by making a request to a data controller and specifically highlighting the consumer rights they want to exercise. A parent or legal guardian of the child may exercise the child's consumer rights concerning the processing of personal data belonging to a known child.

Controller’s response to data subject rights:

A controller must comply with a request made by a consumer to exercise their rights unless an exemption applies. A controller must respond to a consumer's request without undue delay and no later than 45 days from the day the request was received. However, when it is deemed reasonably necessary, taking into account the complexity and volume of the customer's requests, the controller may extend the response period once by an additional 45 days. However, the controller must notify the consumer of the extension within the first 45 days of the response period, along with the reason for the extension.

A controller is required to respond to a consumer request for information without charge at least twice a year for each consumer. Consumers may be charged a reasonable fee to offset the administrative costs of complying with requests that are clearly unjustified, excessive, or recurrent, or the controller may choose not to act on the request altogether. However, the controller must prove that a request is manifestly unfounded, excessive, or repetitive.

A controller is not required to comply with a consumer request submitted if the controller cannot authenticate the request using commercially reasonable efforts. Instead, the controller may request that the consumer provide any additional information reasonably required to authenticate the consumer and the consumer's request.

Lastly, if the controller has obtained the personal data about a consumer from a source other than the consumer, the controller is considered in compliance with the consumer’s request for deletion of personal data if the controller:

• retains a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the business’s records and not using the retained data for any other purpose; and
• opts the consumer out of the processing of that personal data for any purposes other than a purpose that is exempt under the provisions of the TDPSA.

Appeal process:

A controller must set up a procedure for the consumer to appeal the controller's denial of a request within a reasonable amount of time after receiving the decision. The appeal procedure must be clearly available and similar to the procedure for requesting action to exercise consumer rights. A controller must provide written notice to the consumer of any action taken or not taken in response to an appeal no later than 60 days after the date the appeal was received. This notice must include a documented justification for the decision. The online method for contacting the Attorney General to file a complaint must be made available to the consumer if the controller rejects an appeal.

VII. Limitations

The obligations imposed under TDPSA do not restrict a controller’s or a processor's ability to:

• Comply with federal, state, or local laws, rules, or regulations;
• Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
• Investigate, establish, exercise, prepare for, or defend legal claims;
• Provide a product/service specifically requested by a consumer, perform a contract, fulfill the terms of a written warranty, or take steps at the request of the consumer before entering into a contract;
• Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or another natural person;
• Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activity, or illegal activity;
• Preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for such action;
• Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board that determines if:
  • Deletion of the information is likely to provide substantial benefits to the controller;
  • The expected benefits of the research outweigh the privacy risks;
  • The controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including risks associated with reidentification; and
• Assist another controller, processor, or third party with their obligations under TDPSA.

Nothing under TDPSA may restrict a controller or processor's ability to collect, use, or retain data to:

• Conduct internal research to develop, improve, or repair products, services, or technology;
• Initiate a product recall;
• Identify and repair technical errors that impair existing or intended functionality; or
• Perform internal operations that are reasonably aligned with the consumer's expectations or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.

Similarly, any obligations placed on a controller or a processor under TDPSA do not apply if:

• compliance by the controller or processor would violate an evidentiary privilege under Texas law or adversely affect the rights or freedoms of a person; and
• compliance by the controller, processor, or third party requires them to disclose a trade secret.

 VIII. Regulatory Authority

The Texas Attorney General has the exclusive authority to enforce the provisions of the TDPSA. The attorney general has the right to issue a civil investigative demand if there is reason to believe an individual has violated the TDSPA or is doing so.

The attorney general must issue a 30-day notice of violation to a person before bringing any enforcement action for any violation of the law. The attorney general must not bring an action against the person if:

• within the 30-day period, the person cures the identified violations;
• the person provides the attorney general a written statement that the person:
  • cured the alleged violation;
  • notified the consumer that the consumer’s privacy violation was addressed, if the consumer’s contact information has been made available to the person;
  • provided supportive documentation to show how the privacy violation was cured; and
  • made changes to the internal policies, if necessary, to ensure that no such further violations will occur.

IX. Penalties for Non-Compliance

A person who violates any provision of the TDPSA and fails to cure that within the 30-day cure period, or who breaches a written statement provided to the attorney general pursuant to notice of violation is liable for a civil penalty in an amount not to exceed $7,500 for each violation.

X. How an Organization Can Operationalize the TDPSA

Organizations can operationalize the Texas Data Privacy and Security Act (TDPSA) by:

• Establishing policies and procedures for processing data in compliance with the requirements of the TDPSA;
• Developing clear and accessible privacy notices in compliance with the requirements of the TDPSA;
• Obtaining informed consent from individuals before processing their sensitive personal data;
• Developing a robust framework for receiving and processing data requests and complaints from consumers; and
• Train employees who handle the consumers’ data on the organization's policies and procedures, as well as the requirements of the TDPSA.

XI. How Can Securiti Help

Securiti’s Data Command Center framework enables organizations to comply with Texas Data Privacy and Security Act (TDPSA) by securing the organization’s data and enabling organizations to maximize data value and fulfilling an organization’s obligations around data security, data privacy, data governance, and compliance.

Organizations can overcome hyperscale data environment challenges by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, enabling organizations to swiftly comply with privacy, security, governance, and compliance requirements.

Request a demo to learn more.