Texas Data Privacy and Security Act — What You Should Know

Introducing the Texas Data Privacy and Security Act

The Texas Data Privacy and Security Act (TDPSA) was passed by the Texas legislature on May 28, 2023. The Act was passed by The TDPSA updates House Bill 4 (HB 4), which also covers aspects of digital consumer protection, including electronic information systems and use of biometric identifiers, voiceprints and the internet.

Texas is the sixth state to pass new privacy law this year, with others proposing similar legislation. If signed into law by the state Governor, the Act will come into force from July 1, 2024.

The TDPSA is similar to the Virginia legislation that came into effect from January 1, 2023, although there are some differences.

What You Should Know About the TDPSA

The main elements addressed by the TDPSA include:

• Definitions — The TDPSA includes pseudonymous data, but only where this is used by controllers or processors in conjunction with other information that links the data to an identifiable individual.
• Scope — The TDPSA applies to persons conducting business, providing services or producing goods for the consumption of Texas residents, as well as businesses that engage in or process the sale of personal data. Small business are exempt beyond obtaining consumer consent prior to sale of sensitive data.
• Consumer rights — As with similar legislation, consumers are granted rights to their data, including the rights to access, correct, delete and transfer their data. They also have the right to opt-out of processing, sale or profiling using their data.
• Biometric data — The sale of sensitive of biometric data must be disclosed by data controllers in a privacy policy.
• Business responsibilities — As well as providing consumers’ rights as defined by the act, controllers and processers have specific obligations under the new bill. Processors must support controllers in satisfying their data privacy responsibilities. Controllers must complete data protection assessments to include their processors for specific data handling activities such as targeted advertising, sale of personal data, and any activities that may present a higher risk of harm to consumers.

The Texas Attorney General is authorized to investigate potential breaches and violations of data handling and is the enforcement authority for the new legislation. While the new law doesn’t allow private right of action, the Attorney General can apply penalties of up to $7,500 per violation.

How to Prepare for the TDPSA

For organizations looking to prepare for the new act, understanding their data is the best place to start. Businesses that are subject to other state legislation such as the California Consumer Privacy Act (CCPA) may have an advantage, but they will need to review the new legislation and update their processes to comply where there are gaps.

Among the most important steps for businesses to take is a periodic inventory of all personal information across the organization, specifically identifying information that relates to Texas residents.

Ground Labs’ Enterprise Recon simplifies this process by automating the discovery process and focusing on specific targets based on over 300 pre-packaged data types from over 50 countries including the US.

To find out how Enterprise Recon can streamline your TDPSA compliance efforts, request your complimentary data security risk assessment today.