Another day, another U.S. data privacy bill passes into law — Texas’s House Bill 4, to be exact.
On June 19, 2023, Texas became one of the latest US states to pass data privacy legislation, the Texas Data Privacy and Security Act or TDPSA.
In this guide, I compiled all the necessary information to help businesses prepare for the new consumer privacy rights, business obligations, and other requirements outlined by the TDPSA.
- What Is The Texas Data Privacy And Security Act (TDPSA)?
- TDPSA Key Terms and Definitions
- What Does the Texas Data Privacy and Security Act Cover?
- Requirements of the Texas Data Privacy and Security Act
- Texas’s Law vs. Other State Data Privacy Laws: Similarities and Differences
- How Will Consumers Be Impacted by the TDPSA?
- How Will Businesses Be Impacted By The TDPSA?
- Who Must Comply With Texas’s New Data Privacy Law?
- How Can Businesses Get Ready For the TDPSA?
- How Will the TDPSA Be Enforced?
- Fines and Penalties Under the Texas Data Privacy and Security Act
- How Will Termly Help With TDPSA Compliance?
- Are There Other Privacy-Related Laws In Texas?
What Is The Texas Data Privacy And Security Act (TDPSA)?
The Texas Data Privacy and Security Act, or TDPSA, aims to regulate how businesses collect, use, and process the personal data of Texas consumers.
It also explains the rights that those consumers have over their information and outlines the civil penalties that business entities face for violating the requirements of this new state law.
TDPSA Effective Date
The Texas Data Privacy and Security Act enters into force on July 1, 2024, giving businesses around a year to prepare for compliance.
However, specific provisions related to consumers’ universal opt-out mechanisms do not go into effect until January 1, 2025.
TDPSA Key Terms and Definitions
The Texas Data Privacy and Security Act defines key terms in Section 541.001.
Here are some of the most critical phrases exactly as this new state law describes them:
Biometric data: Data generated by automatic measurements of an individual’s biological characteristics. The term includes fingerprint, voiceprint, eye retina or iris, or other unique biological pattern or characteristic used to identify a specific individual.
- It does not include a physical or digital photograph or data generated from a physical or digital photograph, a video or audio recording or data generated from a video or audio recording, or information collected, used, or stored for health care treatment, payment, or operations under the Health Insurance Portability and Accountability Act (HIPAA).
- Child: An individual younger than thirteen years of age.
Consent: When referring to a consumer, consent means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. The term does not include:
- Hovering over, muting, pausing, or closing a given piece of content
- Agreement obtained through the use of dark patterns
- Consumer: An individual who is a resident of this state acting only in an individual or household context. The term does not include an individual acting in a commercial or employment context.
- Controller: An individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data.
- Dark pattern: A user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice and includes any practice the Federal Trade Commission refers to as a dark pattern.
- Personal data: Any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. The term does not include de-identified data or publicly available information.
- Precise geolocation data: Information derived from technology, including global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet.
- Process/Processing: An operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
- Processor: A person that processes personal data on behalf of a controller.
Sale of personal data: The sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party. The term does not include:
- The disclosure of personal data to a processor that processes personal data on the controller’s behalf
- The disclosure of personal data to a third party for purposes of provisioning a product or service requested by the consumer
- The disclosure or transfer of personal data to an affiliate of the controller
- The disclosure of information that the consumer intentionally made available to the general public through a mass media channel and did not restrict to a specific audience
- The disclosure or transfer of personal data to a third party as an asset that is part of a merger or acquisition
- Sensitive data: This is a category of personal data that includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, citizenship or immigration status, genetic or biometric data, personal data collected from a known child, or precise geolocation.
What Does the Texas Data Privacy and Security Act Cover?
The Texas Data Privacy and Security Act covers Texas residents acting as individuals or in a household context.
Those acting in a commercial or employment context are not considered “consumers” under the law, as explained in Section 541.001 Part (7).
The TDPSA requires entities to collect only the personal data that is reasonably necessary and proportionate to the purposes for processing, and those purposes must be disclosed to the consumer.
Requirements of the Texas Data Privacy and Security Act
The TDPSA outlines several requirements businesses must implement to legally collect, process, and use personal data from Texas consumers.
To help you better understand how to comply, I’ve highlighted the most important features of the law in the following sections.
Data Controllers and Transparency
If your business qualifies as a controller, you must limit the collection of personal data to what is adequate, relevant, and reasonably necessary as it relates to the purpose you’ve disclosed to the consumer for why you’re processing their data.
The only exception to this requirement is if you obtained the consumer’s explicit consent to do otherwise.
Data Security Requirements
The TDPSA also requires data controllers to protect the confidentiality and integrity of the data they collect by establishing, implementing, and maintaining:
“… reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue.”
This security portion of the Texas Data Privacy and Security Act is described in Section 541.101 Part (a)(2).
Consent Requirements
Under the TDPSA, data controllers only need to obtain user consent under specific circumstances:
- You must obtain consent from a legal guardian to process personal data about a child under the age of thirteen.
- Consent is also necessary if a controller wants to process personal data for purposes that are neither “reasonably necessary” nor “compatible with the disclosed purposes for which the personal data was processed initially”.
- Finally, you must obtain user consent to process sensitive personal data.
Authenticated Consumer Requests
Under the TDPSA, consumers have the right to submit authenticated requests that businesses are obligated to respond to in certain ways.
According to Section 541.051 Parts (a) and (b), a consumer (or the legal guardian of a child) can submit this request by specifying which right they wish to exercise.
The data controller must respond without undue delay, which means no longer than 45 days, with the possibility of a 45-day extension in some cases.
Your response as the data controller must be free of charge at least twice annually per consumer.
However, if you cannot authenticate the request using commercially reasonable efforts, you can request more information from the individual before complying with their request.
The TDPSA describes the approved processes for submitting consumer requests in Section 541.055 of the law.
First, controllers must establish two or more secure and reliable methods to enable consumers to submit these requests, taking into account:
- The ways your consumers normally interact with you
- The necessity for secure and reliable communications
- The ability of the controller to authenticate the identity of the consumer making the request
If you have a website, you must provide the mechanism on that site.
But if you operate exclusively online and have a direct relationship with the consumer, you only need to provide an email address.
However, legally, you can’t require consumers to make a new account to act on their rights.
Texas consumers also have the right to appeal your decision, as explained in Section 541.053.
The appeal process must be conspicuously available and similar to the process for submitting consumer requests.
Data Protection Assessments
The TDPSA requires businesses to conduct and document data protection assessments if you perform any of the following data processing activities, as explained in Section 541.105:
- Process personal data for targeted advertising
- Take part in the sale of personal data
- Process personal data for the purposes of profiling
- Process sensitive data
- Any processing activities involving data that present an increased risk of harm to consumers
The assessment must identify and weigh the direct and indirect benefits that flow from the processing against the potential risks it could cause, especially regarding the rights of the consumers.
You must also factor the following criteria into your assessments:
- The use of deidentified data
- The reasonable expectations of your consumers
- The context of the processing
- The relationship between the controller and the consumer
You must make your data protection assessments available to the Attorney General to assist with civil investigations. Otherwise, it should remain confidential.
The TDPSA allows you to use the same data protection assessment conducted to comply with other data privacy laws as long as those other pieces of legislation have similar requirements.
Contractual Obligations Between Controllers and Processors
If a data controller relies on a third-party data processor, both parties must sign a contract that includes all stipulations outlined in Section 541.104, Part (b) of the TDPSA. Those include:
- Clear instructions for processing data
- The purpose and nature of the processing
- The type of data that’s subject to the processing
- The duration of the processing
- The rights and obligations of both parties
- A requirement that the processor shall ensure that each person processing the data is subject to a duty of confidentiality
- A requirement that the processor will delete or return all data to the controller as requested
- A requirement that the processor will make all information in their possession available to the controller to demonstrate compliance with the TDPSA
- A requirement that the processor will allow and cooperate with reasonable assessments by the controller and their designated assessor
- A requirement that the processor will only engage with subcontractors under contracts that meet these same stipulations
Texas’s Law vs. Other State Data Privacy Laws: Similarities and Differences
The Texas Data Privacy and Security Act shares some similarities with other U.S. data privacy laws but presents some interesting and unique differences.
Below is a table comparing the TDPSA to these other active or soon-to-be-active U.S. data protection laws:
- California Consumer Protection Act (CCPA), as amended by the California Privacy Rights Act (CPRA) — currently in force
- Colorado Privacy Act (CPA) — currently in force
- Connecticut Data Privacy Act (CTDPA) — currently in force
- Delaware Personal Data Privacy Act (DPDPA) — effective January 1, 2025
- Florida Digital Bill of Rights (FDBR) — effective July 1, 2024
- Indiana Consumer Data Protection Act (Indiana CDPA) — effective January 1, 2026
- Iowa Consumer Data Protection Act (Iowa CDPA) — effective January 1, 2025
- Montana Consumer Data Privacy Act (MCDPA) — effective October 1, 2024
- Oregon Data Privacy Act (ODPA) — effective July 1, 2024
- Tennessee Information Protection Act (TIPA) — effective July 1, 2024
- Utah Consumer Privacy Act (UCPA) — effective December 31, 2023
- Virginia Consumer Data Protection Act (VCDPA) — currently in force
Check out the details below:
How Will Consumers Be Impacted by the TDPSA?
The TDPSA impacts consumers by granting them new rights over how their personal information gets collected, processed, and used.
Consumers under the TDPSA have the right to submit a request to a controller at any time to exercise their rights.
A legal guardian can do the same on behalf of a known child, as explained in Section 541.051 of the law.
The consumer rights include submitting requests to:
- Confirm if a controller is processing their data
- Access the personal data collected about them
- Correct inaccuracies in their data, taking into account the nature of it and the purpose of processing
- Delete the data provided by or obtained about the consumer
- Obtain a portable copy of their data, if it’s available in a digital format
Consumers also retain the right to non-discrimination and to opt out of processing personal data for targeted advertising, the sale of their data, or profiling.
Businesses that receive authenticated requests must fulfill them without undue delay and within 45 days, with a possibility of a 45-day extension.
Who Does the TDPSA Protect?
The TDPSA applies to the personal information of natural persons who are residents of Texas in a personal or household context only.
It does not protect the information of people in the state who are operating in a commercial or employment context.
How Will Businesses Be Impacted By The TDPSA?
Businesses should expect to be impacted by the TDPSA in several ways: controllers must publish a privacy notice, cookie banners must offer the required opt-outs, and websites must create a way to honor universal opt-out preferences on users’ browsers.
Let’s discuss all three of these aspects of the law in more detail, starting with the privacy notice, which must disclose:
- The categories of personal data processed, including sensitive data
- The purpose for processing the data
- How consumers can exercise their rights and the process for appealing the decision
- The categories of data shared with third parties, if any
- The categories of the third parties you share the data with, if any
- A description of how consumers can submit requests to exercise their rights under the TDPSA
Additionally, if you qualify as a controller and sell sensitive personal data or biometric information, you must include the following notice in “the same location and in the same manner as the privacy notice”:
- NOTICE: We may sell your sensitive personal data.
- NOTICE: We may sell your biometric personal data.
How Will the TDPSA Affect My Cookie Banner?
While the TDPSA doesn’t directly reference cookie banners, several provisions impact how a company should display one on its platform.
According to Section 541.051 of the law, consumers have the right to opt out of the sale of their personal data, targeted advertising, and profiling, and controllers must disclose these activities to their users.
This will provide consumers with appropriate control over whether they are tracked and/or profiled by your website.
An opt-out option is also required if a controller’s cookies process sensitive personal data or information from known children.
If this is the case for your business, pay close attention to the TDPSA definition of consent, specifically in avoiding dark patterns and automatic opt-in through hovering, so you don’t violate the law.
Specific Provisions for Universal Opt-Out Signals
The Texas Data Privacy and Security Act describes requirements for controllers and consumers regarding the use of universal opt-out mechanisms in Section 541.055 Parts (e) and (f).
Specifically, it states that consumers can:
“designate another person to serve as the consumer’s authorized agent and act on the consumer’s behalf to opt out of the processing of the consumer’s personal data…”
This encompasses universal opt-out mechanisms like Global Privacy Control (GPC) or the upcoming Google Privacy Sandbox.
These features allow individuals to opt out directly from their browser, which then sends signals communicating their opt-out preferences to the websites they visit.
Under the TDPSA, a consumer may:
“… designate an authorized agent using a technology, including a link to an Internet website, an Internet browser setting or extension, or a global setting on an electronic device, that allows the consumer to indicate the consumer’s intent to opt out of the processing.”
It explains that the controller must comply with these opt-out requests as long as they can verify with a commercially reasonable effort the consumer’s identity and the authorized agent’s authority to act on their behalf.
These provisions on consumers’ universal opt-out mechanisms go into effect on January 1, 2025, a few months after the rest of the law enters into action.
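The following JavaScript is an added example, not code from the original article or from Termly, showing the mechanics behind the provision above: a browser that has GPC enabled sends the request header `Sec-GPC: 1` and exposes `navigator.globalPrivacyControl === true`, and a site that receives either signal treats it as the consumer’s opt-out from targeted advertising, sale, and profiling. The purpose names, the in-memory opt-out store, and the `handleRequest` policy are this example’s own assumptions; the server-side part is assumed to run under Node.js.

```javascript
// Added example (not from the original article or from Termly): honoring a
// Global Privacy Control (GPC) opt-out signal on the client and the server.
// Assumed purpose names; the statute names the rights, not these identifiers.
const OPT_OUT_PURPOSES = ["targeted_advertising", "sale", "profiling"];

// Server side: HTTP header names are case-insensitive, so normalize before
// comparing. The GPC signal is the header `Sec-GPC` with the value "1".
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Client side: feature-detect the property instead of assuming it exists,
// because browsers without GPC support leave it undefined.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Constructed in-memory store standing in for a database of recorded opt-outs,
// keyed by an assumed consumer identifier.
const optOutStore = new Map();

// Persist the opt-out so it still applies on later requests that may not carry
// the header (a design choice of this example, not a TDPSA requirement).
function recordOptOut(consumerId, purposes, source) {
  const existing = optOutStore.get(consumerId) || [];
  const merged = Array.from(new Set([...existing, ...purposes]));
  optOutStore.set(consumerId, merged);
  return { consumerId, purposes: merged, source };
}

// Decide which processing purposes may proceed for this visitor. GPC is an
// opt-out signal for the three opt-out rights only; it never counts as the
// affirmative consent the TDPSA requires for sensitive data, so sensitive-data
// processing is allowed only when explicit consent has been recorded.
function decideProcessing({ gpc, explicitOptOuts = [], sensitiveConsent = false }) {
  const blocked = new Set(explicitOptOuts);
  if (gpc) OPT_OUT_PURPOSES.forEach((p) => blocked.add(p));
  return {
    targeted_advertising: !blocked.has("targeted_advertising"),
    sale: !blocked.has("sale"),
    profiling: !blocked.has("profiling"),
    sensitive_data: sensitiveConsent === true,
  };
}

// Request handler: read the signal, record it, then apply the combined policy.
// `req` is a constructed shape { consumerId, headers, sensitiveConsent }.
function handleRequest(req) {
  const gpc = gpcFromHeaders(req.headers);
  if (gpc) recordOptOut(req.consumerId, OPT_OUT_PURPOSES, "gpc");
  return decideProcessing({
    gpc,
    explicitOptOuts: optOutStore.get(req.consumerId) || [],
    sensitiveConsent: req.sensitiveConsent === true,
  });
}

// Constructed sample traffic: one GPC-enabled browser, one without the signal
// but with recorded explicit consent for sensitive data.
const sampleRequests = [
  { consumerId: "sample-1", headers: { "Sec-GPC": "1", "User-Agent": "demo" } },
  { consumerId: "sample-2", headers: { "user-agent": "demo" }, sensitiveConsent: true },
];

for (const req of sampleRequests) {
  console.log(req.consumerId, JSON.stringify(handleRequest(req)));
}
```

On the client, `gpcFromNavigator(navigator)` can gate the same three purposes before any tag fires; on the server, `gpcFromHeaders(req.headers)` works with any framework that exposes the raw header object. Keeping the decision in one `decideProcessing` function makes it straightforward to show an assessor why a given purpose was or was not allowed for a given visitor.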
Who Must Comply With Texas’s New Data Privacy Law?
According to Section 541.002 of the TDPSA, your business must comply with this law if it meets the following thresholds:
- Conducts business in Texas or produces goods or services consumed by residents of the state
- Processes or sells personal data
- Is not a small business as defined by the United States Small Business Administration (SBA) — i.e., companies with fewer than 500 employees — unless the business engages in the sale of sensitive personal data
This is a unique legal scope, especially compared to other data privacy laws in the U.S., which traditionally rely on specific monetary and data processing thresholds.
Who Is Exempt From the TDPSA?
All of the following persons or entities are exempt from following the requirements outlined by the Texas Data Privacy and Security Act:
- State agencies or political subdivisions of Texas
- Financial institutions subject to Title V of the Gramm-Leach-Bliley Act (GLBA)
- Covered entities or business associates governed by the privacy, security, and breach notification rules established under HIPAA
- Non-profit companies
- Institutions of higher education
- Electric utility, power generation companies, and retail electric providers
How Can Businesses Get Ready For the TDPSA?
Businesses can set themselves up for success by preparing for the TDPSA before the July 1, 2024 deadline.
If you collect sensitive data, you’ll need to start obtaining consent from your users.
Using our Consent Management Platform for your website or app can help you meet these opt-in and opt-out obligations.
Data Subject Access Requests
Depending on your role and the type of data you process, you may need to perform data protection assessments.
If you share the information with others or rely on a third-party data processor, you should also create contracts meeting all TDPSA guidelines.
Finally, you must implement appropriate security measures to protect that personal information.
How Will the TDPSA Be Enforced?
The Texas Attorney General has exclusive enforcement authority under the TDPSA.
According to Sections 541.151 to 541.154 of the law, information will be available on the Attorney General’s website relating to the responsibilities of controllers and processors, consumer rights, and a mechanism through which consumers can submit TDPSA complaints.
The Attorney General can issue a civil investigative demand if they have reasonable cause to believe a person is violating the TDPSA and may demand that a controller disclose any data protection assessment relevant to the investigation to assess compliance.
The entity then has 30 days to cure the violation and provide a written statement to the Attorney General that includes:
- Confirmation that you remedied the violation
- Confirmation that you notified the consumer that you addressed their privacy issue
- Supporting documentation showing how you fixed the offense
- The changes made to internal policies to ensure that no such further violations will occur
Fines and Penalties Under the Texas Data Privacy and Security Act
According to Section 541.155, persons who fail to comply with the Texas Data Privacy and Security Act after the 30-day cure period face a potential fine of up to $7,500 per violation.
The Attorney General may also take the following actions:
- Recover civil penalties
- Restrain or enjoin the person from violating the TDPSA
- Seek injunctive relief
- Recover attorney’s fees and other reasonable expenses incurred in the investigation
However, consumers protected by this law don’t have a private right of action.
How Will Termly Help With TDPSA Compliance?
Termly can help you navigate the Texas Data Privacy and Security Act by providing the tools and resources you need to set your website or app up for full compliance.
We work hard to stay current on new and evolving data protection laws worldwide so our customers can know that the tools they’re using on their platform genuinely reflect the present data privacy landscape.
Are There Other Privacy-Related Laws In Texas?
The TDPSA is Texas’s first data privacy law that applies to consumer data online.
However, the state also has laws like the Texas Medical Records Privacy Act, which protects sensitive health and medical data from being released for marketing purposes without consent from the individual.
There’s also the Texas Identity Theft Enforcement and Protection Act, which requires peace officers in different jurisdictions of Texas to write reports and provide copies of them whenever a person living in their region allegedly falls victim to an identity crime.
You now know how to prepare your business for the Texas Data Privacy and Security Act.
Before July 2024, businesses that fall under this new state law should plan to:
- Add opt-out options to their cookie consent banners
- Implement data protection assessments as needed
- Follow contractual obligations with any third-party data processors
- Implement a method for honoring consumer universal opt-out mechanisms (before January 1, 2025)
We simplify data privacy compliance, even with new and upcoming laws like the TDPSA.