States are continuing to pass privacy laws at a rapid-fire pace; with the passage of the Texas Data Privacy and Security Act (TDPSA), the number of state laws has jumped to double digits. (For context, at the beginning of 2021, only California had a comprehensive data privacy law.)
For businesses that may need to comply with the TDPSA, here are some quick facts to get you oriented.
When Does It Go Into Effect?
The Texas Data Privacy and Security Act will go into effect on July 1, 2024.
What Businesses Must Comply?
The TDPSA defines its scope differently than other privacy laws. It applies to for-profit businesses that (1) do business in Texas (or produce products/services that are targeted to Texas residents), (2) process and/or sell personal data, and (3) are not “small businesses” as described by the U.S. Small Business Administration.
The SBA’s definition of a small business is a little tricky, as it varies widely by industry. To determine whether your business qualifies, you can find your industry on this table.
Importantly, the TDPSA prohibits even small businesses from selling sensitive data without a consumer’s consent.
What Rights Do Consumers Have Under the Texas Law?
Texas consumers now have the following privacy rights:
- Right to Know - Consumers have the right to confirm whether a business is processing their personal data and, if so, to access that data.
- Right to Correct - Consumers can request that a business correct any inaccurate personal information it holds about a consumer.
- Right to Delete - Upon request, businesses must delete personal data about the consumer.
- Right to Portability - Upon request, businesses must provide a copy of the consumer’s personal data in a readily portable format so that it can be transmitted to another controller.
- Right to Opt Out - Consumers can opt out of:
- Targeted advertising
- The sale of their personal data
- Profiling in furtherance of automated decision-making that produces legal or similarly significant effects for the consumer (e.g., financial lending, housing, etc.)
What Is “Personal Data”?
The TDPSA defines “personal data” along the same lines as other state privacy laws, i.e. any information “that is linked or reasonably linkable to an identified or identifiable individual.” It does does not include deidentified data or publicly available information.
This definition covers more information than some might think, from IP addresses to internet cookies to shopping habits.
Are Data Protection Impact Assessments Required?
The Texas Data Privacy and Security Act requires businesses to perform data protection impact assessments for certain types of processing activities. Texas requires a DPIA required for the following processing activities:
- Targeted advertising
- Sale of personal data
- Profiling of consumers, where it presents a foreseeable risk of harm
- Processing of sensitive personal data
- Any other processing activity that presents a heightened risk of harm to consumers
How Much Do Violations Cost?
Courts may impose fines of up to $7,500 per violation per consumer.
Can Businesses Be Sued by Consumers?
The Texas Data Privacy and Security Act does not grant a private right of action to consumers, meaning they cannot sue a business over alleged violations.
Cross-Country Privacy Compliance
The pace of state privacy legislation is picking up, with many states likely to pass their own laws in the near future. With each new law, compliance becomes a little more complicated to manage, especially for businesses without in-house privacy experts.
TrueVault US helps businesses of all sizes get compliant with privacy laws from across the country with one streamlined platform. Designed by attorneys, TrueVault US is a software solution that guides you at every step of the way, from onboarding vendors to responding to consumer privacy requests.
To learn more about how TrueVault US can help your business, contact our team today.
