Texas Data Privacy and Security Act (TDPSA)

Overview

The Texas Data Privacy and Security Act (TDPSA), signed into law on June 18, 2023, establishes regulations regarding the collection, use, processing, and protection of personal data by businesses operating in Texas. It aims to enhance transparency and accountability in the handling of consumer data, introducing rights for individuals and responsibilities for data controllers and processors. The TDPSA provides for civil penalties for violations and grants enforcement authority to the Texas Attorney General. It is comparable to the Virginia Consumer Data Protection Act but less stringent than California and Colorado privacy laws.

Regulation Summary

  • June 18, 2023: TDPSA signed into law by Governor Greg Abbott.
  • July 1, 2024: TDPSA becomes effective.
  • January 1, 2025: Requirements for unified opt-out mechanisms and GPC signals take effect.

Unlike other state laws, the TDPSA does not use specific revenue (e.g., $25 million) or record count (e.g., 100,000) thresholds. Instead, it applies to any person or entity that:

  • Conducts business in Texas or produces products/services consumed by Texas residents;
  • Processes or sells personal data; and
  • Is NOT a "Small Business" as defined by the U.S. Small Business Administration (SBA).

The "Small Business" Exception: Even if an entity qualifies as a "Small Business" under SBA standards, it is not entirely exempt. Under Section 541.107, small businesses are strictly prohibited from selling sensitive personal data without receiving prior explicit consent from the consumer.

  • State agencies, nonprofits, and institutions of higher education.
  • Entities governed by HIPAA, GLBA, or FERPA.
  • Personal data processed for employment purposes or publicly available data.

  • Transparency: Provide clear and accessible privacy notices detailing data collection and sharing practices.
  • Consumer Rights: Allow consumers to:
    • Access and delete their personal data.
    • Opt out of targeted advertising, data sales, and profiling.
  • Data Security: Implement administrative, technical, and physical safeguards appropriate to the volume and sensitivity of the data.

  • Display privacy notices and explicit opt-out mechanisms for data sales and targeted advertising.
  • Respond to verified consumer requests within 45 days, extendable by another 45 days if necessary.
  • Honor opt-out preference signals starting January 1, 2025.

  • Data Protection Assessments: Conduct assessments for high-risk activities, including:
    • Targeted advertising.
    • Sale of personal data.
    • Profiling with significant consumer impact.
  • Sensitive Data: Obtain explicit consent before processing sensitive data.

  • Access: Request confirmation of data processing and obtain copies of personal data.
  • Correction: Rectify inaccuracies in personal data.
  • Deletion: Request deletion of personal data.
  • Portability: Receive data in a portable format.
  • Opt-Out: Refuse targeted advertising, profiling, and data sales.

  • Enforced by the Texas Attorney General.
  • Cure Period: 30 days to address violations.
  • Penalties: Civil penalties of up to $7,500 per violation.
  • No private right of action.