Texas became the eleventh state in the United States to enact a consumer privacy bill on June 18, 2023 with the passing of HB4, the Texas Data Privacy and Security Act (TDPSA). The law goes into effect on July 1, 2024, with the global opt-out technology provisions going into effect on January 1, 2025.
We look at the Texas data privacy law, how it protects consumers, and what it means for businesses that must comply with its provisions.
What is the Texas Data Privacy and Security Act?
The Texas Data Privacy and Security Act is a state-level law to protect the privacy and personal data of Texas residents by regulating its collection, processing, and use. The law sets data privacy responsibilities for businesses operating in the state or providing products or services consumed by Texas residents.
As with other state-level data privacy laws, these protections extend only to residents acting in personal or household matters, not in commercial or employment activities. They are known as “consumers” under the TDSPA.
Texas follows a similar approach to other US states with its opt-out consent model, meaning in most cases it is not necessary to obtain consent before collecting or processing personal data. Businesses must clearly explain to consumers what personal information they collect and why, third parties that might have access to it, and how consumers can opt out of its collection and processing.
Who must comply with the Texas Data Privacy and Security Act?
Businesses must comply with the TDPSA if they meet the following requirements:
- they conduct business in Texas or produce products or services consumed by Texas residents
- they process or engage in the sale of personal data, and
- they are not identified as a small business as defined by the U.S. Small Business Administration (generally identified as an independent, for-profit business with fewer than 500 employees)
Unlike many other US state-level privacy laws, there are no thresholds under the TDPSA based on a business’s gross annual revenue, revenue earned from sale of personal data, or volume of personal data belonging to the state’s residents that is controlled or processed.
Exemptions to Texas Data Privacy and Security Act compliance
The TDPSA exempts certain entities from complying, including:
- state government agencies
- financial institutions or data covered under the Gramm-Leach-Bliley Act
- covered entities or businesses governed by the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act
- nonprofit organizations
- higher education institutions
- electric utilities
Data that is exempt from the law includes: healthcare-related information; research data; and information created for or collected in pursuance to several federal laws, including HIPAA, Health Care Quality Improvement Act, Fair Credit Reporting Act (FCRA), Driver’s Privacy Protection Act, Family Educational Rights and Privacy Act (FERPA), and Farm Credit Act (FCA) among others.
Definitions in the Texas Data Privacy and Security Act
The TDPSA defines certain key terms related to who the law protects, what data is protected, and data processing activities.
What is personal data under the TDPSA?
The law defines personal data, also called personal information in some other laws, as “any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.”
Publicly available information or de-identified data are not considered personal data under the law.
Unlike some other US state-level data privacy laws, the TDPSA does not give examples of what constitutes personal data. Common types that businesses collect include name, phone number, email address, Social Security number, or driver’s license number.
What is sensitive data under the TDPSA?
Sensitive personal data is data that could cause harm to consumers if exploited. It includes personal data that reveals:
- racial or ethnic origin
- religious beliefs
- mental or physical health diagnosis
- sexuality
- citizenship or immigration status
- genetic or biometric data processed for the purpose of uniquely identifying an individual
- personal data collected from a known child (under 13 years of age)
- precise geolocation data
What is consent under the TDPSA?
The TDPSA defines consent as a “clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. The term includes a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.”
This definition is heavily influenced by the European Union’s General Data Protection Regulation (GDPR).
The TDPSA’s definition of consent excludes:
- accepting general or broad terms of use or similar documents that contain descriptions of personal data processing along with other, unrelated information
- hovering over, muting, pausing, or closing a given piece of content
- an agreement obtained using dark patterns
Unlike some other data privacy laws, the TDPSA does not require that consumers must have a way to withdraw or revoke consent once given.
Who is a controller under the TDPSA?
A controller under the law is “an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data.” A controller has the primary responsibility for ensuring compliance with applicable privacy laws, including the obligations to protect the data and to respect the rights of consumers. Also known as a “data controller” under some other privacy laws.
Who is a processor under the TDPSA?
In some cases, the controller may collect the personal data and share it with an outside entity for the purpose of processing. The law defines this outside entity as a processor or “a person that processes personal data on behalf of a controller.”The processor’s role is to process personal data following the controller’s instructions and the requirements set forth by the TDPSA, both of which need to be included in a contractual agreement.
Ultimately, the controller is responsible for processors’ actions with regards to personal data, so vigilance is important when entering into contractual processing agreements.
What is the sale of personal data under the TDPSA?
The TDPSA defines sale as the “the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.” Sale excludes disclosure of personal data:
- to a processor that processes the personal data on the controller’s behalf
- to a third party for the purposes of providing a product or service the consumer has requested
- to an affiliate of the controller
- that the consumer intentionally made available to the public through a mass media channel and did not restrict to a specific audience
- to a third party as an asset that is part of a merger or acquisition, including transfer of personal data
What is targeted advertising under the TDPSA?
Targeted advertising means “displaying to a consumer an advertisement that is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests.”
Personal data is used to better predict what consumers might like in order to personalize advertising efforts based on each individual’s preferences.
Targeted advertising under the TDPSA does not include:
- ads that are based on activities within a controller’s own internet websites or apps
- ads that are based on the context of a consumer’s current search query or visit to a website or app
- ads that are directed to a consumer in response to the consumer’s request for information or feedback
- processing of personal data solely for measuring or reporting advertising performance, reach, or frequency
What are consumers’ rights under the Texas Data Privacy and Security Act?
The TDPSA aims to protect the personal data of Texas residents, and it grants them several critical rights to enable this.
- Right to access: consumers can confirm whether a controller is processing their personal data and gain access to this data, with some exceptions.
- Right to correction: consumers have the right to correct inaccurate or outdated personal data that they provided to the controller.
- Right to deletion: consumers can request the deletion of their personal data held by the controller, with certain exceptions.
- Right to data portability: consumers can obtain a copy of personal data they have provided to a controller, in a format that is easy to use and transfer.
- Right to opt out: consumers can opt out of the processing of their personal data for the purposes of its sale, targeted advertising, or profiling that has legal or similarly significant effects on them.
Parents or legal guardians can exercise these rights on behalf of children regarding the processing of personal data. Unlike the California Consumer Privacy Act (CCPA), the TDPSA does not include a private right of action, meaning consumers cannot sue controllers directly for violations of the law.
What are the controllers’ obligations under the Texas Data Privacy and Security Act?
The Texas data privacy law imposes several obligations on controllers for the safeguarding of consumers’ personal data.
Consumer rights requests under the TDPSA
Controllers must notify consumers of:
- what their rights are
- how to exercise rights by making a request
- how to appeal against the controller’s decision
This information is usually contained in a privacy policy or privacy notice under the law. These kinds of requests are commonly referred to as data subject requests (DSR) or data subject access requests (DSAR).
Controllers must establish two or more easily accessible and commonly used methods by which consumers can exercise their rights under the TDPSA. Consumers can be required to login to an existing account to provide identity verification, but must not be required to create a new account to exercise their rights. If the controller maintains a website, it must provide a method for exercising consumer rights directly through the website. Controllers who operate exclusively online and collect personal data directly from consumers can provide an email address where consumer rights requests can be submitted.
The controller has 45 days to respond to a consumer request and can extend that period by another 45 days if reasonably necessary to comply. If the controller needs to extend the response period, they must notify the consumer before the end of the first 45 days. If the controller is unable to reasonably verify the consumer’s identity, it can make additional verification requests, or decline the consumer’s request.
Controllers must provide information to the consumer up to twice a year for free.
Consumers have the right to appeal if the collector denies their request, and the collector must inform them of the appeal procedure, which should be similar to the procedure for making a request. The controller must respond to an appeal within 60 days.
Purpose limitation under the TDPSA
Controllers must disclose the purpose(s) for which they are collecting personal data, and they must limit the personal data they collect to what is “adequate, relevant, and reasonably necessary” for those purposes.
Data security under the TDPSA
Controllers have a responsibility to safeguard consumers’ personal data and they must establish, implement, and maintain reasonable administrative, technical, and physical security measures to do so. These security measures must be suited to the volume and nature of personal data processed.
Data protection assessment (DPA) under the TDPSA
The law requires controllers to conduct and document data protection assessments when they process data:
- for the purposes of targeted advertising
- for sale
- for the purposes of profiling, if there is a reasonably foreseeable risk of unfair or deceptive treatment; financial, physical or reputational injury; offensive intrusion into private affairs or other substantial injury to consumers
- that is categorized as sensitive personal data
- that presents heightened risk of harm to consumers
The Attorney General can request the controller to provide a DPA in the course of investigating an alleged violation.
Consent requirements under the TDPSA
Like many states with privacy laws, Texas also adopts an opt-out model, meaning that in many cases, businesses can collect and process personal data without initially needing consumers’ consent.
However, there are exceptions, and businesses must obtain consent before handling sensitive personal data. They must also provide clear information about data processing and enable consumers to opt out of the sale of data, targeted advertising, or profiling.
The TDPSA aligns with the Children’s Online Privacy Protection Act (COPPA) in matters concerning personal data that belongs to children. Businesses must get prior consent from a parent or guardian before processing any personal data from children under 13 years old, as all personal data of children under this age is classified as sensitive personal data in Texas.
Nondiscrimination under the TDPSA
The TDPSA prohibits controllers from discriminating against consumers for exercising any of their rights under the law. Examples of discrimination include denying goods or services, charging different prices for goods or services, or providing a different level of quality of goods or services to consumers who exercise their rights. For instance, a business can’t deny consumers access to their website simply because they chose not to allow their personal data to be collected, processed, or sold.
In some cases, some website features might not work as intended if a consumer decides not to enable specific cookies or trackers required by the features to operate (commonly called essential or necessary cookies). This is not considered discrimination under the law.
It is also not discriminatory for controllers to provide incentives, such as discounts, to consumers who voluntarily participate in activities that involve processing personal data. These could include loyalty programs or early access to sales or new products. These incentives must be reasonable and proportionate to avoid being seen as coercive or as a payment for consent.
Privacy notice under the TDPSA
Controllers must publish a privacy notice that includes information on:
- categories of personal data processed, including sensitive personal data, if any
- purposes for processing personal data
- methods to exercise consumer rights, as well as to appeal the controller’s decision regarding a request
- categories of personal data shared with third parties, if any
- categories of third parties who receive personal data, if any
- method by which consumers may opt out of the sale of personal data to third parties or processing of personal data for targeted advertising or profiling
This information must be clearly accessible to consumers and generally appears in the form of a privacy policy on the business’s website.
If a controller sells consumers’ sensitive personal data or biometric data, they must publish, along with the privacy policy, a notice with the specific words “NOTICE: We may sell your sensitive personal data” or “NOTICE: We may sell your biometric personal data” respectively.
Universal opt-out signal under the TDPSA
The TDPSA aligns with several other state-level data privacy laws by incorporating provisions for the Global Privacy Control (GPC), a universal opt-out mechanism. Controllers must recognize a universal opt-out signal from consumers by January 1, 2025 under the law.
GPC aims to standardize user consent online by enabling consumers to set their privacy preferences once, typically through browser settings or an extension, and have those preferences automatically applied across all websites and online services they access. This system helps ensure users’ privacy settings are consistent and respected, simplifying compliance with applicable privacy laws for both consumers and businesses.
Data processing agreements under the TDPSA
The TDPSA requires controllers to enter into a contract with processors that contain provisions governing data processing procedures. Although the law doesn’t use the specific term “data processing agreement”, this contract is akin to a data processing agreement required by many other data privacy laws including the GDPR and Virginia Consumer Data Protection Act (VCDPA).
Such an agreement is particularly important as the controller remains ultimately legally responsible for the processing activities — or any privacy breaches or violations — resulting from processors’ activities.
The contract or data processing agreement must clearly outline:
- instructions for processing data
- nature and purpose of processing
- type of data subject to processing
- duration of processing
- rights and obligations of both parties
- requirements that the processor shall maintain confidentiality
- requirement for deletion or return of data after processing completion
Texas Data Privacy and Security Act enforcement and compliance
The Texas Attorney General has the exclusive authority to enforce the TDSPA. While the law does not grant consumers a private right of action, they can still bring complaints about potential violations or denials of their privacy rights directly to the Attorney General’s office. Before bringing an enforcement action, the Attorney General must issue a written notice to the implicated party, detailing the alleged violations.
The TDPSA includes a 30-day cure period for organizations to address and resolve any alleged violations after receiving notification. This cure period enables companies to rectify issues and implement measures to prevent future violations. Unlike some other laws, the right to cure under the TDPSA does not have a sunset date, making it a permanent aspect of the law.
Additionally, organizations found in violation of the TDPSA must inform the Attorney General of their corrective actions in writing and confirm that future breaches will not occur. This requirement for providing evidence of remediation is a distinctive aspect of the Texas law, setting it apart from similar regulations in other states.
Fines and penalties under the TDPSA
A controller or data processor that remains in violation after the 30-day period or violates the written statement made to the Attorney General outlining corrective action faces civil penalties under the TDPSA. These fines can be up to USD 7,500 per violation as well as recovery of reasonable expenses incurred to investigate the violation.
Consent management and the Texas Data Privacy and Security Act
The TDPSA adopts an opt-out model for data privacy, which is common across the US states. This model allows businesses to collect and process personal data without requiring prior consent of the individual, except in cases involving sensitive personal data and personal data from children.
Consumers must, however, be able to opt out of the collection and processing of their personal data for sale, targeted advertising or profiling. Businesses are required to clearly present this option on their websites, typically located within the privacy policy or privacy notice, so consumers can easily access and exercise their rights regarding their personal data at any time.
To help users easily choose not to have their data collected, or to stop collection and processing, websites often include a clear link or button on a cookie consent banner. A tool like Cookiebot CMP automates this process by managing cookies and tracking technologies and blocking their use until consent is obtained.
A CMP makes it easy to provide users with transparent information about the types of data collected (and ability to consent or decline at a granular level), for what purposes, and third parties the data is shared with, as required by the TDPSA and other data privacy laws globally.
No single federal data privacy law has been passed in the US yet, so businesses operating across the country and/or internationally must adhere to multiple consumer privacy laws to protect user data. CMPs enable businesses to customize cookie banners and target them according to the user’s location. This enables businesses to achieve compliance with state-level laws like the TDPSA and with international regulations like the GDPR, which has stricter rules about consent.
Preparing for the Texas Data Privacy and Security Act
Businesses operating in Texas have until mid-2024 to prepare for compliance with the TDPSA, when it goes into effect. Those already meeting data privacy standards in other US states will have completed much of the foundational work for TDPSA compliance. Businesses must confirm whether they meet the law’s compliance threshold, and, if so, be ready to provide users with opt-out options and accessible privacy notices.
Solutions like Cookiebot CMP can be instrumental in managing cookies on websites to help achieve compliance. Cookiebot CMP enables website owners to scan their websites to identify and categorize cookies in use, block them until consent is obtained, if needed, automatically populate the CMP and privacy notice, and to collect and record compliant consent from website visitors. These consent records are also ready to be provided to authorities in the event of an audit or data subject access request.
Scan your website for free with Cookiebot CMP to see what cookies and trackers it uses.
As with any legal framework, and given the rapid changes in technology and consumer expectations, we can expect updates to the TDPSA over time. Businesses must consult with a qualified legal professional or data privacy expert, such as a Data Protection Officer, to ensure they fully understand and implement the necessary compliance measures and stay compliant as the law evolves.
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.