<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=5678177&amp;fmt=gif">

Texas Data Privacy and Security Act (TDPSA)

Also known as House Bill No. 4 .

Book a Demo

Find out your website's compliance score!

Data Privacy Scanner Results Home Screen

 

What is the Texas Data Privacy and Security Act ?

The Texas Data Privacy and Security Act (TDPSA) is Texas’ data privacy law, signed into law on June 18, 2023. Its effective date is July 1, 2024, however, Section 541.055, outlining the obligation of controllers to recognize universal opt-out mechanisms, such as GPC signals, becomes effective as of January 1, 2025. 

The Texas Data Privacy and Security Act is less robust than the ones enacted in California and Colorado, although it can be compared with the Virginia Consumer Data Protection Act. TDPSA requires that controllers specifically highlight when sensitive or biometric data is being sold by providing two separate notices. It can be achieved by posting: “NOTICE: We may sell your sensitive personal data'' or “NOTICE: We may sell your biometric personal data” in the same location as a Privacy Notice on your website.

 

What is Personal Information and what are other key definitions?

Under the Texas Data Privacy and Security Act, 'personal data’ is defined as “any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual” and includes “pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual,” but excludes “deidentified data or publicly available information.”

‘Sensitive personal data’ is defined by Texas privacy law as a category of personal data which includes “personal racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status; genetic or biometric data that is processed for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data.” A child means here “an individual younger than 13 years of age,” and ‘biometric data’ means “data generated by automatic measurements of an individual’s biological characteristics” which includes things such as “a fingerprint, voiceprint, eye retina or iris, or other unique biological pattern or characteristic that is used to identify a specific individual,” but does not include “a physical or digital photograph or data generated from a physical or digital photograph, a video or audio recording or data generated  from a video or audio recording,or information collected,used, or stored for healthcare treatment, payment, or operations under HIPAA.”

As far as ‘consent’ is concerned, when referring to a consumer, the law states that this has to be “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data” which includes “a written statement, including a statement written by electronic means, or any other unambiguous, affirmative action.” A ‘controller’ is an “individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data,” and a ‘processor’ is “a person that processes personal data on behalf of a controller.”

Last but not least, the Texas Data Privacy and Security Act (TDPSA) defines  ‘sale of personal data’ as “the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.”

Who has to comply with Texas Data Privacy and Security Act? 

Unlike other US privacy laws currently in force, Texas Data Privacy and Security Act does not set out annual revenue or number of consumers whose personal data is processed as the threshold for applicability, and only applies to entities that meet the below criteria:

  • conduct business in Texas or produce a product or service consumed by residents of Texas; 
  • process or engage in the sale of personal data; and
  • are not considered small businesses (as defined by the United States Small Business Administration), except for the requirement that small businesses obtain consent before selling the sensitive personal data of data subjects.

Still, this means that most companies conducting business in Texas must comply with the Texas Data Privacy and Security Act (TDPSA).

Who is excluded from compliance with Texas Data Privacy and Security Act

The Texas Data Privacy and Security Act (TDPSA) excludes several types of entities and data as follows: 

  • a state agency or a political subdivision of Texas;
  • a financial institution or data covered by Title V of the Gramm-Leach-Bliley Act;
  • a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services;
  • a nonprofit organization;
  • an institution of higher education; 
  • an electric utility, a power generation company, or a retail electric provider, as defined by the Utilities Code;
  • protected health information under HIPAA;
  • health records;
  • patient identifying information;
  • identifiable private information for purposes of the federal policy for the protection of human subjects; collected as part of human subjects research; or personal data used or shared in research;
  • information and documents created for purposes of the HealthCare Quality Improvement Act of 1986;
  • patient safety work product for purposes of the Patient Safety and Quality Improvement Act of 2005;
  • healthcare-related information that is deidentified in accordance with the requirements under HIPAA; 
  • information collected or used only for public health activities and purposes as authorized by HIPAA;
  • the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that the activity is covered by the Fair Credit Reporting Act (FCRA);
  • personal data collected, processed, sold, or disclosed in compliance with the Driver’s Privacy Protection Act of 1994;
  • personal data regulated by FERPA (Family Educational Rights  and Privacy Act), or the Farm Credit Act of 1971;
  • data processed or maintained in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of controller, processor, or third party, to the extent that the data is collected and used within the context of that role;
  • data processed or maintained as the emergency contact information of an individual that is used for emergency contact purposes; 
  • data that is processed or maintained and is necessary to retain to administer employment related benefits for another individual and used for the purposes of administering those benefits;
  • processing of personal data by a person in the course of a purely personal or household activity.

 

How can I keep my organization compliant with the Texas Data Privacy and Security Act?

According to the text of the Texas Data Privacy and Security Act (TDPSA), controllers have a number of obligations, such as to show transparency or to display a privacy notice, as well as additional notices, where applicable. What this means, in more detail, is that as a controller, you have to observe the following:

  • limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which that personal data is processed, as disclosed to the consumer;
  • for the purpose of protecting the confidentiality, integrity, and accessibility of personal data, you have to establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue;
  • do not process personal data for a purpose that is neither reasonably necessary to nor compatible with the disclosed purpose for which the personal data is processed, as disclosed to the consumer, unless you obtain the consumer's consent;
  • do not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers;
  • do not discriminate against a consumer for exercising any of the consumer rights contained in this chapter, including by denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer; 
  • do not process the sensitive data of a consumer without obtaining the consumer's consent, or, in the case of processing the sensitive data of a known child, without processing that data in accordance with the Children's Online Privacy Protection Act of 1998;
  • provide consumers with a reasonably accessible and clear privacy notice that includes:
    • the categories of personal data processed, including, if applicable, any sensitive data processed; 
    • the purpose for processing personal data; 
    • how consumers may exercise their consumer rights, including the process by which a consumer may appeal your decision; 
    • if applicable, the categories of personal data that you share with third parties; 
    • if applicable, the categories of third parties with whom you share personal data;
    • a description of the methods through which consumers can submit requests to exercise their consumer rights.
  • if you sell sensitive personal data or biometric personal data, you have an obligation to include the following notice: "NOTICE: We may sell your sensitive (or biometric) personal data" in the same location and in the same manner as the privacy notice;
  • conduct and document data protection assessment of each of the following processing activities involving personal data:
    • the processing of personal data for purposes of targeted advertising;
    • the sale of personal data;
    • the processing of personal data for purposes of profiling, if the profiling presents a reasonably foreseeable risk of: unfair or deceptive treatment of or unlawful disparate impact consumers; financial, physical, or reputational injury to consumers; a physical or other intrusion on the solitude or seclusion, or the private affairs or concerns of consumers, if the intrusion would be offensive to a reasonable person; or other substantial injury to consumers;
    • the processing of sensitive data; and
    • any processing activities involving personal data that present a heightened risk of harm to consumers.
  • establish two or more secure and reliable methods to enable consumers to submit a request to exercise their consumer rights, which must take into account: 
    • the ways in which consumers normally interact with you;
    • the necessity for secure and reliable communications of those requests; and
    • your ability to authenticate the identity of the consumer making the request.
  • establish a process for a consumer to appeal your refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision, for which the process has to be “conspicuously available and similar to the process for initiating action to exercise consumer rights by submitting a request.”
  • you are not permitted to require a consumer to create a new account to exercise their rights, but you are allowed to require a consumer to use an existing account.

One particularity of the Texas Data Privacy and Security Act (TDPSA) is that consumers are given the right to designate another person to serve as their authorized agent and act on their behalf to opt out of the processing of personal data for the purpose of targeted advertising or the sale of personal data, such as Global Privacy Control signals (GPC). The designation of an authorized agent can be done “using a technology, including a link to an Internet website, an Internet browser setting or extension, or a global setting on an electronic device, that allows the consumer to indicate the consumer's intent to opt out of the processing.” As a controller, you have an obligation to comply with an opt-out request received from an authorized agent if you can verify, “with commercially reasonable effort,” the identity of the consumer and the authorized agent's authority to act on their behalf.

The technology described above has to meet the following criteria: 

  • It cannot unfairly disadvantage another controller; 
  • It cannot make use of a default setting, but must require the consumer to make an affirmative, freely given, and unambiguous choice to indicate their intent to opt out of any processing of personal data;and
  • It must be consumer-friendly and easy to use by the average consumer.

As a processor, you have to adhere to the instructions of the controller and assist the controller in meeting or complying with their duties or requirements, and any data processing done on behalf of the controller has to be governed by a contract between the controller and the processor which includes among other things clear instructions for data processing, the duration of processing, or the rights and obligations of both parties.

 

Texas Data Privacy and Security Act (TDPSA) Compliance Checklist

compliance checklist for TDPSA Texas Data Privacy and Security Act

What data access rights does the Texas Data Privacy and Security Act grant? 

The TDPSA grants the following data subject rights to consumers: 

  • The right to confirm data processing 
  • The right to access the data; 
  • The right to correct; 
  • The right to delete; 
  • The right to data portability; 
  • The right to opt out of personal data processing for the purposes of targeted advertising, the sale of personal data, or “profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.”

 

How to address data subject access requests under the Texas Data Privacy and Security Act

As a controller, you have to  reply to data subject requests without undue delay, but within 45 days. You can extend the response period by an additional 45 days where reasonably necessary, “taking into account the complexity and number of the consumer's requests”as long as you inform the consumer of the extension within the initial 45-day response period, together with the reason for the extension.

If you decline a consumer request, you must inform the consumer within the same timeframe  of the refusal, providing them with the justification  and instructions on how your decision can be appealed. 

Information in response to a consumer request has to be provided free of charge, when consumers requested it, however, when this is a repeating request, and you have replied to a consumer two times already, within the past twelve month,  such request can be considered   “manifestly unfounded, excessive, or repetitive,” and you may charge the consumer “a reasonable fee to cover the administrative costs of complying with the request or may decline to act on the request.” In such situations, it would be your responsibility to prove that a request is manifestly unfounded, excessive, or repetitive. 

Upon receiving a consumer request, you have to authenticate it. If you are unable to do so “using commercially reasonable efforts,” then you are not required to comply with the consumer request and may ask the consumer to provide additional information reasonably necessary to authenticate them and their request.

Texas Data Privacy and Security Act (TDPSA) compliant website with Clym

Book a Demo

Enforcement and penalties

The Attorney General has exclusive authority to enforce this chapter. Covered entities have a 30 day cure period, after which the civil penalty for each violation is $7,500 and there is no private right of action. 

 

Data Subject Rights - GDPR vs. Texas Data Privacy and Security Act

 

How can Clym help?

Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:

  • All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
  • Seamless integration into your website;
  • Adaptability to your users’ location and applicable regulation;
  • Customizable branding;
  • ReadyCompliance™: Covering 30+ data privacy regulations;
  • Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.

You can convince yourself and see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.

FAQs About the Texas Data Privacy and Security Act (TDPSA)

Who does the Texas Data Privacy and Security Act apply to?

The Texas Data Privacy and Security Act applies to any entity that conducts business in or targets residents of Texas; processes or sells personal data; and is not considered a small business (as defined by the United States Small Business Administration), except for the requirement that small businesses obtain consent before selling the sensitive personal data of data subjects.

What is exempt from compliance with The Texas Data Privacy and Security Act (TDPSA)?

The Texas Data Privacy and Security Act (TDPSA) exempts several types of data such as health data protected by HIPAA, or data covered by the Gramm-Leach-Bliley Act, and several types of entities such as non-profit organizations, institutions of higher education, or state agencies or political subdivisions of Texas.

What rights does the Texas Data Privacy and Security Act provide to Texas residents?

The Texas Data Privacy and Security Act gives residents the following consumer rights: the right to confirm data processing; to access, correct, or delete their personal data;  the right to data portability; and the right to opt out of personal data processing for the purposes of targeted advertising, the sale of personal data, or “profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.”

Who enforces the Texas Data Privacy and Security Act (TDPSA)?

Texas Data Privacy and Security Act (TDPSA) is enforced by the Attorney General, with penalties of $7,500 for each violations.

illustration of contact means

Questions?

If you would like to learn more, our compliance experts are happy to support you.

Leave us a Message
support@clym.io
+1 980 446 8535 +1 866 275 2596