Deep in the Heart of Privacy: Understanding the Texas Data Privacy and Security Act's Impact on Businesses
On May 28, 2023, the Texas Legislature passed the Texas Data Privacy and Security Act (TDPSA). Once this law becomes effective on July 1, 2024, Texas will become the tenth state to adopt a consumer data privacy law. This Texas law stands apart from its counterparts in other states and is not merely an extension of prior California regulation.
Is my business regulated by the TDPSA?
Unlike other state privacy laws, which have more clearly laid-out thresholds, the TDPSA applies to any company that:
- Conducts business in Texas or produces a product or service consumed by residents of Texas;
- Processes or engages in the sale of personal data (this includes maintaining personal information of customers and/or employees); and
- Is not a small business, as defined by the Small Business Administration (SBA).
The SBA identification adds a unique test when comparing the TDPSA with other existing state data privacy laws.
The SBA generally defines a small business as an independent business with fewer than 500 employees. However, the SBA also takes other factors into consideration, such as industry and affiliation, which complicates the definition. If your company employs approximately 500 or more employees, you should assume the TDPSA applies to you.
Who is protected by the TDPSA?
Under the TDPSA, Texas residents are granted new rights to control their personal data. These rights include the right to access, correct, delete or obtain copies of their personal data, subject to specific exemptions and stipulations. For example, a customer of a manufacturing business may be concerned with personal data such as payment details, shipping history or contact information. Employees may be concerned with personal data related to compensation and benefits, employment history, marital and family status, and workplace incident and health information.
Additionally, Texans are empowered to opt out of the sale of their personal data and of the processing of their personal data for targeted advertising or certain types of profiling.
Consumers may exercise their rights at any time by submitting a request to a business that holds their personal data, identifying the rights they wish to assert and how they want their data used.
How do I protect my business?
Businesses can prepare for the TDPSA by:
- Limiting the collection of personal data to what is necessary.
- Providing consumers with an accessible and clear privacy notice. For example, post a notice on your company website or in an employee handbook.
- Establishing reasonable administrative, technical and physical data security practices. For example, hiring specialists to manage data intake, password-protecting folders and applications that contain HR files, and limiting access to employee and customer data to only those who need to know.
- Establishing two or more secure ways for consumers to submit requests. For example, establishing a 1-800 number and an email address for consumers to contact you.
What do I do if a consumer submits a request?
Companies should be equipped to respond to consumer requests without delay. Under the TDPSA, companies have 45 days from the date of the request to respond. Companies also reserve the right to decline to respond to excessive requests. If that is the case, the company should inform the consumer of the justification for declining to take action.
How does the TDPSA differ from existing state laws?
In California, before initiating a CCPA action, the California Attorney General must give the subject entity at least 30 days to cure the alleged violation. The business is only subject to civil penalties if it does not cure the violation. The TDPSA has a similar cure procedure but increases the burden on entities to prove that the issues have been cured. Specifically, under the TDPSA, the company must provide a written statement that it:
- Resolved the alleged violation;
- Notified the consumer that the consumer’s privacy violation was resolved;
- Provided supporting documentation to show how the privacy violation was resolved; and
- Made changes to internal policies, if necessary, to ensure that no such violation will occur in the future.
If an entity fails to comply with this procedure, the Texas Attorney General may initiate an action to recover a civil penalty of up to $7,500 for each violation. The TDPSA does not create a private right of action.
Companies have until July 1, 2024, to comply with the TDPSA’s provisions. While companies that are currently subject to other state data privacy laws may be more likely to be in compliance with the TDPSA, the new law’s unique standards may apply more broadly. Over the next year, companies should ensure that they develop adequate measures to satisfy the requirements of the TDPSA.
For questions on your company’s policies and practices, reach out to Gray Reed’s Cybersecurity, Data Management and Data Privacy team.
A special thanks to Gray Reed Summer Associate Kamal Omar, a rising 3L at SMU Law School, for his assistance in researching and drafting this alert.