Senior Content Marketing Manager II
July 13, 2023â˘9 min read
What is the Texas Data Privacy and Security Act?
How to prepare for Texasâ privacy law
The Texas Data Privacy and Security Act (TDPSA) was passed on June 18, 2023âmaking Texas the 11th state to pass a consumer data privacy law in the US. Going into effect on July 1, 2024 (the same day as the Florida Digital Bill of Rights), the TDPSA follows a similar framework to most existing state privacy laws.
Despite the similarities, there are a few unique provisions companies will need to consider, mainly:Â
The TDPSA gave Texans more control over their personal data and created new data protection obligations for businesses whose products or services are used by Texas residents. Under this law, consumers can request confirmation, access, correction, erasure, and transmission of their personal information (PI). They may also opt-out of the sale or sharing of their PI and must opt-in to the sale or sharing of their sensitive personal information (SPI).Â
Texas' new privacy law will be enforced solely by the Texas Attorney General and offers a 30 day cure period. If businesses fail to address violations within 30 days, they may face penalties of up to $7,500 per violation.Â
Weâll explore specific TDPSA provisions, as well as offer more insight into how this law differs from other state privacy laws below. But first letâs look at what businesses fall under the billâs scope.Â
Texasâ privacy law takes a three-factor approach to applicabilityâand, unlike all other existing state privacy laws, none of the three factors rely on revenue or specific data collection thresholds.Â
Businesses are subject to the Texas Data Privacy and Security Act if they:
For reference, the U.S. Small Business Administration defines small business as "an independent business having fewer than 500 employees."
Several commentators have noted that this approach to applicability will lead to the majority of businesses within Texas getting swept into the law (as 500 employees is a relatively low threshold). Some also believe the lawâs scope will lead some businesses to exclude Texas residents from using their goods or services, as the âconsumedâ language indicates the law will apply to businesses outside the state.
Weâll explore how this linguistic nuance may affect businesses below, but first letâs explore whoâs exempt from TDPSA.
Like all data privacy laws, the TDPSA does offer a few exemptions, specifically for:Â
These exemptions are fairly standard in the US state privacy law canon.Â
The TDPSA is the only US state privacy law that doesnât include a threshold based on revenue or consumer data collection. Rather, the TDPSA provisions a three factor applicability standard that considers:Â
This is a novel approach to applicability and itâll be interesting to see how it plays out in practice.
Drilling down on one piece of the TDPSAâs applicability standardâthe use of the word âconsumed,â rather than âtargeted,â is another standout.
The TDPSA applies to businesses whose goods or services are âconsumedâ by Texas residents. In most other state privacy laws, the scope covers businesses whose goods or services are âtargetedâ to residents of that state.Â
Though the distinction may seem nominal, the term âtargetedâ implies that the business was actively looking to engage consumers in Texasâwhereas âconsumedâ implies the business may have customers in Texas, but not as part of a purposeful effort.Â
The implications of this linguistic shift are still unknown, but some commentators have argued it will:
The majority of provisions in Texasâ privacy law go into effect on July 1, 2024, but there is one standout: the requirement that businesses recognize and honor universal opt-out mechanisms, such as the Global Privacy Control browser signal.Â
This provision is tucked into the language around authorized agents, stating:Â
âA consumer may designate an authorized agent using a technology, including a link to an Internet website, an Internet browser setting or extension, or a global setting on an electronic device, that allows the consumer to indicate the consumer âs intent to opt out of the processing.â 541.055(e)Â
This portion of the TDPSA doesnât go into effect until January 1, 2025âgiving companies an extra six months to comply.Â
Businesses under Texasâ privacy law will be required to provide âreasonably accessible and clearâ disclaimers in privacy notices if they sell or share sensitive or biometric information.
These disclosures must read, respectively, âWe may sell your sensitive personal dataâ or âWe may sell your biometric personal data.â
Offering a 30 day cure period to alleged violators is nothing new, but the nuances of the TDPSAâs cure approach are somewhat novel. For one, the cure period provision does not expire. In many state privacy laws, the cure period either expires or becomes discretionary within a few years of the law taking effect.Â
Whatâs more interesting, is the fact that violators must provide ample evidence and documentation that the alleged violations have actually been addressed.Â
Under most state privacy laws, a simple notification to the Attorney Generalâstating the cure has been completedâis sufficient. However, businesses under Texasâ privacy law have to go the extra mile to prove theyâve updated their privacy and data protection practices.
As with all state privacy laws, the Texas Data Privacy and Security Act provides Texas residents with new consumer data rights. Under the TDPSA, this includes the right to:
Businesses under the TDPSA must implement mechanisms that allow consumers to fulfill these rights in a simple and straightforward way.
The first step in complying with Texasâ new privacy law is to figure out whether or not it actually applies to your business. To recap, the TDPSA applies to companies that:Â
Once you know the law applies to you, itâs time to start taking steps towards compliance.
Data maps are a foundational piece of any privacy compliance programâhelping you conduct a thorough gap analysis that compares your companyâs data processing activities to the provisions outlined by any given law.Â
Though the TDPSA doesnât explicitly require data mapping, itâs a critical step in understanding how your company processes dataâgiving you a complete view of:Â
All this in mind, a complete data map should include:
Manual data mapping is an option, and is where many privacy teams start out. That said, as you add new systems, manual workflows can become time consuming and unsustainable. Using an automated data mapping tool, like Transcend Data Mapping, can help your team save time and ensure your data map is always up-to-date.
Under Texasâ privacy law, companies must conduct data protection assessments for data processing activities such as:Â
The TDPSA also outlines several components that companies must include within their DPAs, including:Â
Companies are not required to pre-emptively submit a DPA, but one must be made available upon request.
In whatâs quickly becoming the norm in US privacy law, the TDPSA includes language on the use of dark patterns, defining them as:Â
âA user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice.â
This definition also includes any practice deemed a dark pattern by the Federal Trade Commission (FTC).Â
Under Texasâ privacy law, consent obtained through use of a dark pattern is invalidâso businesses need to audit their user consent interfaces to make sure theyâre free of any elements that could be considered manipulative or confusing.Â
Check out our guide to dark patterns under the CPRA for more information on what dark patterns look like in practice.Â
The TDPSA takes an opt-in approach to sensitive data collection, so companies need to implement a mechanism that allows consumers to give (or not give) their consent before this processing begins.Â
A modern consent management platform is one of the most effective ways to do this and Transcend Consent may be able to help.Â
Texasâ privacy law requires that businesses honor universal opt-out signals, such as the Global Privacy Control browser signal, by January 1, 2025.Â
In the only state-level privacy enforcement action to date, Sephora settled with the California Attorney General for a range of violations. Chief among them was failing to honor GPC when consumers had the signal turned on.Â
Similar to providing opt-in consent for sensitive data processing, a consent management platform is going to be your best bet for ensuring your company meets this requirement.Â
Transcend is the platform that helps companies put privacy on autopilot by making it easy to encode privacy across an entire tech stack.
Transcend Data Mapping is the only solution that goes beyond observability to power your privacy program with smart governance suggestions. Get unified data management through automated scanning, data silo discovery and advanced data classification, all in a collaborative platform.
Ensure nothing is tracked without user consent using Transcend Consent, automate data subject request workflows with Privacy Requests, and mitigate risk with smarter privacy Assessments.
Senior Content Marketing Manager II