The Lone Star Data Safeguard: A Look into the Texas Data Privacy and Security Act

On June 18, a new star emerged in the American data privacy constellation: Texas proudly took its place as the eleventh state to champion consumer privacy rights by enacting the Texas Data Privacy and Security Act (TDPSA), with the ink drying on HB 4.

The countdown has begun, with the TDPSA set to come into effect on July 1, 2024, the very same day as its Floridian counterpart, the Florida Digital Bill of Rights.

An Introduction to the Texas Data Privacy and Security Act

The TDPSA safeguards the privacy and personal data rights of over 31 million Texans. But what sets it apart from other state-level data privacy legislation in the US is its unique language and application.

While most laws of its kind focus on goods or services “targeting” state residents, the TDPSA’s term “consumed” might be its most distinguishing feature. This peculiar choice of verbiage could potentially expand its purview to out-of-state businesses that deal with Texans, ensuring they adhere to TDPSA or otherwise exclude Texas residents from their clientele if they don’t comply with equivalent regulations.

Organizations under the TDPSA Umbrella

Any business that processes the personal information of consumers is impacted by the Act. Texas defines a consumer not just as any resident, but specifically as one acting in an individual or household capacity—excluding commercial or employment contexts.

As such, it’s critical for these organizations to inform their consumers about the various data collection and processing activities they perform, which includes clarity about the nature of the data collected, its intended use, and potential third-party sharing.

The Opt-Out Model

The TDPSA uses an opt-out model, similar to several other states that have introduced comprehensive data privacy regulations. This mandates businesses to offer consumers a clear path to decline data collection and processing.

Alongside this, both the businesses and their third-party affiliates need to enforce reasonable data security measures and safeguards.

Core Definitions under the TDPSA

Personal Data: TDPSA follows a conventional approach to defining personal data. It encompasses any information, sensitive or otherwise, that can be linked (or is linkable) to an identifiable individual.

While the Act doesn’t list any specific examples, traditional details like names, phone numbers, IP addresses, and Social Security numbers fall under this category.

Consent: Drawing inspiration from the European Union’s GDPR, the TDPSA defines consent as a clear and unmistakable act indicating a consumer’s voluntary agreement to process their personal data.

This could be in the form of written statements or other evident affirmative actions. However, the Act differs from many others by excluding certain specific cases—like the acceptance of broad terms of use—from qualifying as valid consent.

Sensitive Data: This category is reserved for personal information that, if mishandled, could result in significant harm. This includes data revealing racial or ethnic origins, religious beliefs, health diagnoses, sexuality, citizenship status, genetic or biometric data, information from children under 13, and precise geolocation data.

Controller and Processor: Businesses that dictate the manner and purpose of personal data processing are termed ‘controllers’. Meanwhile, third-party entities handling data on behalf of these businesses are termed ‘processors’.

Sale: This is defined as the transfer or disclosure of personal data for tangible or other valuable gains. There are several exclusions, however, such as sharing data for requested product/service delivery or as part of mergers.

Targeted Advertising: This refers to advertisements curated based on a consumer’s data (collected over time across different platforms), which aim to predict consumer preferences.

Exemptions to the TDPSA

Texas aligns with existing US data privacy laws by providing certain exemptions, mainly recognizing federal laws like HIPAA, COPPA, and FCRA, to name a few.

The Act also excludes data pertaining to human research subjects, HR, health records, and employment purposes. Additionally, entities like state government agencies, higher education institutions, insurance companies, financial institutions, electric utilities, and nonprofit organizations are among those exempted.

Consumer Rights under the TDPSA

Texan consumers can exercise several rights under this law:

Right to Access

This allows consumers to verify if a controller is processing their data and gain access to it.

Right to Correction

Consumers can rectify any inaccurate or outdated information.

Right to Delete

Consumers can instruct the controller to erase their personal data, aside from certain exceptions.

Right to Portability

This ensures that consumers can retrieve their data in a usable format.

Right to Non-Discrimination

Controllers cannot unduly discriminate against consumers for asserting their rights.

Right to Opt-Out

This encompasses declining the sale of personal data, targeted ads, or significant decision-making based on profiling.

Parents or legal guardians can also represent children under 13. Notably, unlike California’s law, the TDPSA does not grant consumers the right to initiate legal proceedings against data processing violators.


The Texas Data Privacy and Security Act showcases Texas’s commitment to balancing the technological and economic advances of the digital age with the privacy rights of its citizens.

With its unique language and broad implications, the TDPSA is a testament to the evolving landscape of data privacy laws in the US. As the digital world continues to expand, so will the importance of these regulations in offering a blueprint for other states considering similar measures.
