Understanding the Texas Data Privacy and Security Act (TDPSA): Key Compliance Requirements for Businesses

As data privacy continues to be a growing concern, businesses must stay ahead of regulations that impact their operations. The Texas Data Privacy and Security Act (TDPSA) introduces critical measures to ensure consumer privacy protection, specifically for organizations handling personal data. This guide breaks down the key provisions of the TDPSA, what businesses need to know to comply, and how Curated Privacy LLC can help organizations navigate these regulations effectively.

The Texas Data Privacy and Security Act, enacted on June 18, 2023, and effective from July 1, 2024, establishes comprehensive data protection requirements for businesses operating in Texas. This legislation aims to safeguard consumer privacy by imposing specific obligations on organizations that handle personal data.

Scope and Applicability

The TDPSA applies to entities that:

  • Conduct business in Texas or produce products or services consumed by Texas residents;
  • Process or engage in the sale of personal data;
  • Do not qualify as small businesses under the U.S. Small Business Administration’s (SBA) definition.

What is a Small Business?

A small business, according to the U.S. Small Business Administration (SBA), typically refers to an entity that has fewer than 500 employees, depending on the industry. These businesses are often exempt from certain regulatory requirements under federal law, including those in the TDPSA.

The TDPSA does not set explicit revenue or data processing thresholds, thereby encompassing a broad range of businesses. However, exemptions exist for certain entities, including state agencies, organizations subject to the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA), and those processing data in specific contexts, such as employment.

Consumer Rights

Under the TDPSA, Texas consumers are granted the following rights:

  • Access: Confirm whether their personal data is being processed and obtain access to it;
  • Correction: Rectify inaccuracies in their personal data;
  • Deletion: Request the deletion of their personal data;
  • Data Portability: Obtain a copy of their personal data in a digital format;
  • Opt-Out: Decline the processing of their personal data for purposes like targeted advertising, sale, or profiling.

Businesses are required to provide mechanisms, such as website forms or email addresses, for consumers to submit these requests. Responses must be provided within 45 days, with a possible extension of an additional 45 days for complex or excessive requests.

Obligations for Businesses

To comply with the TDPSA, businesses must ensure:

  • Data Minimization: Limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the intended purpose;
  • Data Security: Implement reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data;
  • Non-Discrimination: Process personal data in a non-discriminatory manner and refrain from discriminating against consumers who exercise their rights under the TDPSA;
  • Data Protection Assessments: Conduct assessments for certain data processing activities, such as targeted advertising, sale of personal data, and processing sensitive data;
  • Privacy Notices: Provide clear and accessible privacy notices detailing categories of personal data processed, purposes for processing, consumer rights, and data sharing practices;
  • Consent for Sensitive Data: Obtain consumer consent before processing sensitive personal data, including information revealing racial or ethnic origin, religious beliefs, health conditions, or precise geolocation;
  • Opt-Out Mechanisms: Offer consumers the ability to opt out of the sale of their personal data and targeted advertising; and
  • Data Processing Agreements: Establish contracts with data processors outlining processing instructions, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.

At Curated Privacy LLC, we can help by conducting a thorough audit of your current business procedures to ensure they align with TDPSA requirements. Our team will identify any gaps in compliance and guide you through implementing the necessary measures to safeguard your data practices and avoid potential penalties.

Enforcement and Penalties

The Texas Attorney General has the authority to enforce the provisions of the TDPSA. Businesses that fail to comply with the law may be subject to civil penalties of up to $7,500 per violation. In addition to fines, businesses may also face injunctive relief, requiring them to take corrective actions. The TDPSA does not allow individuals to take legal action directly; enforcement is carried out by the Attorney General, who has discretion over how violations are addressed.

Conclusion

The TDPSA signifies Texas’s commitment to enhancing consumer data protection. Businesses operating in Texas should thoroughly assess their data processing activities and implement necessary measures to ensure compliance with the Act’s provisions. At Curated Privacy LLC, we specialize in helping businesses navigate the complexities of data privacy laws like the TDPSA. We provide expert consulting services to ensure your organization remains compliant with the Act’s provisions, including data protection assessments, privacy notices, and consent management for sensitive data.

If you want more information on how to become compliant or need assistance with meeting these legal requirements, contact us at info@curatedprivacy.com. Our team is here to guide you through the process and ensure your data practices align with Texas regulations.

 
