Texas Data Privacy Law: TDPSA Full Guide

Regulations
James Grieco
Aug 2, 2023

The Texas Data Privacy and Security Act (TDPSA) was passed in June and signed into law by Governor Greg Abbott in July, joining a rash of states to pass comprehensive data privacy regulation so far in 2023. That group includes Iowa, Indiana, Tennessee, Montana, Florida, Delaware, and now Texas.

As the second most populous state as well as the second biggest state economy in the United States (and the ninth largest economy globally on its own), Texas’s data privacy law immediately becomes the headliner for the 2023 lineup. Notably, TDPSA is 39 pages long, considerably longer than the 25 or so pages most state laws run, so the Texas legislature did a lot of legwork in clarifying terms and covering a litany of circumstances.

In addition to bringing data subject rights to over 30 million people, TDPSA imposes new bars for businesses to reach data compliance. Here’s what you need to know about the new Texas data privacy law.

Texas Data Privacy Law at a Glance

While the Texas data privacy law follows large parts of the framework laid out in Virginia’s VCDPA and other laws that have passed this year, perhaps its biggest deviation is its applicability threshold, which takes a completely new route. 

All other states have set their applicability threshold at handling the personal data of a certain number of residents or at a revenue figure, but Texas has instead set these three conditions an organization must meet to fall under TDPSA (compliance is not required when personal data is processed for personal or household reasons):

  • Conducts business in the state or offers a product or service consumed by Texas residents
  • Processes or engages in the sale of personal data
  • Is not a small business as defined by the U.S. Small Business Administration (500 employees or fewer, revenue under $30 million)

The first two requirements are so broad that nearly every company in the state would need to comply, while the third brings some complications into the picture.

The U.S. Small Business Administration does not have a blanket definition of what constitutes a small business; the definition varies by industry. As far as headcount, 500 employees is a rough average, but the revenue scales vary by industry: some industries such as real estate have a cap of $15 million in average annual receipts, while others such as housing development have a cap of $45 million in average annual receipts to still be considered “small businesses.”

Even with that never-before-seen factor, the TDPSA might end up with much greater applicability than any of the other comprehensive laws passed this year.

In fact, the word “consumed” when describing a company’s products and services might link state laws together in a de facto sense. For example, if a company with 501 employees based in Colorado has even a single Texan using its services, that company would seemingly need to comply with the CPA and the TDPSA, even if it has no physical presence in Texas.

It’s hard to say if that was the Texas legislature’s intention, but the wording could open up a better fit between state laws than any other regulation has. 

Texas Data Privacy Law Exemptions

Before getting into how to comply with the Texas data privacy law, it’s important to note the other end of the compliance spectrum: exemptions. 

A large list of institutional and data exemptions is standard for American data privacy regulations, and Texas is no different:

  • State government and administrative organizations
  • Institutions and data subject to the Gramm-Leach-Bliley Act (GLBA)
  • Entities, associates, and data covered by HIPAA
  • Nonprofit organizations
  • Higher education institutions
  • Electric utility and power generation companies
  • Data related to the Health Care Quality Improvement Act of 1986
  • Data in compliance with the Driver’s Privacy Protection Act of 1994
  • Data in compliance with the Family Educational Rights and Privacy Act of 1974
  • Data in compliance with the Farm Credit Act of 1971

As well as these types of data:

  • Protected health data (the way health data was originally defined within CTDPA)
  • Employee data, including job applicant data
  • De-identified data or publicly available information
  • Aggregate information
  • Personal information collected for research of human subjects or as part of a clinical trial

The only unique exemption here is for electric utilities and power generation companies, a carveout not seen in other state regulations. However, given Texas’s position as the only state in the nation reliant on its own power grid rather than a regional one, empowering those entities makes sense.

Texas Consumer Data Rights

The 30+ million residents of Texas now have access to these data rights under the Texas Data Privacy and Security Act:

  • Right to access – consumers have the right to know if a controller is processing their personal data, why it is being processed, and with whom it has been shared.

(The right to access must include special clauses noting whether a data controller sells a consumer’s sensitive or biometric data.)

  • Right to delete – consumers have the right to have a controller delete any data held on them;
  • Right to correction – consumers have the right to correct inaccuracies in their personal data;
  • Right to data portability – consumers have the right to obtain their data in a portable and accessible format to transmit it to other businesses;
  • Right to opt out – consumers have the right to opt out of data processing for targeted advertising, the sale or sharing of personal data, and automated profiling or decision making.

The bill lacks a few data rights given to citizens in other states, notably the private right of action and the right to revoke consent.

The private right of action, found only in California’s CCPA, gives citizens the ability to sue companies over noncompliant and harmful data processing behavior.

The right to revoke consent, present in Connecticut, Colorado, and Montana, means people can take back their consent at any time. 

Data subject request timelines are 45 days to respond, with a 45-day extension available if requested on time and properly justified; both are the standard windows for most DSR handling in the United States.

Texas Data Privacy Law Requirements

The Texas data privacy law requires organizations to fulfill several tasks to demonstrate compliance, including obtaining opt-ins from people when processing sensitive data, as is the case with Virginia’s VCDPA, adding an extra layer of security and rights.

Chief among them are transparent and simple ways for Texans to exercise their data rights as well as data protection assessments (DPAs), the latter of which every state except Iowa requires.

DPAs in compliance with the TDPSA cover:

  • Targeted advertising
  • Selling or sharing personal data
  • Automated profiling and decision making
  • Processing sensitive personal information 
  • Activities that present a “heightened risk of harm to the consumer”

DPAs are not subject to public release and, as in most states, are not an annual submission; rather, they serve as proof of compliance and data protection best practices.

Other business requirements:

  • Data processing for sensitive information requires a freely given opt-in, the same as under Virginia’s VCDPA
  • Clear and straightforward privacy and consent notices, free of dark patterns as defined by the FTC
  • Acknowledge and honor universal opt-out systems by January 1, 2025

Texas Data Privacy Enforcement

The Texas Data Privacy and Security Act will be enforced purely by the state Attorney General, the near-universal American standard with the exception of California, which created an entire agency, the CPPA, to handle enforcement.

Violations carry fines of $7,500 each, also in line with most other states’ data privacy laws.

The law will fully enter into force on July 1, 2024, one year from its passing. There is a 30-day indefinite cure period, meaning companies will have a slight buffer if the Texas AG contacts them regarding a potential violation.

One interesting bit about TDPSA enforcement is that businesses must include evidence of compliance and correction of alleged violations when given written notice by the AG.

Several states simply require a response that the alleged violations have been corrected, but the Texas data privacy law puts the impetus on businesses to prove it, raising the bar for compliance. 

Given this reality and the potential scope of the law, companies would be wise to proactively comply by building a data map and completing DPAs.