After passing the Texas Senate on May 10, 2023, the Texas Data Privacy and Security Act (the “TDPSA”) was reconciled by the conference committee between the Texas Senate and House and awaits final approval from Governor Greg Abbott. The TDPSA is intended to be a comprehensive regime for how consumers and companies interact with personal data, maximizing “both the utility of the rights provided to consumers and interoperability with other states to minimize compliance costs for businesses.” However, as we have seen with many other state consumer privacy statutes to date, the law is not consistent and defines terms in a different manner than other state comprehensive privacy regimes.
The Texas Attorney General must notify an individual or entity of an alleged violation of the TDPSA at least 30 days before bringing an enforcement action. Upon receiving notice, the person has a 30-day cure period to resolve the violation and provide a written statement attesting that the privacy violation was cured, the consumer was notified that the privacy violation was addressed (if contact information was available), documentation to show the violation was cured, and changes to internal policies as necessary to prevent future violations.
If a violation is not cured within 30 days or the written statement to the Texas Attorney General is violated, the offending individual or entity may face penalties including: civil penalties of up to $7,500 for each violation and/or injunctive relief to restrain or enjoin the person’s operations. Additionally, the person will be liable for reasonable attorney’s fees and other expenses incurred from investigating and bringing an action under the TDPSA.
The TDPSA does not provide a private right of action.
Recommended Compliance Steps
Individuals and entities subject to the TDPSA, should take the following measures to ensure compliance:
 As of the date of publication, the TDPSA is awaiting final signature by the governor.
 The TSPSA defines “controller” as include “an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data.” H.B. 4 Sec. 541.001(8)
 The TDPSA exempts: (i) nonprofits organized under Chapters 20 and 22, Texas Business Organizations Code, and the provisions of Title 1, Texas Business Organizations Code; (ii) 501(c)(3), 501(c)(6), 501(c)(12) and 501(c)(19) entities; (iii) 501(c)(4) entity that is also described by Section 701.052(a) of the Texas Insurance Code; and (iv) political organizations.
 See Section 31.002, Utilities Code, for definitions of an electric utility, a power generation company, or a retail electric provider.
 Texas law defines “transacting business” in the negative, stipulating that transacting business does not include: 1) maintaining, defending, or settling any proceeding; 2) holding meetings of officials or members or carrying on the internal affairs of the entity; 3) maintaining bank accounts; 4) maintaining an office or agency for the transfer, exchange, or registration of interests of the entity; 5) voting the interest of an entity the foreign entity has acquired; 6) making sales through independent contractors; 7) creating, as borrower or lender, or acquiring an indebtedness or security interest in real or personal property; 8) securing or collecting debts; 9) transacting business in interstate commerce; 10) conducting an isolated transaction; 11) exercising a power of executor of a will of a non-resident, as administrator of a will of a non-resident decedent, or as trustee of a trust created by non-residents or foreign entity; 12) acquiring a debt on property inside the state by a transaction outside of the state; 13) investing or acquiring a royalty or non-operating mineral interest in a transaction outside of the state; 14) executing a division order, contract of sale, or other instrument incidental to ownership of a non-operational mineral interest; 15) owing, without more, property in the state; or 16) acting as a governing person of a domestic or foreign entity registered to transact business in the state. Tex. Business Organizations Code § 9.251
 While Section 541.003 describing information exempt from the TDPSA does not mention data subject to the Title V, Gramm-Leach-Bliley Act (“GLBA”), the exemptions under Section 541.002(b) describing entities not subject to the TDPSA includes a reference to “or data” under (b)(2) with respect to the GLBA.
 “Dark pattern" means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making or choice, and includes, but is not limited to, any practice the Federal Trade Commission refers to as a "dark pattern". H.B. 4 Sec. 541.002 (10).
 "Trade secret" means all forms and types of information, including business, scientific, technical, economic, or engineering information, and any formula, design, prototype, pattern, plan, compilation, program device, program, code, device, method, technique, process, procedure, financial data, or list of actual or potential customers or suppliers, whether tangible or intangible and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if: (A) the owner of the trade secret has taken reasonable measures under the circumstances to keep the information secret; and (B) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, another person who can obtain economic value from the disclosure or use of the information H.B. 4 Sec. 541.002 (33).
 Types of data that must be assessed are: (1) the processing of personal data for purposes of targeted advertising; (2) the sale of personal data; (3) the processing of personal data for purposes of profiling, if the profiling presents a reasonably foreseeable risk of: (A) unfair or deceptive treatment of or unlawful disparate impact on consumers; (B) financial, physical, or reputational injury to consumers; (C) a physical or other intrusion on the solitude or seclusion, or the private affairs or concerns, of consumers, if the intrusion would be offensive to a reasonable person; or (D) other substantial injury to consumers; (4) the processing of sensitive data; and (5) any processing activities involving personal data that present a heightened risk of harm to consumers.
 As applicable to the data, the notice should include one or both of the following: (i) “NOTICE: We may sell your sensitive personal data.”; and (ii) “NOTICE: We may sell your biometric personal data.”
Sign up for our newsletter and get the latest to your inbox.