Locke Lord QuickStudy: Texas Data Privacy and Security Act

Locke Lord LLP
May 18, 2023

After passing the Texas Senate on May 10, 2023, the Texas Data Privacy and Security Act (the “TDPSA”)[1] awaits final approval from Governor Greg Abbott. The TDPSA is intended to be a comprehensive regime for how consumers and companies interact with personal data, maximizing “both the utility of the rights provided to consumers and interoperability with other states to minimize compliance costs for businesses.”[2] However, as we have seen with many other state consumer privacy statutes to date, the law is not consistent and defines terms in a different manner than other state comprehensive privacy regimes.

  • Compliance Date and Enforcement Authority: If signed by Governor Abbott, the TDPSA will go into effect on March 1, 2024. The TDPSA grants exclusive enforcement and investigative authority to the Texas Attorney General; there is no private right of action under the TDPSA.  The TDPSA directs the Texas Attorney General to provide consumers: (1) information outlining consumer rights and the responsibilities of controllers and processors under the TDPSA and (2) an online portal for submitting consumer complaints by March 1, 2024.
    1. In the event that the Texas Attorney General identifies a violation of the TDPSA, they must notify the individual or entity in violation at least 30 days before bringing an enforcement action. Upon receiving notice, the person has a 30-day cure period to resolve the violation and provide a written statement attesting that the both the present violation and all potential future violations have been cured.

      If a violation is not cured within 30 days, the offending individual or entity may face penalties including: civil penalties of up to $7,500 for each ‎violation‎ and/or injunctive relief to restrain or enjoin the person’s operations. Additionally, the person will be liable for reasonable attorney’s fees and other expenses incurred from investigating and bringing an action under the TDPSA.

  • Who is subject to the TDPSA? The TDPSA applies broadly to individuals and entities that process or engage in the sale of personal data and: (1) conduct business in Texas or (2) produce a product or service consumed by residents of Texas. Unlike other state privacy laws that exempt businesses from their privacy regimes based on revenue or data volume thresholds, the TDPSA casts a wider net by exempting “small businesses” as defined by the U.S. Small Business Administration.[3] Also exempt are financial ‎institutions subject to Title V, Gramm-Leach-‎Bliley ‎Act; HIPAA covered entities and businesses ‎associates; and state agencies and political subdivisions, certain nonprofit organizations[4], and higher ‎education institutions. 
    • Compliance Note: An individual or entity is conducting business in Texas if the organization maintains intentional, long-term activities in the state including, but not limited to, developing property in Texas, authorizing a franchisee, or maintaining a general purpose office and employees in Texas.[5]
  • What individual rights exist under the TDPSA? Much like prior legislation such as California’s CCPA or Virginia’s VCPA,[6] the TDPSA establishes five basic consumer rights over their personal data, including the right to (1) confirm whether a controller is processing the consumer’s personal data; (2) opt out of data processing for targeted advertising, sales of personal data, or profiling to inform certain decisions that will affect the consumer; (3) and access, correct, delete, and obtain a copy of the consumer’s data.
    • Compliance Note: the TDPSA defines “consumer” as an individual who is a resident of Texas state acting only in an ‎individual or household context. The term does not include an ‎individual acting in a commercial or employment context. This definition simply defines “consumer” as any natural resident of Texas.   ‎
  • What data is exempt from the TDPSA? The TDPSA creates carve outs for the following categories of data: (1) health records, patient identifying information, and other protected health information under HIPAA; (2) information derived from any of the health care-related information  that is deidentified in accordance with the ‎requirements for deidentification under HIPAA; (3) ‎ identifiable private information for purposes of the federal policy for the protection of human research ‎subjects; (4) information and documents created for purposes of the Health Care ‎Quality Improvement Act‎ ; (5) patient safety work product collected for purposes of the Patient Safety and ‎Quality Improvement Act; (6) personal information collected in furtherance of activities that are regulated by and authorized under the Fair ‎Credit Reporting Act; (7) personal data collected, processed, sold, or disclosed in ‎compliance with the Driver's Privacy Protection Act; (8) ‎ personal data regulated by the Family Educational Rights and ‎Privacy Act‎; (9) personal data collected, processed, sold, or disclosed in ‎compliance with the Farm Credit Act‎; (10) data processed or maintained in the course of an individual applying ‎to, employed by, or acting as an agent or independent contractor of ‎a controller, processor, or third party, ‎if that data is collected and used within the context of that role‎; and (11) data processed or maintained as emergency contact information‎.
  • What’s different from other state comprehensive privacy laws? The TDPSA is intended to build on standards promulgated by the VCPA to heighten accountability for businesses that utilize consumer data, clarify ambiguities that arose under the VCPA, and enhance “best practices” for businesses regarding data processing, sharing, and protection. Here are some of the key provisions to note:
    • Definition of Personal Data: the TDPSA distinguishes between “de-identified data” (which cannot be attributed to an individual) and “pseudonymous data” (which cannot be attributed to an individual without additional information). The statute includes “pseudonymous data” under its definition of “personal data” only when used by a controller or a processor in conjunction with additional information that reasonably links the data to an identified or an identifiable individual. Additionally, the statute establishes handling requirements for both types of data to prevent re-identification.
    • Definition of Consent: the TDPSA narrows its definition of consent to exclude (1) acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information; (2) hovering over, muting, pausing or closing a given piece of content; or (3) agreement obtained through the use of dark patterns.[7] This narrowed definition of consent is designed to deter businesses from steering consumers toward conceding personal information by obscuring key privacy policy information by nesting it in other unrelated information.
    • Definition of “Sale” of Personal Data: The TDPSA adopts a broader definition of “sale” of data to encompass “sharing, disclosing, or transferring of personal data.” The definition also expands the types of transactions that would qualify as a sale of data to include both monetary transactions and quid pro quo agreements.
    • Consumer Requests: The TDPSA merges the VCPA and the CCPA’s mandated procedures for making consumer requests by requiring covered businesses to provide two secure and accessible means for consumers to submit requests for data. The TDPSA also clarifies the consumer’s right to access their data to ensure all digitally available information may be accessed by the consumer, regardless of the method a business uses to process the consumer’s data.
    • Privacy Policy Disclosure of Collection of Sensitive Data (including Biometric Data): The TDPSA requires businesses to disclose any collection of sensitive data, which includes biometric data (data generated by automatic measurements of an individual’s biological characteristics, such as fingerprint, voiceprint, eye retina or iris, or other unique biological patterns or characteristics), in their privacy policies.
    • Exemptions for Information Collected for Public Health Activities and Trade Secrets: The TDPSA expands its exemption for public health activities conducted by agencies such as the FDA to include “information collected or used only for public health activities.” This change confirms that FDA-regulated entities may comply with federal requirements when handling public health data. The statutes also defines “trade secrets” to align with the definition set forth in the Texas Uniform Trade Secrets Protection Act[8] and creates an exemption for such information from the requirements of the act.

Recommended Compliance Steps

Individuals and entities subject to the TDPSA, should take the following measures to ensure compliance:

  1. Data Protection Assessment. Conduct a data protection assessment of the types of data[9] your organization collects and evaluate how that data is used across your organization to determine if the data qualifies as “personal data” as defined by the TDPSA. The assessment must identify and weigh the direct or indirect benefits that the organization may gain from use of personal data against the potential risks to the ‎rights of the consumer associated with that processing, as ‎mitigated by safeguards that can be employed to ‎reduce the risks. The assessment must also consider: the use of deidentified data; ‎ the reasonable expectations of consumers; ‎ the context of the processing; and the relationship between the controller and the ‎consumer whose personal data will be processed.‎ The results of this assessment must be made available to the Texas Attorney General.
  2. Limit and Protect Personal Data. Ensure your organization both (1) limits the collection of personal data to what is adequate, ‎relevant, and reasonably necessary in relation to the purposes for ‎which that personal data is processed, as disclosed to the ‎consumer; and (2) utilizes reasonable administrative, technical, and ‎physical data security practices that are appropriate to the volume ‎and nature of the personal data your organization handles.‎
  3. Establish and Assess Disclosure and Consent Requirements. Evaluate your organization’s processes for obtaining consent to collect, utilize and share data to ensure they comply with the TDPSA’s requirements for consent. Revise/draft privacy policies to comply with the TDPSA’s consent definition, avoiding ‎obscuring privacy disclosures with other generalized information, hover-over content or other ‎UI/UX designs that could obscure information, and other “dark patterns” that could otherwise ‎impair consumers’ understanding of your privacy practices. ‎
    1. Revise or draft a consumer-facing privacy policy that describes any collection of biometric and other sensitive data and that clearly articulates the TDPSA’s five consumer rights. For businesses subject to other state privacy laws, existing policies may be able to be leveraged.

  4. Organize for Receiving and Processing Consumer Requests. Assess and update IT governance practices to ensure your organization offers adequate and accessible means for consumers to submit requests for data. Most organizations must provide at least two secure and reliable methods to enable consumers to ‎submit a request to exercise their consumer rights‎, and these methods must consider: (1) the ways in which consumers normally interact with the controller; (2) the necessity for secure and reliable communications of those requests; and (3) the ability of the controller to authenticate the identity of the consumer making the request. Additionally, if your organization operates a website, you must make the website available to consumers to submit requests for ‎information‎. If your organization operates exclusively online and has a collects personal information directly from consumers, then you are ‎only required to provide an e-mail address for the submission of ‎requests. ‎
  5. Establish Response Protocols for Response to Consumer Requests. Update or adopt procedures to ensure your organization can respond to consumer requests for data within 45 days of receipt of the ‎request.  The controller may extend the response period once by an ‎additional 45 days when reasonably necessary, but ‎the controller must inform the consumer of the extension‎ within the initial 45 day period.
  6. Confirm Retention and Deletion Process. Assess IT governance practices to ensure your organization meets the TDPSA’s requirements to adequately delete consumer information as necessary.
  7. Assess, Manage and Disclose “Sales.” Review contracts with third parties that involve the “sale” of personal information as defined under the TDPSA to ensure all sales meet the statute’s requirements. If your organization sells personal data to third parties or processes ‎personal data for targeted advertising, you must clearly and conspicuously disclose such processing and the manner ‎in which a consumer may exercise the right to opt out of such ‎processing‎.


[4] The TDPSA exempts: (i) nonprofits organized under Chapters 20 and 22, Texas Business Organizations Code, and the provisions of Title 1, Texas Business Organizations Code; (ii) 501(c)(3), 501(c)(6), and 501(c)(12) entities; (iii) 501(c)(4) entity that is also described by Section 701.052(a) of the Texas Insurance Code; (iv) political organizations; (v) a subsidiary or affiliate of an entity organized under Chapter 11, Texas Utilities Code.

[5] Texas law defines “transacting business” in the negative, stipulating that transacting business does not include: 1) maintaining, defending, or settling any proceeding; 2) holding meetings of officials or members or carrying on the internal affairs of the entity; 3) maintaining bank accounts; 4) maintaining an office or agency for the transfer, exchange, or registration of interests of the entity; 5) voting the interest of an entity the foreign entity has acquired; 6) making sales through independent contractors; 7) creating, as borrower or lender, or acquiring an indebtedness or security interest in real or personal property; 8) securing or collecting debts; 9) transacting business in interstate commerce; 10) conducting an isolated transaction; 11) exercising a power of executor of a will of a non-resident, as administrator of a will of a non-resident decedent, or as trustee of a trust created by non-residents or foreign entity; 12) acquiring a debt on property inside the state by a transaction outside of the state; 13) investing or acquiring a royalty or non-operating mineral interest in a transaction outside of the state; 14) executing a division order, contract of sale, or other instrument incidental to ownership of a non-operational mineral interest; 15) owing, without more, property in the state; or 16) acting as a governing person of a domestic or foreign entity registered to transact business in the state. Tex. Business Organizations Code § 9.251

[7] “Dark pattern" means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making or choice, and includes, but is not limited to, any practice the Federal Trade Commission refers to as a "dark pattern". H.B. 4 Sec. 541.002 (10).

[8] "Trade secret" means all forms and types of information, including business, scientific, technical, economic, or engineering information, and any formula, design, prototype, pattern, plan, compilation, program device, program, code, device, method, technique, process, procedure, financial data, or list of actual or potential customers or suppliers, whether tangible or intangible and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if: (A) the owner of the trade secret has taken reasonable measures under the circumstances to keep the information secret; and (B) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, another person who can obtain economic value from the disclosure or use of the information H.B. 4 Sec. 541.002 (33).

[9] Types of data that must be assessed are: ‎(1)  the processing of personal data for purposes of targeted ‎advertising;‎ (2)  the sale of personal data;‎ (3)  the processing of personal data for purposes of ‎profiling, if the profiling presents a reasonably foreseeable risk ‎of:‎ (A)  unfair or deceptive treatment of or unlawful ‎disparate impact on consumers;‎ (B)  financial, physical, or reputational injury to ‎consumers;‎ (C)  a physical or other intrusion on the solitude ‎or seclusion, or the private affairs or concerns, of consumers, if ‎the intrusion would be offensive to a reasonable person; or (D)  other substantial injury to consumers;‎ ‎(4)  the processing of sensitive data; and (5) any processing activities involving personal data ‎that present a heightened risk of harm to consumers.‎