
Texas Data Privacy and Security Act (TDPSA)

Also known as House Bill No. 4.

What is the Texas Data Privacy and Security Act?

The Texas Data Privacy and Security Act (TDPSA) is Texas’ data privacy law, signed into law on June 18, 2023. Its effective date is July 1, 2024; however, Section 541.055, which sets out the obligation of controllers to recognize universal opt-out mechanisms such as GPC signals, becomes effective on January 1, 2025.

The Texas Data Privacy and Security Act is less robust than the laws enacted in California and Colorado, although it can be compared with the Virginia Consumer Data Protection Act. TDPSA requires that controllers specifically highlight when sensitive or biometric data is being sold by providing two separate notices. This can be achieved by posting “NOTICE: We may sell your sensitive personal data” or “NOTICE: We may sell your biometric personal data” in the same location as the Privacy Notice on your website.


What is Personal Information and what are other key definitions?

Under the Texas Data Privacy and Security Act, ‘personal data’ is defined as “any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual” and includes “pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual,” but excludes “deidentified data or publicly available information.”

‘Sensitive personal data’ is defined by Texas privacy law as a category of personal data which includes “personal racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status; genetic or biometric data that is processed for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data.” A child means here “an individual younger than 13 years of age,” and ‘biometric data’ means “data generated by automatic measurements of an individual’s biological characteristics” which includes things such as “a fingerprint, voiceprint, eye retina or iris, or other unique biological pattern or characteristic that is used to identify a specific individual,” but does not include “a physical or digital photograph or data generated from a physical or digital photograph, a video or audio recording or data generated from a video or audio recording, or information collected, used, or stored for healthcare treatment, payment, or operations under HIPAA.”

As far as ‘consent’ is concerned, when referring to a consumer, the law states that this has to be “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data” which includes “a written statement, including a statement written by electronic means, or any other unambiguous, affirmative action.” A ‘controller’ is an “individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data,” and a ‘processor’ is “a person that processes personal data on behalf of a controller.”

Last but not least, the Texas Data Privacy and Security Act (TDPSA) defines ‘sale of personal data’ as “the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.”

Who has to comply with the Texas Data Privacy and Security Act?

Unlike other US privacy laws currently in force, the Texas Data Privacy and Security Act does not set an annual revenue figure or a number of consumers whose personal data is processed as the threshold for applicability. Instead, it applies to entities that meet all of the following criteria:

  • conduct business in Texas or produce a product or service consumed by residents of Texas; 
  • process or engage in the sale of personal data; and
  • are not considered small businesses (as defined by the United States Small Business Administration), except for the requirement that small businesses obtain consent before selling the sensitive personal data of data subjects.

Still, this means that most companies conducting business in Texas must comply with the Texas Data Privacy and Security Act (TDPSA).

Who is excluded from compliance with the Texas Data Privacy and Security Act?

The Texas Data Privacy and Security Act (TDPSA) excludes several types of entities and data as follows: 

  • a state agency or a political subdivision of Texas;
  • a financial institution or data covered by Title V of the Gramm-Leach-Bliley Act;
  • a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services;
  • a nonprofit organization;
  • an institution of higher education; 
  • an electric utility, a power generation company, or a retail electric provider, as defined by the Utilities Code;
  • protected health information under HIPAA;
  • health records;
  • patient identifying information;
  • identifiable private information for purposes of the federal policy for the protection of human subjects; collected as part of human subjects research; or personal data used or shared in research;
  • information and documents created for purposes of the HealthCare Quality Improvement Act of 1986;
  • patient safety work product for purposes of the Patient Safety and Quality Improvement Act of 2005;
  • healthcare-related information that is deidentified in accordance with the requirements under HIPAA; 
  • information collected or used only for public health activities and purposes as authorized by HIPAA;
  • the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that the activity is covered by the Fair Credit Reporting Act (FCRA);
  • personal data collected, processed, sold, or disclosed in compliance with the Driver’s Privacy Protection Act of 1994;
  • personal data regulated by FERPA (Family Educational Rights and Privacy Act), or the Farm Credit Act of 1971;
  • data processed or maintained in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role;
  • data processed or maintained as the emergency contact information of an individual that is used for emergency contact purposes; 
  • data that is processed or maintained and is necessary to retain to administer employment related benefits for another individual and used for the purposes of administering those benefits;
  • processing of personal data by a person in the course of a purely personal or household activity.


How can I keep my organization compliant with the Texas Data Privacy and Security Act?

According to the text of the Texas Data Privacy and Security Act (TDPSA), controllers have a number of obligations, such as transparency towards consumers and the display of a privacy notice, together with additional notices where applicable. In more detail, as a controller you have to observe the following:

  • limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which that personal data is processed, as disclosed to the consumer;
  • for the purpose of protecting the confidentiality, integrity, and accessibility of personal data, you have to establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue;
  • do not process personal data for a purpose that is neither reasonably necessary to nor compatible with the disclosed purpose for which the personal data is processed, as disclosed to the consumer, unless you obtain the consumer's consent;
  • do not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers;
  • do not discriminate against a consumer for exercising any of the consumer rights contained in this chapter, including by denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer; 
  • do not process the sensitive data of a consumer without obtaining the consumer's consent, or, in the case of processing the sensitive data of a known child, without processing that data in accordance with the Children's Online Privacy Protection Act of 1998;
  • provide consumers with a reasonably accessible and clear privacy notice that includes:
    • the categories of personal data processed, including, if applicable, any sensitive data processed; 
    • the purpose for processing personal data; 
    • how consumers may exercise their consumer rights, including the process by which a consumer may appeal your decision; 
    • if applicable, the categories of personal data that you share with third parties; 
    • if applicable, the categories of third parties with whom you share personal data;
    • a description of the methods through which consumers can submit requests to exercise their consumer rights.
  • if you sell sensitive personal data or biometric personal data, you have an obligation to include the following notice: "NOTICE: We may sell your sensitive (or biometric) personal data" in the same location and in the same manner as the privacy notice;
  • conduct and document data protection assessment of each of the following processing activities involving personal data:
    • the processing of personal data for purposes of targeted advertising;
    • the sale of personal data;
    • the processing of personal data for purposes of profiling, if the profiling presents a reasonably foreseeable risk of: unfair or deceptive treatment of, or unlawful disparate impact on, consumers; financial, physical, or reputational injury to consumers; a physical or other intrusion on the solitude or seclusion, or the private affairs or concerns, of consumers, if the intrusion would be offensive to a reasonable person; or other substantial injury to consumers;
    • the processing of sensitive data; and
    • any processing activities involving personal data that present a heightened risk of harm to consumers.
  • establish two or more secure and reliable methods to enable consumers to submit a request to exercise their consumer rights, which must take into account: 
    • the ways in which consumers normally interact with you;
    • the necessity for secure and reliable communications of those requests; and
    • your ability to authenticate the identity of the consumer making the request.
  • establish a process for a consumer to appeal your refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision, for which the process has to be “conspicuously available and similar to the process for initiating action to exercise consumer rights by submitting a request.”
  • you are not permitted to require a consumer to create a new account to exercise their rights, but you are allowed to require a consumer to use an existing account.

One particularity of the Texas Data Privacy and Security Act (TDPSA) is that consumers are given the right to designate another person to serve as their authorized agent and act on their behalf to opt out of the processing of personal data for the purpose of targeted advertising or the sale of personal data, including through universal opt-out mechanisms such as Global Privacy Control (GPC) signals. The designation of an authorized agent can be done “using a technology, including a link to an Internet website, an Internet browser setting or extension, or a global setting on an electronic device, that allows the consumer to indicate the consumer's intent to opt out of the processing.” As a controller, you have an obligation to comply with an opt-out request received from an authorized agent if you can verify, “with commercially reasonable effort,” the identity of the consumer and the authorized agent's authority to act on their behalf.

The technology described above has to meet the following criteria:

  • It cannot unfairly disadvantage another controller;
  • It cannot make use of a default setting, but must require the consumer to make an affirmative, freely given, and unambiguous choice to indicate their intent to opt out of any processing of personal data; and
  • It must be consumer-friendly and easy to use by the average consumer.
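On a website, the GPC signal described above arrives as an HTTP request header, so recognizing it is a web-tier task. The following is an added example, not part of the original page and not Clym's code, showing how a controller could detect the signal and record the two opt-outs that TDPSA ties to it (targeted advertising and the sale of personal data); it assumes the `Sec-GPC` request header defined by the Global Privacy Control specification, and the preference keys and header object shape are hypothetical.

```javascript
// Added example: honoring a Global Privacy Control (GPC) opt-out signal.
// Assumption: the browser or extension sends the "Sec-GPC" request header
// defined by the GPC specification; its only valid value is "1".
// The `prefs` object and its keys are hypothetical, standing in for however
// a site stores a consumer's recorded choices.

const GPC_HEADER = "sec-gpc";

// Returns true only for a well-formed signal. Header names are matched
// case-insensitively (Node lowercases them; other stacks may not), and any
// value other than the exact string "1" is treated as "no signal".
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === GPC_HEADER) {
      return value === "1";
    }
  }
  return false;
}

// Apply the signal to a consumer's stored preferences and return the result.
// TDPSA's universal opt-out covers exactly two purposes, so only those two
// keys change. The signal is one-directional: its absence never flips an
// earlier opt-out (for example one submitted through a web form) back to
// opted-in, because silence is not consent under the Act's definition.
function applyGpcSignal(headers, prefs) {
  const updated = { ...prefs };
  if (hasGpcSignal(headers)) {
    updated.targetedAdvertising = "opt-out";
    updated.saleOfPersonalData = "opt-out";
    updated.optOutSource = "gpc";
  }
  return updated;
}

// Per-request gate for ad-tech tags or data-sharing calls: a purpose is
// allowed only when the consumer has not opted out of it.
function processingAllowed(prefs, purpose) {
  return prefs[purpose] !== "opt-out";
}

// Constructed sample request: a browser with GPC enabled.
const sampleHeaders = { "Sec-GPC": "1", "User-Agent": "example" };
const samplePrefs = { targetedAdvertising: "opt-in", saleOfPersonalData: "opt-in" };
const decided = applyGpcSignal(sampleHeaders, samplePrefs);
console.log(processingAllowed(decided, "targetedAdvertising")); // false
```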

As a processor, you have to adhere to the instructions of the controller and assist the controller in meeting their duties and requirements. Any data processing done on behalf of the controller has to be governed by a contract between the controller and the processor which includes, among other things, clear instructions for data processing, the duration of processing, and the rights and obligations of both parties.


What data access rights does the Texas Data Privacy and Security Act grant?

The TDPSA grants the following data subject rights to consumers:

  • The right to confirm data processing;
  • The right to access the data;
  • The right to correct;
  • The right to delete;
  • The right to data portability;
  • The right to opt out of personal data processing for the purposes of targeted advertising, the sale of personal data, or “profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.”


How to address data subject access requests under the Texas Data Privacy and Security Act

As a controller, you have to reply to data subject requests without undue delay, and in any case within 45 days. You can extend the response period by an additional 45 days where reasonably necessary, “taking into account the complexity and number of the consumer's requests,” as long as you inform the consumer of the extension, together with the reason for it, within the initial 45-day response period.

If you decline a consumer request, you must inform the consumer of the refusal within the same timeframe, providing them with the justification and instructions on how your decision can be appealed.

Information provided in response to a consumer request has to be free of charge. However, when a request is a repeat one and you have already replied to the consumer twice within the past twelve months, the request can be considered “manifestly unfounded, excessive, or repetitive,” and you may charge the consumer “a reasonable fee to cover the administrative costs of complying with the request or may decline to act on the request.” In such situations, it is your responsibility to prove that the request is manifestly unfounded, excessive, or repetitive.

Upon receiving a consumer request, you have to authenticate it. If you are unable to do so “using commercially reasonable efforts,” then you are not required to comply with the consumer request and may ask the consumer to provide additional information reasonably necessary to authenticate them and their request.


Enforcement and penalties

The Attorney General has exclusive authority to enforce this chapter. Covered entities have a 30-day cure period, after which the civil penalty is $7,500 for each violation. There is no private right of action.

Data Subject Rights - GDPR vs. Texas Data Privacy and Security Act


How can Clym help?

Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:

  • All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
  • Seamless integration into your website;
  • Adaptability to your users’ location and applicable regulation;
  • Customizable branding;
  • ReadyCompliance™: Covering 30+ data privacy regulations;
  • Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.

You can see for yourself how Clym works by booking a demo or reaching out to us to discuss your specific needs today.

FAQs About the Texas Data Privacy and Security Act (TDPSA)

Who does the Texas Data Privacy and Security Act apply to?

The Texas Data Privacy and Security Act applies to any entity that conducts business in or targets residents of Texas; processes or sells personal data; and is not considered a small business (as defined by the United States Small Business Administration), except for the requirement that small businesses obtain consent before selling the sensitive personal data of data subjects.

What is exempt from compliance with The Texas Data Privacy and Security Act (TDPSA)?

The Texas Data Privacy and Security Act (TDPSA) exempts several types of data such as health data protected by HIPAA, or data covered by the Gramm-Leach-Bliley Act, and several types of entities such as non-profit organizations, institutions of higher education, or state agencies or political subdivisions of Texas.

What rights does the Texas Data Privacy and Security Act provide to Texas residents?

The Texas Data Privacy and Security Act gives residents the following consumer rights: the right to confirm data processing; to access, correct, or delete their personal data; the right to data portability; and the right to opt out of personal data processing for the purposes of targeted advertising, the sale of personal data, or “profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.”

Who enforces the Texas Data Privacy and Security Act (TDPSA)?

The Texas Data Privacy and Security Act (TDPSA) is enforced by the Attorney General, with civil penalties of $7,500 for each violation.
