Background Brief: Texas Data Privacy and Security Act | TrustArc

This page contains a cleaned, text-based version of publicly available content from TrustArc.com. It is provided to support knowledge retrieval and AI system understanding while preserving canonical attribution to the original source page on TrustArc.com.

Source URL: https://trustarc.com/resource/texas-data-privacy-and-security-act/

Content Type: resource


Texas has followed California’s lead and adopted the Texas Data Privacy and Security Act (TDPSA), a set of consumer privacy rules similar to the California Consumer Privacy Act (CCPA) that give consumers greater protection for their personal data and more control over how organizations may collect and process that data. TDPSA was signed into law on June 18, 2023, and most of its provisions are effective from July 1, 2024.

Texas Data Privacy and Security Act: Key dates

- Responding to growing demand among Texans for stronger consumer privacy protections like those in California, two Texas Representatives file privacy bills in the House on the same day: Rep. Giovanni Capriglione files a bill (also known as the ‘Texas Privacy Protection Act’) and Rep. Trey Martinez Fischer files a bill (also known as the ‘Texas Consumer Privacy Act’).
- Both bills are heard during a public meeting of the Texas House Committee on Business and Industry. During his presentation, Rep. Capriglione says, “What my bill aims to do is to provide a little bit more regulation, a little bit more oversight, into the information that is being collected on us, about us, every single day without our knowledge – a lot of times without our permission.” As Rep. Martinez Fischer’s presentation is second, he notes, “I fully appreciate and recognize that there might be higher-ups in the federal government that could grade our papers on this, and come up with a solution that can be applied to the entire nation. But unless and until that happens, I think we can’t just sit on our hands and watch time go by.” Reps. Martinez Fischer and Capriglione then collaborate on revising HB 4390 to get it ready for a vote in the House.
- Texas House Bill 4390 goes to a vote in the House and passes with a unanimous 140-0 vote in favor.
- Rep. Martinez Fischer explains to the San Antonio Report why he backed HB 4390: “Data privacy is becoming a big issue. More importantly, as we continue to see pretty much nothing happening in the United States Congress, it’s incumbent upon the states to act.” A statement from Rep. Capriglione published in the same article says: “Today, data privacy initiatives require unique and robust solutions to defend people’s right to privacy. A Texas solution would not burden businesses, but would put Texans first.”
- Texas Governor Greg Abbott signs the Texas Data Privacy and Security Act into law.
- The Texas Data Privacy and Security Act becomes effective.
- The additional provision in TDPSA for universal opt-out signals (e.g. Global Privacy Control) becomes effective.

Texans’ personal data privacy rights under TDPSA

Consumers are defined in the Texas Data Privacy and Security Act as residents of Texas acting in an individual or household context. This definition excludes individuals acting in a business or employment capacity.

Personal data is defined as any information “linked or reasonably linkable to an identified or identifiable individual”. This definition of personal information covers pseudonymous data when “the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. The term does not include de-identified data or publicly available information.”

The main personal data privacy rights gained by Texans include:

- Right to know/confirm whether a data controller is processing their personal data.
- Right to access their own data held and processed by a controller.
- Right to data portability, allowing a consumer to obtain a copy of the personal data they have previously given the provider.
- Right to correct inaccuracies in records of personal data held by a controller.
- Right to delete records of personal data held by a controller, whether that data was provided by the consumer or obtained about them through other means (such as data sharing arrangements).
- Right to opt out of processing of personal data, including opting out of having their personal data processed for sale, profiling and/or targeted advertising.
- Right not to be discriminated against for exercising privacy rights (the Act also covers consumers’ rights not to have personal data processed in violation of state and federal laws that prohibit unlawful discrimination against consumers).
- Right to have sensitive data collected only with prior consent – this provision restricts controllers from collecting or processing any personal data defined as ‘sensitive’.

Sensitive data is defined as information about a person’s:

- Mental or physical health diagnosis
- Citizenship or immigration status
- Genetic or biometric data that could be used to identify a person
- Precise geolocation (i.e. data identifying where a person is located within a radius of 1,750 feet)

Consumers can exercise their personal data rights under the Texas Data Privacy and Security Act by lodging requests with data controllers, noting which consumer right/s they want to exercise. Parents and legal guardians of children (defined as children under age 13) can exercise a child’s rights on their behalf.

Universal opt-out signals / Global Privacy Control under TDPSA

From January 1, 2025, some provisions for consumers to assign (or submit) universal opt-out signals via authorized third parties (for example, via Global Privacy Control) will become effective. Controllers must comply with opt-out requests from authorized agents if they can verify “with commercially reasonable effort” a consumer’s identity and the authorized agent’s authority to act on the consumer’s behalf.

The rules for opt-out signals state:

“A consumer may designate another person to serve as the consumer’s authorized agent and act on the consumer’s behalf to opt out of the processing of the consumer’s personal data.”

“A consumer may designate an authorized agent using a technology, including a link to an Internet website, an Internet browser setting or extension, or a global setting on an electronic device, that allows the consumer to indicate the consumer’s intent to opt out of the processing.”

Related resources:

- GPC and Known User Consent: Understand GPC and the regulations that require universal opt-out mechanism compliance.
- Nymity Privacy Management Accountability Framework: An operational structure to comply with the world’s privacy requirements.

Which businesses are subject to Texas privacy law?

The Texas Data Privacy and Security Act has a very broad definition of the business organizations and individuals that must comply with its rules – and unlike similar privacy laws in other states, it does not have thresholds based on revenue or other numbers (such as the size of the customer base). The text in Section 541.002 of the TDPSA states the Act “applies only to a person” that:

- Conducts business in Texas; or
- Produces a product or service consumed by residents of Texas; or
- Processes or engages in the sale of personal data (note: this part of the definition means that individuals and small businesses are not excluded by the next qualifier, which is restated anyway); or
- Is not defined as a small business by the United States Small Business Administration (the SBA defines a small business as “an independent business having fewer than 500 employees”) – “except to the extent that Section 541.107 applies to a person described by this subdivision”.

Sec. 541.107 states that a person covered by the definitions listed above “may not engage in the sale of personal data that is sensitive data without receiving prior consent from the consumer”.

Which organizations are not subject to TDPSA?

The Act includes exemptions for several types of organizations under Sec. 541.002(3)(b), which states its rules do not apply to any:

- Texas state agency; or
- Political subdivision of Texas; or
- Financial institution or data subject to Title V of the Gramm-Leach-Bliley Act (15 U.S.C. Section 6801 et seq.), which already “requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data”; or
- Covered entity or business associate already governed by the Health Insurance Portability and Accountability Act (HIPAA) and other applicable federal and state healthcare and medical laws; or
- Nonprofit organization; or
- Higher education institution; or
- Electricity industry organization such as an electric utility, power generation company or retail electric provider.

Texas Data Privacy and Security Law compliance obligations

The key compliance obligations for controllers subject to TDPSA aim to give Texans more control over how much personal information is collected and what that data is used for. Controllers are required to:

- Limit collection of personal information to what is adequate, relevant and necessary for the stated purposes of processing (i.e. to deliver a product or service).
- Inform consumers – with a clear, easy-to-understand privacy notice – of their privacy rights, including rights to opt out, the categories of personal information that may be collected, and the purposes of collecting and processing that data. Controllers must also notify consumers with separate notices and gain consent if the controller intends to collect and sell sensitive data or biometric data, or sell personal data for targeted advertising.
- Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers.
- Not discriminate against a consumer for exercising their privacy rights.
- Gain a consumer’s informed and unambiguous consent (or, in the case of a child under 13, consent from their parent/guardian) before collecting any sensitive data (see the notes above outlining Texans’ personal data privacy rights).
- Protect the security of personal data by implementing and maintaining “reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue”.
- Conduct data protection assessments to reduce risks associated with any of the following: processing data for targeted advertising or profiling, selling personal data, and processing sensitive data.
- Maintain contracts with any third-party processors that ensure they are also compliant with TDPSA requirements for processing data.
- Respond to consumer personal data requests within 45 days (in some cases a 45-day extension is allowed).
- Report any data breach within two months.

Penalties for non-compliance with Texas Data Privacy and Security Law

The Texas Attorney General is the only office in Texas with authority to enforce TDPSA compliance. Individuals cannot initiate a private right of action, but they can notify the Attorney General of alleged violations. The Attorney General must give a person (i.e. controller or processor) alleged to violate TDPSA:

- At least 30 days’ written notice that it intends to take enforcement action – the notice will explain the specific provision/s of the Act that have been or are being violated; and
- An opportunity to cure the alleged violation/s within 30 days.

Cures of alleged violations must be completed within the 30 days, and the person must deliver a written statement to the AG detailing:

- Action taken to cure the violation/s;
- Changes made to internal policies (if necessary) to prevent further violations;
- Notices given to consumer/s whose privacy was violated about the actions taken to address the privacy violation/s (if the consumer’s contact information has been made available to the person alleged to violate the Act).

An individual or organization failing to cure any violation/s can be fined up to $7,500 per violation.

TrustArc solutions for compliance with Texas Data Privacy Laws

TrustArc helps businesses manage compliance with all relevant privacy regulations, including the Texas Data Privacy and Security Act.

Consent & Preference Manager: Honor customer preferences at every touchpoint. Stay up to date on hundreds of global privacy laws, regulations, and standards.