Texas Data Privacy & Security Act
October 3, 2024 | By Bronté Story, Jeff Villalobos
Texas has enacted the Texas Data Privacy and Security Act. Along with clarifying what rights Texas residents have over their personal data, the Act also imposes responsibilities on qualifying businesses for how those businesses may use a person’s personal data. These obligations came into effect July 1, 2024.
Texas Data Privacy and Security Act
Texas is the 11th state to enact comprehensive consumer privacy protections, doing so through the Texas Data Privacy and Security Act (“TDPSA”). Effective July 1, 2024, the TDPSA establishes which entities have additional responsibilities under the TDPSA, contains expansive definitions, and defines consumer rights regarding personal data. The TDPSA complements Senate Bill 2105 (described below), which defined and established duties for Data Brokers, and House Bill 2545, which governs the collection and use of genetic data. If you are running a business in Texas, or servicing any consumer that resides there, you need to be aware of these regulations and act accordingly if they currently apply to your company.
What Businesses does the TDPSA apply to?
The TDPSA applies to persons or entities that: (1) conduct business in Texas or produce products or services that Texas residents consume acting in an individual or household context (“Consumer”); (2) process any volume of personal data or engage in personal data sales; and (3) do not qualify as a small business as defined by the US Small Business Administration Program. Tex. Bus. & Com. Code Ann. §§ 541.002(a) and 541.107. Title 13 Chapter 1 Part 121.201 (sets size standards describing a small business by industry and subsector).
Exceptions to the TDPSA
The TDPSA has the following limited exceptions to entity and data coverage: state agencies or political subdivisions, nonprofits, institutions of higher education; electric utilities, generation companies, and retail electric providers; entities or data regulated by other sector-specific laws, such as the health industry (HIPAA), finance industry (Gramm-Leach-Bliley Act), credit industry (FCRA), or child privacy laws (COPPA).
Processors and Controllers of Data under the TDPSA
If your business is governed by the TDPSA, it is important to know how to comply with TDPSA duties relevant to you. First of these is to determine whether your company is considered a Processor, Controller, or both.
If your business collects, uses, stores, discloses to a third party, analyzes, or modifies personal data, where personal data means “any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual,” you are considered a “Processor”. See Tex. Bus. & Com. Code §§ 541.001(19) and 541.001(23). For example, if you provide bookkeeping or software services that require you to collect, analyze, and/or process information of your customers in order to provide your services, this likely means you collect, store, or disclose the personal data of your customers as a Processor. Think of Processors as those who process data on behalf of the person or entity that controls personal data (the “Controller”). If you or your business determines the purpose and means of processing that personal data, you are a “Controller”. Tex. Bus. & Com. Code § 541.001(7). As a Controller, you are likely either the owner of the personal data being processed or you are a third party that controls how that personal data is processed (by your own company or any third-party processor) provided you have all appropriate permissions and consents from the original owner of the personal data to do so. Businesses can be Processors and Controllers, or just one or the other. An example of a Controller is a payment processing company. Let’s say you engage a third-party payment processor to process the payments your customers make to purchase your goods or services. Because you have no say over what personal data is collected, how it is stored, and how it is used (i.e. you don’t ‘control’ these things), you are not the Controller, the payment processor is.
Controllers must first provide a reasonably accessible and clear privacy policy and must obtain consumer consent before processing Sensitive Data as defined under the TDPSA. Tex. Bus. & Com. Code § 541.001(29). Once disclosure is made and consent is secured, Controllers must limit the collection of personal data to what is “adequate, relevant, and reasonably necessary in relation to the disclosed purposes for which that data is processed.” § 541.101(a). After collecting consumer data, Controller duties include, but are not limited to, establishing and implementing data security practices that are appropriate to the volume and nature of the personal data collected, and responding to consumer rights requests within 45 days, or within an additional 45 days if an extension is properly executed. § 541.101(29). Finally, if a consumer exercises their rights, a Controller may NOT discriminate or retaliate by denying goods or services, charging different prices or rates, or providing a different level of quality. § 541.101(b).
Processors must adhere to the Controller’s instructions regarding data processing, storage, security, and consumer rights; help the Controller meet its TDPSA obligations by responding to consumer requests, complying with data security and breach notification rights, and conducting data protection assessments; and enter into a binding contract with the Controller that contains specific terms governing the Processor and Controller relationship. § 541.104.
A binding contract between a Processor and Controller must include: clear processing instructions describing the nature and purpose of processing, the types of personal data processed, and the duration of processing; a description of the rights and obligations of both parties; and a requirement that the Processor ensure the duty of confidentiality, return or destroy all personal data when the relationship ends, and make available all information necessary to confirm compliance with data security obligations. § 541.101(b)-(c).
Consumer Rights under the TDPSA
The TDPSA also grants Consumers various Consumer Rights. “A Consumer has the right to exercise their rights at any time by submitting a request to a Controller specifying the rights the Consumer wishes to exercise.” § 541.051(a). A request may be made by email if the Controller is a solely online business. If the Controller has a physical location, it is likely required to provide a contact email and phone number for Consumer requests. Controllers must provide a response, free of charge, up to twice annually per consumer provided the request is not unfounded, excessive, or repetitive. Tex. Attorney General Website.
Consumer Rights can be broken up into two distinct categories: the right to access, modify, or delete collected data (“Access Rights”); and the right to opt out of certain processing (“Opt-Out Rights”).
- A Consumer’s Access Rights include the right to confirm a business is processing their data, the right to see and correct data, the right to delete Personal Data provided by or obtained about the consumer, and the right to view their data in an easily portable and readable format. § 541.051(b).
- A Consumer’s Opt-Out Rights allow the Consumer to request that their data not be sold, to request that their data not be used for targeted advertising, and to opt out of profiling that furthers any type of decision that produces legal or similarly significant effects. § 541.051(b).
What this means is that if the TDPSA applies to your business, you must comply with Consumer requests regarding their rights under this law. Even if your company does not meet the TDPSA thresholds, it is our advice to start complying with these requests, received from both Texas Consumers and consumers located in other states, as a best practice to stay ahead of ever-evolving data privacy laws.
Finally, the TDPSA also prohibits Controllers from processing personal data in violation of state and federal laws that prohibit discrimination, and from discriminating against a Consumer for exercising their personal data rights. However, a Controller may decline to provide a product or service that requires a Consumer’s Personal Data when the Controller does not collect it. Further, Controllers may “offer a different price, rate, level, quality, or selection of goods or services, including for no fee, if the Consumer: exercises an opt-out right; or voluntarily participates in a bona fide loyalty, rewards, premium features, discounts, or club card program.” § 541.101(c).
Data Brokers
Senate Bill 2105 applies to “business entities whose principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly from the individual linked or linkable to the data” (“Data Broker”), and became effective in September 2023. Tex. Bus. & Com. Code § 509.001(4).
This bill only applies to a Data Broker that, in a 12-month period, derives: “(1) more than 50 percent of the data broker’s revenue from processing or transferring personal data that the data broker did not collect directly from the individuals to whom the data pertains; or (2) revenue from processing or transferring the personal data of more than 50,000 individuals that the data broker did not collect directly from the individuals to whom the data pertains.” § 509.003(a)(1)-(2).
If your business qualifies as a Data Broker in the state of Texas, you must register as such with the Texas Secretary of State office by filing a Data Broker Registration Form, which must be accompanied by a $300 registration fee.
Some of the key requirements of Data Brokers are to maintain a website or mobile app that has a conspicuously posted notice which, in part, contains the applicable language provided in 1 TAC §106.5(1) or 1 TAC §106.5(2), and to develop, implement, and maintain a comprehensive information security program. § 509.007.
Conclusion
Vela Wood is here to assist you in making sure your company meets the new requirements for data privacy and security in Texas. As a best practice, we recommend that you review your privacy policy each year. With diligent review, and by understanding your business classification under the TDPSA and SB 2105, you can be confident your business is compliant in this new era of Consumer Privacy.
Public Resources
Consumer Data Protection:
Tex. Bus. & Com. Code §§ 541.001 – 2.05
Data Brokers:
Tex. Bus. & Com. Code §§ 509.001 – 509.010
Texas Attorney General Guidance on TDPSA
Texas Secretary of State: Data Brokers