Search:
Recent Posts
Popular Topics
Contributors
Archives
Legal developments in data, privacy, cybersecurity, and other emerging technology issues
On June 18, 2023, Texas Governor Greg Abbott signed the Texas Data Privacy and Security Act (TDPSA) into law, making Texas the next state to enact a comprehensive state-wide data privacy statute. The TDPSA will take effect on July 1, 2024, and applies to businesses that produce a product or service that is “consumed” by Texas residents, and process or engage in the sale of personal data.
The TDPSA is similar to other state privacy laws, such as the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA). However, there are a few differences between the TDPSA and these other laws.
- Private right of action: Unlike the CCPA, the TDPSA does not have a private right of action, meaning that consumers cannot sue businesses for violating the law. Under the TDPSA, the Texas Attorney General has the exclusive right to enforce the law.
- Applicability: The TDPSA does not include a revenue requirement or a number of consumers whose personal information is processed. Rather, the TDPSA exempts “small businesses” as defined by the Small Business Administration, which typically includes businesses with fewer than 500 employees.
Similar to other state comprehensive privacy laws, the TDPSA requires businesses to implement reasonable security measures to protect the security of personal data from unauthorized access, use, disclosure, alteration, or destruction. Businesses must also provide Texas residents with several rights with respect to their personal data, including the right to opt out of the processing for purposes of (a) targeted advertising, (b) the sale of personal data; or (c) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. The law also requires businesses to implement opt-out preference signals by January 1, 2025.
With respect to sensitive data, businesses are required to obtain consent before processing a consumer’s data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexuality, or citizenship or immigration status; genetic or biometric data processed to identify individuals; personal data collected from a known child; and precise geolocation data. The law also requires businesses to conduct data protection assessments of processing activities that involve targeted advertising, the sale of personal data, profiling, or other activities that otherwise present a heightened risk of harm to consumers.