The Texas Data Privacy and Security Act grants Texas residents several key rights over their personal data. The Act establishes data collection, processing, and disclosure requirements that apply to consumer-facing companies conducting business with Texas residents.
Timeline for implementation
The Texas Data Privacy and Security Act became effective on 1 July 2024 after being enacted on 18 June 2023. Importantly, the provisions that allow consumers to direct a third party to opt out of the processing of personal data on their behalf do not enter into effect until 1 January 2025.
Who does the TDPSA apply to?
The Act applies to companies that do business in Texas or produce products or services consumed by Texas residents. The provisions of the TDPSA also apply to companies that collect, use, store, sell, share, analyse or process Texas consumers’ personal data. Small businesses are generally exempt from the Act, except if a small business sells the sensitive data of a consumer. So, the Act has an extra-territorial scope that companies must be aware of.
The Act defines personal data as any information, including sensitive data, linked or reasonably linkable to an identified or identifiable individual. The TDPSA defines sensitive data as precise geolocation data and the personal data of a child under age 13.
Rights created by the TDPSA
Consumer rights under the Act include:
- The right to know whether a company is processing the consumer’s personal data.
- The right to obtain personal data in a readable format.
- The right to correct inaccuracies in the consumer’s personal data, taking into account the nature of the data and the purposes for processing the data.
- The right of deletion of personal data provided by or obtained about the consumer.
- The right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling.
- The right to not face retaliation or discrimination for exercising these rights.
Prohibitions created by the TDPSA
The Act prohibits companies from doing the following:
- Requiring a consumer to create a new account in order to submit requests to exercise their rights.
- Discriminating against a consumer for exercising rights under the Act.
- Processing sensitive data without first obtaining a consumer’s consent.
- Processing the data of a known child without first obtaining parental consent.
- Processing data in violation of state and federal laws which prohibit unlawful discrimination.
- Processing personal data for a purpose that is neither reasonably necessary to, nor compatible with, the purpose for which the personal data is processed without obtaining the consumer’s consent first.
Enforcement of the TDPSA
The Texas Attorney General has exclusive authority to implement and enforce the Act. The Attorney General may issue civil investigative demands, and file enforcement actions to obtain civil penalties, injunctive relief, attorney’s fees and costs against non-compliant companies.
The Attorney General must provide written notification to a company before filing an enforcement action. Companies have 30 days following the notice to rectify the violations. Companies must provide written documentation of the changes implemented to rectify the violations, including whether changes to internal policies were necessary to ensure that no future violations occur.
A company that violates the Act and does not rectify the violation after receipt of written notice by the Attorney General is liable for a civil penalty of up to $7500 per violation.
The Act does not provide a right of action.
Finding out more
You can read the full text of the Texas Data Privacy and Security Act here.