How to prepare for Texas' new privacy law

By Morgan Sullivan

Senior Content Marketing Manager II

July 13, 2023


At a glance

  • The Texas Data Privacy and Security Act (TDPSA) was passed on June 18, 2023—making Texas the 11th state to pass a consumer data privacy law in the US.
  • Texas’ privacy law takes a three-factor approach to applicability—and, unlike all other existing state privacy laws, none of the three factors rely on revenue or specific data collection thresholds.
  • To comply with the TDPSA, businesses must conduct data protection assessments, clean up any dark patterns, implement opt-in consent for sensitive personal information, and honor universal opt-out signals.


What is the Texas Data Privacy and Security Act?

The Texas Data Privacy and Security Act (TDPSA) was passed on June 18, 2023—making Texas the 11th state to pass a consumer data privacy law in the US. Going into effect on July 1, 2024 (the same day as the Florida Digital Bill of Rights), the TDPSA follows a similar framework to most existing state privacy laws.

Despite the similarities, there are a few unique provisions companies will need to consider, mainly: 

  • The broad applicability threshold
  • Required disclosures around selling or sharing biometric information
  • Cure documentation following an alleged violation

The TDPSA gives Texans more control over their personal data and creates new data protection obligations for businesses whose products or services are used by Texas residents. Under this law, consumers can request confirmation, access, correction, erasure, and transmission of their personal information (PI). They may also opt out of the sale or sharing of their PI and must opt in to the sale or sharing of their sensitive personal information (SPI).

Texas' new privacy law will be enforced solely by the Texas Attorney General and offers a 30-day cure period. If businesses fail to address violations within 30 days, they may face penalties of up to $7,500 per violation.

We’ll explore specific TDPSA provisions, as well as offer more insight into how this law differs from other state privacy laws below. But first let’s look at what businesses fall under the bill’s scope. 

Who's subject to Texas’ privacy law?

Texas’ privacy law takes a three-factor approach to applicability—and, unlike all other existing state privacy laws, none of the three factors rely on revenue or specific data collection thresholds. 

Businesses are subject to the Texas Data Privacy and Security Act if they:

  • Conduct business in Texas or offer goods or services “consumed” by Texas residents
  • Process or sell any quantity of personal data
  • Do not identify as a small business, as defined by the U.S. Small Business Administration

For reference, the U.S. Small Business Administration defines small business as "an independent business having fewer than 500 employees."

Several commentators have noted that this approach to applicability will lead to the majority of businesses within Texas getting swept into the law (as 500 employees is a relatively low threshold). Some also believe the law’s scope will lead some businesses to exclude Texas residents from using their goods or services, as the “consumed” language indicates the law will apply to businesses outside the state.

We’ll explore how this linguistic nuance may affect businesses below, but first let’s explore who’s exempt from TDPSA.

Exemptions

Like all data privacy laws, the TDPSA does offer a few exemptions, specifically for: 

  • Nonprofits
  • Organizations under HIPAA
  • Higher education institutions
  • Financial institutions under GLBA
  • Utility providers
  • Employee information

These exemptions are fairly standard in the US state privacy law canon. 

Texas’ privacy law vs. other state privacy laws

Coverage thresholds

The TDPSA is the only US state privacy law that doesn’t include a threshold based on revenue or consumer data collection. Rather, the TDPSA sets out a three-factor applicability standard that considers:

  • Whether a company conducts business in Texas, or offers goods or services “consumed” by Texans
  • Whether it processes or sells any quantity of personal data
  • Whether or not the company is a “small business”

This is a novel approach to applicability and it’ll be interesting to see how it plays out in practice.

“Consumed” vs “Targeted”

Drilling down on one piece of the TDPSA’s applicability standard: the use of the word “consumed,” rather than “targeted,” is another standout.

The TDPSA applies to businesses whose goods or services are “consumed” by Texas residents. In most other state privacy laws, the scope covers businesses whose goods or services are “targeted” to residents of that state. 

Though the distinction may seem nominal, the term “targeted” implies that the business was actively looking to engage consumers in Texas—whereas “consumed” implies the business may have customers in Texas, but not as part of a purposeful effort. 

The implications of this linguistic shift are still unknown, but some commentators have argued it will:

  • Sweep in a wider array of out-of-state businesses, and
  • Potentially lead businesses to exclude Texans from their offerings—so as to not fall under the scope of Texas’ privacy law

Recognition of universal opt-out mechanisms

The majority of provisions in Texas’ privacy law go into effect on July 1, 2024, but there is one standout: the requirement that businesses recognize and honor universal opt-out mechanisms, such as the Global Privacy Control browser signal. 

This provision is tucked into the language around authorized agents, stating: 

“A consumer may designate an authorized agent using a technology, including a link to an Internet website, an Internet browser setting or extension, or a global setting on an electronic device, that allows the consumer to indicate the consumer’s intent to opt out of the processing.” (Sec. 541.055(e))

This portion of the TDPSA doesn’t go into effect until January 1, 2025—giving companies an extra six months to comply. 

Disclosures around selling sensitive/biometric information

Businesses under Texas’ privacy law will be required to provide “reasonably accessible and clear” disclaimers in privacy notices if they sell or share sensitive or biometric information.

These disclosures must read, respectively, “We may sell your sensitive personal data” or “We may sell your biometric personal data.”

Cure period

Offering a 30-day cure period to alleged violators is nothing new, but the nuances of the TDPSA’s cure approach are somewhat novel. For one, the cure period provision does not expire. In many state privacy laws, the cure period either expires or becomes discretionary within a few years of the law taking effect.

What’s more interesting is that violators must provide ample evidence and documentation that the alleged violations have actually been addressed.

Under most state privacy laws, a simple notification to the Attorney General—stating the cure has been completed—is sufficient. However, businesses under Texas’ privacy law have to go the extra mile to prove they’ve updated their privacy and data protection practices.

Consumer rights provided by the TDPSA

As with all state privacy laws, the Texas Data Privacy and Security Act provides Texas residents with new consumer data rights. Under the TDPSA, this includes the right to:

  • Confirm whether a controller is processing their personal data 
  • Access personal data held by a company
  • Correct inaccuracies in their personal data
  • Delete personal data 
  • Obtain an easily transmissible copy of their data
  • Opt out of data processing for the purpose of targeted advertising, selling or sharing personal data, and automated profiling or decision making

Businesses under the TDPSA must implement mechanisms that allow consumers to fulfill these rights in a simple and straightforward way.

How to prepare for Texas’ privacy law

Determine if the TDPSA applies to your business

The first step in complying with Texas’ new privacy law is to figure out whether or not it actually applies to your business. To recap, the TDPSA applies to companies that: 

  • Conduct business in Texas or offer goods/services “consumed” by Texans
  • Process or sell any quantity of personal data
  • Are not a small business, as defined by the U.S. Small Business Administration

Once you know the law applies to you, it’s time to start taking steps towards compliance.

Create a data map

Data maps are a foundational piece of any privacy compliance program—helping you conduct a thorough gap analysis that compares your company’s data processing activities to the provisions outlined by any given law. 

Though the TDPSA doesn’t explicitly require data mapping, it’s a critical step in understanding how your company processes data—giving you a complete view of: 

  • What personal data your organization collects
  • How that data is being used
  • Where data is stored
  • How long it’s retained
  • When/where it’s shared with third parties

With all this in mind, a complete data map should include:

  • The categories of personal data being processed
  • What, if any, sensitive personal information is being processed
  • Where, when, and how you’re processing personal data
  • Why you’re processing that data

Manual data mapping is an option, and is where many privacy teams start out. That said, as you add new systems, manual workflows can become time consuming and unsustainable. Using an automated data mapping tool, like Transcend Data Mapping, can help your team save time and ensure your data map is always up-to-date.

Conduct data protection assessments

Under Texas’ privacy law, companies must conduct data protection assessments for data processing activities such as: 

  • Targeted advertising
  • Selling or sharing personal data
  • Automated profiling and decision making
  • Processing sensitive personal information 
  • Activities that present a “heightened risk of harm to the consumer”

The TDPSA also outlines several components that companies must include within their DPAs, including: 

  • Identifying and weighing the benefits and risks of their data processing activities
  • Details on whether the company considered consumers’ expectations, the context of the processing, and the relationship between the consumer and the company
  • An evaluation of whether or not de-identified data would be sufficient

Companies are not required to pre-emptively submit a DPA, but one must be made available upon request.

Clean up dark patterns

In what’s quickly becoming the norm in US privacy law, the TDPSA includes language on the use of dark patterns, defining them as: 

“A user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice.”

This definition also includes any practice deemed a dark pattern by the Federal Trade Commission (FTC). 

Under Texas’ privacy law, consent obtained through use of a dark pattern is invalid—so businesses need to audit their user consent interfaces to make sure they’re free of any elements that could be considered manipulative or confusing. 

Check out our guide to dark patterns under the CPRA for more information on what dark patterns look like in practice. 

Implement opt-in mechanism for sensitive data collection

The TDPSA takes an opt-in approach to sensitive data collection, so companies need to implement a mechanism that allows consumers to give (or not give) their consent before this processing begins. 

A modern consent management platform is one of the most effective ways to do this and Transcend Consent may be able to help. 

Honor opt-out preference signals by January 1, 2025

Texas’ privacy law requires that businesses honor universal opt-out signals, such as the Global Privacy Control browser signal, by January 1, 2025. 

In the only state-level privacy enforcement action to date, Sephora settled with the California Attorney General for a range of violations. Chief among them was failing to honor GPC when consumers had the signal turned on. 

Similar to providing opt-in consent for sensitive data processing, a consent management platform is going to be your best bet for ensuring your company meets this requirement. 
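Whatever platform handles consent, the server still has to recognize the signal itself. Global Privacy Control is sent by the browser as the HTTP request header `Sec-GPC: 1` (and exposed to page scripts as `navigator.globalPrivacyControl`). The following is an added example, not code from the article or from Transcend, showing how a request handler can detect the signal and apply it as an opt-out that overrides any stored grant for sale/sharing and targeted advertising; the request header shape and the consent-record format are assumptions made for the example.

```javascript
// Added example: honoring a Global Privacy Control (GPC) opt-out signal.
// Real protocol facts: GPC is the request header "Sec-GPC" with the exact
// value "1", and navigator.globalPrivacyControl in browser scripts.
// Assumed for this example: a plain { headerName: value } object for headers
// and a consent record of the form { purposes: { <purpose>: 'granted'|'denied' } }.

// Purposes covered by the universal opt-out right (sale/sharing, targeted ads).
const OPT_OUT_PURPOSES = ['SaleOrSharing', 'TargetedAdvertising'];

// Server-side check. Header names are case-insensitive, so normalize before
// comparing. Only the literal value "1" is a valid GPC assertion; "0",
// an empty value or a missing header all mean "no signal".
function gpcSignalPresent(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Client-side equivalent for a consent banner or tag manager script:
// pass in window.navigator (or a stand-in object in tests).
function gpcSignalPresentClient(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Compute the purposes the site may actually process for on this request.
// A GPC signal is a universal opt-out: it forces the covered purposes to
// 'denied' even if the stored record says 'granted'. Purposes outside the
// opt-out right (e.g. a constructed 'Analytics' purpose) are left untouched.
function effectivePurposes(headers, consentRecord) {
  const purposes = { ...((consentRecord && consentRecord.purposes) || {}) };
  if (gpcSignalPresent(headers)) {
    for (const purpose of OPT_OUT_PURPOSES) {
      purposes[purpose] = 'denied';
    }
  }
  return purposes;
}

// Constructed sample request and consent record for demonstration.
const sampleHeaders = { 'Sec-GPC': '1', 'User-Agent': 'constructed-browser/1.0' };
const sampleRecord = { purposes: { SaleOrSharing: 'granted', Analytics: 'granted' } };
console.log(effectivePurposes(sampleHeaders, sampleRecord));
```

Log the fact that a GPC signal was applied alongside the request, since the TDPSA's cure documentation requirement means you may need to show that the signal was honored.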


About Transcend

Transcend is the platform that helps companies put privacy on autopilot by making it easy to encode privacy across an entire tech stack.

Transcend Data Mapping is the only solution that goes beyond observability to power your privacy program with smart governance suggestions. Get unified data management through automated scanning, data silo discovery and advanced data classification, all in a collaborative platform.

Ensure nothing is tracked without user consent using Transcend Consent, automate data subject request workflows with Privacy Requests, and mitigate risk with smarter privacy Assessments.

