Towards the close of an extremely active legislative session, the Texas governor signed the Texas Data Privacy and Security Act (TDPSA) (HB 4) into law, making Texas the tenth US state overall—and the fifth US state this year—to enact comprehensive privacy law.
The TDPSA is set to take full effect on 1 January 2025. We’ll explore how the law applies, its key definitions, and the new obligations for businesses operating in Texas.
The TDPSA applies to any company conducting business in Texas that processes personal data.
“Small businesses” are exempt from almost all provisions except the requirement to obtain consent before selling sensitive data.
The TDPSA takes its definition of “small business” from the United States Small Business Administration (SBA): “An independent business having fewer than 500 employees.”
Exemptions apply, including to:
- State agencies.
- Financial institutions regulated by the Gramm-Leach-Bliley Act.
- Covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA).
- Higher education institutions.
The TDPSA also exempts the processing of personal data in the context of various health-related regulations, employment, vehicle licensing, and household activity.
Some key definitions in the TDPSA include:
- Personal data: Any information, “including pseudonymous data and sensitive data”, that is “linked or reasonably linkable to an identified or identifiable individual”, excluding “deidentified data or publicly available information”.
- Processing: Any operation performed on personal data, including its “collection, use, storage, disclosure, analysis, deletion, or modification”.
- Controller: An individual or other person that “determines the purpose and means of processing personal data”.
- Processor: A person or organization that processes personal data on behalf of a controller.
- Consent: A “clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer”, excluding:
  - The acceptance of broad terms and conditions.
  - Hovering over or muting content.
  - Consent obtained via “dark patterns” (manipulative design).
The TDPSA also defines “sensitive data”, which includes:
- Personal data revealing:
  - Racial or ethnic origin.
  - Religious beliefs.
  - Mental or physical health diagnosis.
  - “Sexuality” (amended from “sexual orientation” in the original bill).
  - Citizenship or immigration status.
- Biometric or genetic data processed for the purpose of uniquely identifying an individual.
- Personal data collected from a known child.
- Precise geolocation data.
Selling personal data: Targeted advertising
Like several US state laws, the TDPSA regulates the “sale” of personal data, which means “the exchange of personal data for monetary or other valuable consideration by the controller to a third party”.
A “sale” does not include the disclosure of personal data:
- To a processor that processes personal data on behalf of the controller.
- To a third party for the purposes of providing a product or service requested by the consumer.
- To an affiliate of the controller.
- Where the consumer:
  - Intentionally made the personal data public via a mass media channel, and
  - Did not restrict the disclosure to a restricted audience.
- As part of an acquisition, merger, or bankruptcy.
The TDPSA also regulates “targeted advertising”, defined as displaying an advertisement to a consumer when the following conditions are met:
- The advertisement is selected based on personal data.
- The personal data is obtained from the consumer’s activities over time and across nonaffiliated websites or apps.
- The personal data is used to predict the consumer’s preferences or interests.
The definition excludes “first-party” ads based on personal data collected via the controller’s own properties, contextual ads, certain engagement-measurement activities, or ads directed to the consumer based on the consumer’s response to a request for feedback.
The TDPSA provides consumers with several rights over their personal data, including the right to:
- Confirm whether a controller is processing the consumer’s personal data and access such personal data.
- Correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of processing the data.
- Delete personal data provided by or obtained about the consumer.
- Obtain a copy of personal data that the consumer provided to the controller in a portable, machine-readable format (if the personal data is available in digital form).
- Opt out of:
  - The sale of their personal data.
  - Targeted advertising.
  - Profiling “in furtherance of decisions that produce legal or similarly significant effects”.
Consumers may opt out of the sale of personal information and targeted advertising via a browser or device setting (or an “opt-out preference signal”), but the rules in Texas are less strict than under comparable state laws, such as those in California and Colorado.
Among other exceptions, the controller does not need to honor a request made via an opt-out preference signal if it is “identical” to those received for the purposes of compliance with other state laws, or if the controller does not “possess the ability to process the request”.
This provision takes effect on 1 January 2025.
Responding to a request
Controllers must respond to a request by a consumer to exercise these rights “without undue delay” and within 45 days, with a 45-day extension available when reasonably necessary.
Consumers can make a request once every 12 months, and controllers must not charge a fee—unless the request is manifestly unfounded, technically infeasible, excessive, or repetitive, in which case the controller can charge a fee to cover the administrative costs.
Controllers must make “commercially reasonable efforts” to verify a consumer’s identity.
If a consumer is not satisfied with the response from a controller, they can appeal within a reasonable time. The controller must respond to the appeal within 60 days, stating a reason for the decision. If the consumer is still not satisfied, they have the right to file a complaint with the Attorney General.
Obligations on Controllers
The TDPSA sets out several positive obligations on controllers, including to:
- Limit the collection of personal data to what is “adequate, relevant and reasonably necessary in relation to a specified purpose”.
- Establish, implement, and maintain administrative, technical, and physical measures to ensure the confidentiality, integrity, and availability of personal data.
There are also some negative obligations on controllers, including to:
- Not process personal data for reasons that are not reasonably necessary to or compatible with a specific purpose without consent.
- Not process personal data in violation of anti-discrimination laws.
- Not discriminate against consumers for exercising their consumer rights.
- Not process sensitive data without consent.
- Only process children’s personal data in compliance with the Children’s Online Privacy Protection Act (COPPA).
Controllers must maintain a “reasonably accessible, clear, and meaningful privacy notice” that discloses:
- The categories of personal data processed by the controller.
- The categories of any sensitive data processed by the controller.
- The purposes for processing personal data.
- An explanation of the TDPSA’s consumer rights and appeal process.
- The categories of personal data the controller shares with third parties, if any.
- The categories of third parties with whom the controller shares personal data, if any.
- How consumers may exercise their consumer rights.
The TDPSA also requires certain controllers to display disclaimers alongside their privacy notices.
- If a controller sells sensitive data, the notice must read: “NOTICE: We may sell your sensitive personal data.”
- If a controller sells biometric information, the notice must read: “NOTICE: We may sell your biometric personal data.”
If a controller sells personal data to third parties or processes personal data for targeted advertising, it must “clearly and conspicuously disclose that process and the manner in which a consumer may exercise the right to opt out of that process.”
Obligation on small businesses
As noted, small businesses are exempt from almost all of the TDPSA, except one provision: they may not sell sensitive data “without receiving prior consent from the consumer.”
A small business is liable for enforcement under the same terms as a larger business if it violates this rule.
Obligations on Processors
Processors must also help controllers facilitate consumer rights requests and must notify controllers of security breaches.
A controller may only engage a processor subject to a written agreement that contains:
- Clear instructions for the data processing.
- The nature and purpose of the processing.
- The types of data.
- The duration of the processing.
- The rights and obligations of the controller and processor.
- A section that requires the processor to:
  - Bind anyone processing personal data to a duty of confidentiality.
  - Delete or return all personal data to the controller as requested at the end of the contract, if allowed by law.
  - Provide the controller with any necessary information to demonstrate the processor’s TDPSA compliance.
  - Allow reasonable assessments (audits) by the controller, or arrange an independent audit and provide a report on request.
  - Only engage subcontractors under a written contract with the same terms as above.
Data Protection Assessments
Controllers must conduct a data protection assessment (DPA) before engaging in certain activities, including:
- Targeted advertising.
- Selling personal data.
- Certain profiling activities that could result in risk, injury, or intrusion.
- Processing sensitive data.
- Any other processing that presents “a heightened risk of harm to consumers”.
A DPA must identify and weigh:
- The benefits that may flow from the processing to the controller, the consumer, other stakeholders, and the public.
- The potential risks to the rights of the consumer, taking safeguards into account.
The DPA should include consideration of:
- Consumers’ reasonable expectations.
- The context of the processing.
- The relationship between the controller and the consumers.
- The use of safeguards such as deidentification.
The Attorney General can demand access to a copy of a DPA.
Texas hands enforcement of the TDPSA exclusively to the state’s Attorney General, who must provide controllers or processors suspected of violating the law with a 30-day notice period. If the controller can “cure” the violation within this period, it will not face enforcement action.
The Attorney General can pursue a civil penalty of up to $7,500 per violation, plus costs. The law does not provide a private right of action.