Move over, GDPR!  (That’s the European Union’s set of data privacy regulations.)  Texas is ready to dance.

1. Texas now has data privacy regulations!

It’s no wonder that, in the absence of federal-level legislation, Texas took proactive steps to protect their residents’ privacy rights.  On July 1, the Texas Data Privacy and Security Act (TDPSA) came into full force and effect.

2. The TDPSA breaks no new ground.

Globally, the EU’s GDPR is considered the gold standard, influencing legislation worldwide to prioritize consumer privacy and data protection. Other nations followed suit:  consider, e.g., China’s Personal Information Protection Law.

Texas designed the TDPSA to align with the GDPR.  It was not, however, the first US state to regulate data privacy.  Instead, California was at the vanguard, promulgating the California Consumer Privacy Act and California Privacy Rights Act. In fact, California may have incented many other states to enact their own privacy measures.

3. Texas residents now have state-level privacy rights.

The TDPSA grants residents right to (i) know what data is being collected about them, (ii) correct inaccuracies in that data, and (iii) request its deletion.  Starting in January 2025, they’ll also need to have the option to opt-out of having their data used for targeted advertising, sales, or profiling – a move aimed at giving consumers more control over how their personal information is used.

4. Texas businesses now have more stringent obligations…unless they don’t.

Businesses that determine how and why data is processed are defined as “controllers.”  Controllers must (i) minimize data collection to only what is necessary, (ii) ensure robust data security measures are in place and remain effective, and (iii) refrain from illegal discriminatory practices based on consumer data.  Additionally, they may not process “sensitive data” without prior explicit consent. 

“Necessary” data collection is often only the limited data required to complete a business transaction.   Adequate security measures will depend on the character of that data considered “necessary.”

Unless they sell sensitive consumer data, the TDPSA allows for an exemption from these requirements for small businesses.  A TDPSA exemption, however, will not protect a business from FTC and civil liability for unauthorized practices.

5. Key elements of compliance include privacy notices and risk assessments.

Echoing other existing data privacy laws, privacy notices are a key TDPSA requirement; they are designed to ensure transparency of data practices. Businesses will need to outline (i) what personal data they collect, (ii) how it will be used, and (iii) where it will be shared.

And, at this point we paraphrase Ben Franklin, who apparently was paraphrasing 13^th century jurist Henry de Bracton:  “an ounce of prevention is worth a pound of cure.”   There is nothing better than a gap analysis to…assess program gaps.  Consistent with other state laws (such as California and Colorado), the TDPSA mandates data protection assessments for higher risk processing. These assessments help businesses evaluate and document risks associated with certain activities, meaning that they can focus on eliminating or minimizing greater risks.   Left unsaid, but perhaps even more important: risk assessments promote efficiency and cost-effectiveness:  instead of “boiling the ocean,” a business can focus its resources on its most serious and likely risks.

The absence of federal legislation makes multistate compliance exponentially more difficult.  Companies with multistate operations will need to assess relative risks and adapt to state-specific requirements to avoid varying state penalties and to maintain consumer trust. 

Of course, we’re here to help you stay ahead of these changes and ensure compliance across your operations.  Our firm has the expertise on staff to, among other things, (a) assess gaps and risks and (b) help you process, store and protect sensitive data.  Call us today!