The Texas Data Privacy and Security Act
(TDPSA) went into effect on June 16, 2023, making Texas the 11th state to enact a comprehensive consumer data privacy law. The TDPSA is designed to regulate how businesses handle the personal information of Texas consumers. Scheduled to go into effect on July 1, 2024, the law places Texas among the leading states in the nation to enact comprehensive data privacy legislation.
Which businesses need to comply with the TDPSA?
The TDPSA applies to companies that conduct business in Texas or produce products or services that are consumed by Texas residents. It specifically targets those that process or engage in the sale of personal data. Notably, the law takes a unique approach by not applying solely based on annual revenue or the volume of data processed, and instead excludes small businesses as defined by the U.S. Small Business Administration, unless they engage in the sale of sensitive personal information.
What Is the TDPSA about?
- Consumer Rights: The TDPSA grants consumers the right to access, correct, delete, and obtain copies of their personal data. In addition, consumers can opt out of the processing of their data for targeted advertising, the sale of personal data, or its use in profiling.
- Transparency, purpose limitation, data security: Controllers must follow transparency principles, limit data collection to necessary purposes, refrain from secondary use without explicit consent, and maintain appropriate data security measures. In addition, by January 1, 2025, controllers offering online services must support global opt-out functionality through standardized technical methods.
Impact on Businesses
- Compliance Challenge: Compliance with the TDPSA will be burdensome for companies, especially smaller ones that may not have extensive legal and IT departments.
- Opportunity to build trust: As consumers become more aware and concerned about their digital footprints, companies that embrace the spirit of the TDPSA can differentiate themselves from competitors that still rely on a laissez-faire approach to consumer data.