Texas Data Privacy and Security Act (TDPSA): An Overview

Texas was the eleventh state in the US to pass a consumer privacy bill, HB 4, with an effective date of July 1, 2024. As of June 18, 2023, when the law was signed, organizations have just over a year to prepare for TDPSA compliance.

Data privacy has clearly been on US state lawmakers’ minds in the first half of 2023, with six laws passed between March and June: Iowa, Indiana, Tennessee, Montana, Florida, and Texas.

The law passed in Texas used Virginia’s Consumer Data Privacy Act (VCDPA) as a foundation for the bill. The US does not have a federal data privacy law.

The Texas Data Privacy and Security Act protects the privacy and personal data rights of the state’s 31 million-plus residents, and establishes data privacy responsibilities for companies doing business in the state or providing goods or services consumed by Texas residents.

The language using “consumed” is unusual among US data privacy laws, as the others usually refer to goods or services “targeting” residents of the state in question. There is some thought that this is designed to catch out of state businesses doing business in Texas and ensure they comply with the TDPSA or exclude Texans from their customer base if they are not otherwise required to comply with other state-level or similar privacy laws.

In the course of doing business these organizations process consumers’ personal information. Texas defines a consumer as a resident of the state acting in an individual or household context, but not acting in a commercial or employment context.

The TDPSA uses an opt-out model, as do the laws in all the other states that have passed comprehensive data privacy regulations to date. This means that businesses that are required to become TDPSA-compliant must inform consumers about data collection and processing that they perform, i.e. what data, for what purposes, third parties with whom the data will be shared, etc. Businesses must give consumers a way to opt out of data collection and processing. They and any third parties they engage for data processing must also implement reasonable security and protections.

Personal data definition in the TDPSA

The TDPSA uses a fairly standard definition of personal data (also called personal information in some other laws): “any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.” The law excludes publicly available information or de-identified data.

The Act does not list specific examples of personal data, as some other state-level data privacy laws do, but common types include name, phone number, account/username, IP address, email address, Social Security number, driver’s license number, or passport number.

Consent definition in the TDPSA

The European Union’s General Data Protection Regulation (GDPR) has set the standard for defining consent and has been followed by many data privacy laws passed since it came into effect in 2018.

Under TDPSA, consent is defined as: “clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. The term includes a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.”

Interestingly, like Montana’s law, the TDPSA includes some specific exceptions to consent, which reflect common online or digital user experiences:

• acceptance of a general or broad term of use or similar document that contains descriptions of personal data processing along with other unrelated information
• hovering over, muting, pausing, or closing a given piece of content
• an agreement obtained using dark patterns

The Texas law, unlike several other recently passed ones, does not include a requirement for consumers to have a means to revoke their consent.

Sensitive data / sensitive personal information in the TDPSA

This is a more specific category of personal information, particularly that which could cause harm if misused. It includes personal data that reveals:

• racial or ethnic origin
• religious beliefs
• mental or physical health diagnosis
• sexuality
• citizenship or immigration status
• genetic or biometric data that is processed for the purpose of uniquely identifying an individual
• personal data collected from a known child (under 13 years of age)
• precise geolocation data (within 1,750 feet or 533.4 meters)

Controller in the TDPSA

Businesses that collect and process personal information will likely qualify as controllers, which the TDPSA defines as “an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data.”

Processor in the TDPSA

For businesses that share personal data for processing purposes, the business will be the controller and the third-party entity with which personal data is shared will be the processor, defined in the Texas privacy act as “a person that processes personal data on behalf of a controller.”

Sale in the TDPSA

This is defined as the “the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.” Several notable exclusions to the definition of sale of personal data include:

• disclosure of personal data to a processor that processes the personal data on the controller’s behalf
• disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer
• disclosure or transfer of personal data to an affiliate of the controller
• disclosure of personal data that the consumer intentionally made available to the public through a mass media channel and did not restrict to a specific audience
• disclosure or transfer of personal data to a third party as an asset that is part of a merger or acquisition

Targeted advertising in the TDPSA

Refers to “displaying to a consumer an advertisement that is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests.”

The goal is to use the personal data to predict the consumers’ interests and preferences to increase relevance and personalize the advertising experience.

Targeted advertising does not include:

• advertisements based on activities within a controller’s own internet websites or online
  applications
• advertisements based on the context of a consumer’s current search query or visit to an
• internet website or online application
• advertisements directed to a consumer in response to the consumer’s request for information or feedback
• processing personal data solely for measuring or reporting advertising performance, reach, or frequency

TDPSA compliance threshold criteria differ from other US privacy laws in that they are not based on common criteria like how much personal data of a specific number of state residents is controlled or processed, nor gross annual revenue, nor annual revenue derived from sale of personal data.

The TDPSA compliance thresholds are:

• conducting business in Texas or generating products or services consumed by Texas residents
• processing or engaging in the sale of personal data
• not identifying as a small business as defined by the U.S. Small Business Administration (independent for-profit entity with fewer than 500 employees)

The exemptions in the Texas data privacy act are fairly consistent with the other existing US data privacy laws and defer to a number of existing federal laws, including:

• Health Insurance Portability and Accountability Act (HIPAA)
• Health Care Quality Improvement Act
• Health Information Technology for Economic and Clinical Health Act
• Patient Safety and Quality Improvement Act
• Fair Credit Reporting Act (FCRA)
• Children’s Online Privacy Protection Act (COPPA)
• Family Educational Rights and Privacy Act (FERPA)
• Driver’s Privacy Protection Act
• Farm Credit Act (FCA)

Other exemptions include HR data, health records, research data for human subjects that are covered by other federal laws or standards, and data that is processed or maintained for employment-related purposes.

Exempted institutions include:

• state government agencies
• electric utilities
• financial institutions (also entities and affiliates subject to the Gramm-Leach-Bliley Act)
• insurance companies
• institutions of higher education
• nonprofit organizations

Consumers have a number of main personal information rights under the new data protection law, which include:

• Right to access: confirmation if the controller is processing the consumer’s personal information and access to that data, with some exceptions
• Right to correction: any inaccurate or outdated information the controller has that was provided by the consumer
• Right to delete: any personal data the controller has about or from the consumer (with some exceptions)
• Right to portability: obtain a copy of the consumer’s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions
• Right not to be discriminated against: controllers cannot unlawfully discriminate against consumers, including for exercising their rights
• Right to opt out: of sale of personal data, targeted advertising, or profiling “in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer”

Parents or legal guardians of known children can invoke a child’s rights regarding processing of personal information. Like all other US state-level data privacy laws with the exception of California, private right of action is not included, which is the consumers’ ability to sue the controller that was processing personal data in the event of a violation of the law.

Controllers must notify consumers of their rights and ways that consumers can exercise those rights by submitting a verifiable request to the company. The controller must include clear information on how to exercise consumer rights in their privacy notice or policy page on their website.

After a consumer request is received, the controller has 45 days to respond. There are some limited reasons that they can decline, including if the consumer’s identity cannot be reasonably verified or if the consumer submits an excessive number of requests in a 12-month period.

If there are extenuating circumstances preventing fulfilling a consumer request, once the consumer has been notified, that response period can be extended by 45 days if reasonably necessary.

If a controller denies a request, the consumer can appeal such a decision, and the controller has to provide information on how to do so. The controller has 60 days to respond to appeals.

Purpose limitation in the TDPSA

Controllers can process personal data for the purpose(s) that they have communicated, as long as the processing is “adequate, relevant, and reasonably necessary” and proportional to those purposes.

Data security in the TDPSA

Controllers must protect personal data by establishing, implementing and maintaining reasonable administrative, technical, and physical security measures. These measures should be appropriate to the nature and volume of personal information being processed.

Data protection assessments (DPA) in the TDPSA

Controllers must conduct and document data protection assessments when they process information:

• for the purposes of targeted advertising
• to sell the personal data
• categorized as sensitive personal data
• for the purposes of profiling if there is a reasonably foreseeable or heightened risk of harm to consumers

The Attorney General can request a DPA from a controller for the purposes of investigating an alleged violation.

Consent requirements in the TDPSA

Like other US states that have passed privacy laws, Texas uses an opt-out model, so user consent is not required before collecting and processing personal data in many cases. The exception is that consent must be obtained before collecting or processing sensitive personal data. Consumers must be given clear notice about processing and be able to opt out of sale, targeted advertising, or profiling.

Where children are concerned, the TDPSA follows the federal Children’s Online Privacy Protection Act (COPPA). Consent from any known child’s parent or guardian must be obtained before processing of any personal data of any user known to be under 13 years of age. This would include all children’s personal data, as under the Texas data privacy regulation, data of children under 13 is classified as sensitive by default.

Nondiscrimination under the TDPSA

Controllers are prohibited from unlawful discrimination against consumers, and from processing personal data if doing so is in violation of state or federal laws governing discrimination. Controllers cannot discriminate against consumers for exercising their rights. For example, a consumer cannot be blocked from accessing a website if they opt out of allowing collection or processing of their personal data.

However, there are often website features or functions that will not work without certain cookies or trackers in use, so if a consumer does not opt in to their use because they collect personal information, the site may not work optimally. This is not discriminatory.

Controllers can offer voluntary incentives like discounts for consumers’ voluntary participation in activities like a loyalty program or signing up for a newsletter, where these operations collect and process personal data. Such offers have to be reasonable and proportionate, however, as data protection authorities frown on disproportionate incentives that look like bribes or payments for consent.

Transparency under the TDPSA

Controllers must provide consumers with clear and accessible information about data processing. Commonly this appears on the company’s website in a privacy notice or policy. Under the TDPSA, this information must include:

• categories of personal data processed by the controller (including sensitive data if applicable)
• purpose(s) for processing personal data
• how consumers may contact the controller, exercise their rights and/or appeal a controller’s decision (e.g. if a request for access is denied)
• categories of personal data that the controller shares with third parties, if any
• categories of third parties with whom the controller shares personal data, if any
• notice about the right to opt out of the sale of personal data to third parties or processing personal data for targeted advertising or profiling and how to exercise that right

If a controller sells sensitive personal data, they are required to publish the following notice, typically along with the privacy notice or policy: “NOTICE: We may sell your sensitive personal data.”

If a controller sells biometric personal data, they are required to publish the following notice, typically along with the privacy notice or policy: “NOTICE: We may sell your biometric personal data.”

Florida’s Digital Bill of Rights also requires such notices to be posted.

Third party contracts under the TDPSA

Controllers must have contracts in place with third-party processors (vendors and service providers) with clear information about:

• duty of confidentiality
• instructions for processing data
• nature and purpose of processing
• type of data subject to processing
• duration of processing
• rights and obligations of both parties
• requirements for deletion or return of data after processing completion

Universal opt-out signal under the TDPSA

The Texas Data Privacy and Security Act is one of an increasing number of US state-level laws that reference the Global Privacy Control (GPC) “universal opt-out” or similar mechanism. This is a form of the consumer’s right to have an “authorized agent” act on their behalf to exercise their rights. By January 1, 2025 controllers must recognize a universal opt-out signal from consumers.

The GPC is intended to standardize user consent online. Using it enables consumers to create a single set of their own personal data privacy consent preferences via browser settings or browser extension or plugin. These settings can then be communicated to all websites, online platforms, services, or apps that consumers visit, so users don’t have to set new preferences on every site. Use of this mechanism also helps ensure compliance with consumer privacy laws relevant to each user.

In Texas, the Attorney General is the enforcement authority for the TDPSA. As noted, the law does not provide consumers with private right of action, but they can report alleged violations or complaints about denial of requests to the Attorney General’s office. The Attorney General must provide parties with alleged violations against them with written notice that lists the violations.

There is a 30-day cure period, after a violating organization has been notified, when the entity can fix (or cure) the issues and take steps to prevent recurrence. Cure periods in other state-level data privacy laws range from 30 to 90 days. Unlike some other laws, the right to cure under the TDPSA does not have a sunset date, so will remain a permanent part of the law, unlike under Montana’s new privacy law, where there will only be a right to cure for the first 18 months that the law is in effect.

Organizations found to have violated the TDPSA also have to notify the Attorney General that they have made repair actions and provide a statement that no further violations will occur, as well as provide evidence of cure actions, which is unique to the Texas law.

If the controller or any of their data processors are still in violation after the cure period, or violates a written statement by the Attorney General, the AG can initiate punitive actions. Fines can be up to US $7,500 per violation as well as including recovery of reasonable related expenses.

The Texas consumer privacy law reflects the opt out model, as do all other current US state-level data privacy laws, except where sensitive personal data (including that of children) is concerned. Under this model, controllers generally do not have to obtain data subject consent prior to collecting or processing personal data.

Consumers do have to be provided with the ability to opt out of collection and processing of their personal data for sale, targeted advertising, or profiling at any point. Information about that must be provided on the website, typically under the privacy notice/policy page.

The mechanism to enable users to opt out of data processing can be presented in a banner and displayed, most commonly as a link or button. A consent management platform (CMP) like the Usercentrics CMP also helps to automate detection of the cookies and other tracking technologies in use on websites and apps.

Use of a CMP streamlines collecting and providing the information to users about categories of data and specific services in use by the controller and/or processor(s), and third parties with whom data is shared. The Texas privacy law, and most data privacy regulations around the world, require this notification.

Because the United States does not have a single federal data privacy law, companies doing business across the country and/or with other countries may need to comply with multiple consumer privacy laws to protect data. (Learn more: Comparing US state-level data privacy laws) A CMP can make this easier by enabling banner customization and geotargeting. Data processing, consent information and choices for specific regulations can be presented based on specific user location. Geotargeting can also improve clarity and user experience by presenting this information in the user’s preferred language.

This will enable companies to achieve data privacy TDPSA compliance, as well as with other current and upcoming regulations across the United States. For companies doing business internationally, using a consent management platform also enables compliance with regulations like the GDPR, which has more strict consent management requirements than the laws in the US.

Organizations doing business in Texas have until mid-2024 to prepare for compliance with the TDPSA. If they have already achieved compliance with other state-level data privacy laws in the US, like Virginia’s, a good portion of the work is already done. As always, a privacy by design approach will benefit all operations in an organization, whether specifically for regulatory compliance or not.

Achieving TDPSA compliance will mainly be a matter of confirming the Texas law’s specific requirements, including the unique compliance thresholds, and having a solution in place to provide users with the necessary notifications and opt-out options. The Usercentrics Consent Management Platform can help track and manage cookies on websites and in apps.

Updates to the TDPSA are likely over time, as these US regulations are all in their first version, and both technology and consumer expectations are rapidly changing. The TDPSA does not include private right of action, so consumer class-actions lawsuits will not be a potential influence on future amendments to the Texas privacy law as they may be in California.

Consulting qualified legal counsel and/or your organization’s data privacy expert, like a Data Protection Officer, is recommended to ensure responsibilities are met.

Beyond just meeting requirements, being proactive about protecting user privacy is a valuable business effort. It builds user trust and engagement, provides better user experiences, and strengthens customer relationships long-term, which leads to more high-quality data for marketing operations and contributes to increased revenue.

If you have questions or interest in implementing a consent management platform to help achieve compliance with privacy laws in the United States and around the world, talk to one of our experts.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.