Texas Data Privacy and Security Act

Privacy Plus+

Privacy, Technology and Perspective

Let’s consider the Texas Data Privacy and Security Act (“TDPSA”), which has just been signed into law.  A link to the text of the TDPSA follows:

https://capitol.texas.gov/tlodocs/88R/billtext/pdf/HB00004F.pdf#navpanes=0

We’ll offer this summary:

Who is required to comply?

Section 541.002 of the TDPSA provides that the law will apply to any person (inside or outside of Texas) that:

- conducts business in Texas or produces a product or service consumed by Texas residents;

- processes or engages in the sale of personal data; and

- is not a small business defined by the U.S. Small Business Administration (SBA) (though Section 541.107 does require small businesses to receive consent from consumers before selling consumers’ sensitive data). The SBA’s Office of Advocacy generally defines a small business as “an independent business having fewer than 500 employees,” and the SBA also has industry-level small business size standards used in government programs and contracting. A link to the current SBA’s Office of Advocacy guidance follows:

  https://advocacy.sba.gov/wp-content/uploads/2023/03/Frequently-Asked-Questions-About-Small-Business-March-2023-508c.pdf

Relevant definitions: Section 541.001 of the TDPSA contains the definitions.  Under subsection (19), “personal data” is “any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual.  The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.  The term does not include deidentified data or publicly available information.” Under subsection (8), “controllers” are individuals or other persons that, alone or jointly with others, determine the purpose and means of processing personal data.  Under subsection (22), an organization “processes” (or is a processor of) personal data if it collects, uses, stores, discloses, analyzes, deletes, or modifies such data.  With several exceptions, under subsection (28), an organization engages in the “sale of personal data” if it shares, discloses, or transfers such data for monetary or other valuable consideration to a third party.

Who is exempted?

The TDPSA exempts certain organizations. Exempted entities, which don’t have to comply, include:

- nonprofit organizations,

- state agencies,

- political subdivisions,

- financial institutions subject to the Gramm-Leach-Bliley Act (“GLBA”),

- covered entities or business associates governed by the Health Insurance Portability and Accountability Act (“HIPAA”),

- institutions of higher education, and

- electric utilities.

What information is exempted?:

The TDPSA, which generally covers “personal data,” exempts certain information from its scope.  Exempted information includes:

- employee/applicant personal data to the extent the data is collected within the context of employment or recruitment, and several other related types of data,

- Protected Health Information under HIPAA, health records, patient identifying information, and

- personal data regulated by other federal laws, including the Fair Credit Reporting Act (“FCRA”), the Driver’s Privacy Protection Act (“DPPA”), the Family Educational Rights and Privacy Act (“FERPA”), and the Farm Credit Act.

New Consumer Rights for Texas Residents:

Section 541.051 of the TDPSA gives consumers the following rights concerning their personal data:

- Right to have a controller confirm whether it is processing a consumer’s personal data;

- Right to correct inaccuracies in the personal data;

- Right to delete personal data;

- Right to access;

- Right to portability; and

- Right to opt out of sales, targeted advertising, and certain profiling activities.

What Obligations Do Controllers Have?:

Under TDPSA, controllers have certain obligations related to their collection and processing of “personal data.” These obligations include:

- Data minimization – Section 541.101(a)(1) – Limiting the collection of personal data to what is adequate, relevant and reasonably necessary for the purposes they’ve disclosed to consumers in their privacy notices.

- Data security – Section 541.101(a)(2) – Establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices, which should be appropriate for the amount and nature of the data they have.

- Purpose limitation – Section 541.101(b)(1) – Not processing personal data for purposes other than those they’ve disclosed to consumers in their privacy notices, absent consent.

- Non-discrimination – Section 541.101(b)(2)-(3) – Not processing personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers, and not discriminating against consumers for exercising any of their rights under the TDPSA.

- Consent to process sensitive data – Section 541.101(b)(4) – Obtaining consent from consumers to process sensitive data and children’s data, if not processed in accordance with the Children’s Online Privacy Protection Act (“COPPA”). “Sensitive data” includes:

  + personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, or citizenship or immigration status;

  + genetic or biometric data that is processed for the purpose of uniquely identifying an individual (the term “biometric data” includes a fingerprint, voiceprint, eye retina or iris, or other unique biological pattern or characteristic that is used to identify a specific individual. The term does not include a physical or digital photograph or data generated from a physical or digital photograph, a video or audio recording or data generated from a video or audio recording, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA);

  + personal data collected from a known child (younger than 13 years of age); or

  + precise geolocation data (within a radius of 1,750 feet and not connected to a utility).

- Privacy notice – Section 541.101(a) – Providing consumers with a reasonably accessible and clear privacy notice that includes: (1) the categories of personal data and sensitive data processed by the controller, (2) the purposes for processing personal data, (3) how consumers may exercise their rights, (4) the categories of personal data shared with third parties, (5) the categories of third parties with whom the controller shares personal data, and (6) a description of the methods for submitting requests to exercise consumer rights under the TDPSA.

- Posting a notice alerting consumers to the sale of sensitive data – Sections 541.101(b) and (c) – Posting a particular notice if the controller engages in the sale of sensitive data or the sale of biometric personal data.

- Disclosing the sale of personal data / processing for targeted advertising – Section 541.103 – Clearly and conspicuously disclosing such sale and the method by which a consumer may exercise the right to opt out.

- Data protection assessments – Section 541.105 – Conducting and documenting a data protection assessment concerning the following types of processing activities: (1) targeted advertising; (2) sale of personal data; (3) profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment or unlawful disparate impact, financial, physical or reputational injury, intrusion upon seclusion or private affairs and concern, or other substantial injury; (4) processing of sensitive data; and (5) any processing activities involving personal data that present a heightened risk of harm to consumers.

- Responding to consumer requests – Section 541.052(b) – Controllers must respond within 45 days of receipt of a consumer request, which may be extended for an additional 45 days when “reasonably necessary,” so long as the controller notifies the consumer of the extension within the initial 45-day period.

- Consumer right to appeal – Section 541.053 – Controllers must establish a process for consumers to appeal the refusal to take action on a request, make that appeals process “conspicuously available,” and respond within 60 days of receipt of an appeal.

- See also Contracting Requirements, below.

What Obligations Do Processors Have?:

A "Processor" is a person that processes personal data on behalf of a controller. Under TDPSA, processors have this obligation:

- Instructions and assistance – Section 541.104(a) – Adhering to the controller’s instructions for processing personal data and assisting the controller in meeting its obligations, including responding to consumer requests, securing personal data, and providing necessary information for data protection assessments.

Contracting Requirements:

Like many other privacy laws, Section 541.104(b) of the TDPSA requires a contract between a controller and a processor governing the processor’s data processing procedures.  The contract must include the following: (1) clear instructions for processing data; (2) the nature and purpose of processing; (3) the type of data subject to processing; (4) the duration of the processing; (5) the rights and obligations of both parties; and (6) obligations on the processor to:

- Ensure that each person processing personal data is subject to a duty of confidentiality;

- Delete or return all personal data to the controller, at the controller’s discretion, at the end of the provision of services, unless retention is required by law;

- Make available to the controller upon request all information in the processor’s possession necessary to demonstrate the processor’s TDPSA compliance;

- Cooperate with reasonable assessments by the controller or the controller’s designated assessor; and

- Enter into a written contract with any subcontractor to meet the requirements of the processor with respect to personal data.

Enforcement:

Unlike the CCPA, as amended by the CPRA, which contains a limited private right of action for data breaches, the TDPSA provides no private right of action. The Texas Attorney General will have exclusive authority to enforce the TDPSA, subject to its 30-day cure period (Section 541.154). If the controller or processor fails to cure violations of the statute, the Texas Attorney General may bring an action and seek an injunction to restrain any violations, with civil penalties of up to $7,500 for each violation.

Effective Date:

Most of the TDPSA will take effect on July 1, 2024, though its provision under subsection 541.055(e) related to opt-out mechanisms on websites won’t take effect until January 1, 2025.

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.
