Texas Gov. Greg Abbott signed the Texas Data Privacy and Security Act (TDPSA, HB-4) into law on June 18, 2023, and it went into effect on July 1, 2024.
A specific portion of the law titled Chapter 541, Business and Commerce Code, won’t go into effect until 2025.
The TDPSA gives consumers a way to exercise limited control over their data in terms of how it can be accessed, processed, sold or utilized. The law applies to individuals and businesses that meet the following criteria:
• Companies that provide products or services aimed at Texas residents.
• Businesses that control or process the personal data of at least 50,000 consumers, households or devices annually.
• Businesses that derive more than 50% of their gross revenue from the sale of personal data.
TDPSA sets forth several key requirements to ensure the protection and privacy of consumer data. Here are the main points:
Consumer rights
Right to access. Consumers have the right to know what personal data is being collected about them.
Right to correction. Consumers can request corrections to any inaccuracies in their personal data.
Right to deletion. Consumers can request the deletion of their personal information.
Right to data portability. Consumers can request a copy of their private data in a portable format.
Business obligations
Transparency. Businesses must inform consumers about data collection practices, including the types of data collected and the purposes for which it is used.
Consent. Explicit consumer consent is required for the collection and processing of sensitive personal data.
Data security. Businesses must implement reasonable security measures to protect personal data from unauthorized access, destruction, use, modification or disclosure.
Third-party sharing. Businesses must inform consumers if their data is shared with third parties and ensure that third parties uphold similar privacy standards.
Data minimization
Only the data necessary for the specific purpose should be collected, and it should be retained no longer than necessary.
Enforcement and penalties
The Texas attorney general has the authority to enforce the act and impose penalties for non-compliance, including fines of up to $7,500 per violation. Repeated offenses would result in higher penalties depending upon the number and severity of the violations. The attorney general can also pursue injunctive relief to stop any prohibited practices and to ensure future compliance.
Requirements
Texas requires businesses that meet the law’s data collector requirements to:
• Gain clear, unambiguous consent from the consumer regarding the collection and use of their personal data.
• Provide a website with a mechanism for consumers to submit requests to exercise their rights.
• Recognize any request to opt out starting on January 1, 2025.
• Provide precise language for notices like, "Notice: We may sell your sensitive or biometric personal data."
• Carry out and document a confidential data protection assessment covering the sale and processing activities relating to all consumer data.
Exemptions
A business that doesn’t meet the above criteria is categorized as a small business and is exempt, as are nonprofit organizations and governmental entities. Also exempt from this act are financial institutions subject to the Gramm-Leach-Bliley Act and health care providers or entities subject to the Health Insurance Portability and Accountability Act.
Overall, the TDPSA requirements aim to enhance consumer privacy and data security, ensuring that businesses handle personal data responsibly.
If you would like to discuss your cyber security readiness or have a no-cost cyber security overview completed, reach out to OMNIPOTECH.
For more information, visit omnipotech.com or call Robert Kyslinger at (281) 768-4308.