Written by Ana Carolina Teles, AI & GRC Specialist at Palqee Technologies
Until now, the U.S. approach to regulating data privacy has been predominantly through state-level laws. The first comprehensive state law addressing all aspects of personal data processing was the California Consumer Privacy Act (CCPA), enacted in 2018. The law empowers consumers with greater control over their personal information and provides businesses with guidelines on compliance.
Since the enactment of the CCPA, the trend of state-level data privacy regulations has been spreading rapidly across the country.
Over the past two years, data privacy laws have been approved in 18 states, covering over half of the American population. The most recent states to enact such laws include New Jersey, New Hampshire, Kentucky, Nebraska, and Texas.
The Texas Data Privacy and Security Act (TDPSA) is particularly noteworthy. Set to take effect in July 2024, the TDPSA builds upon the foundational principles established by the CCPA but introduces several unique provisions that distinguish it from other state laws.
To assist businesses in understanding and complying with the TDPSA, we present a detailed overview of what the Texas Data Privacy Law entails, who it applies to, and the steps your organisation should take to ensure compliance.
Create a culture of privacy in your business with ease The #1 platform for creating and measuring the Culture of Privacy in organisations. |
Understanding the Texas Data Privacy Law
The Texas Data Privacy Law or TDPSA is a comprehensive regulation designed to govern the collection, use, storage, and sharing of personal data. It outlines the rights of consumers regarding their information and the responsibilities of entities that handle this data.
This regulation aims to ensure that businesses maintain a high standard of data protection, promoting transparency and accountability.
Who needs to comply with the TDPSA?
One of the key features of the Texas Privacy Law is its broad applicability.
Unlike other data privacy laws that set thresholds based on annual revenue or the volume of personal data processed, the Texas law applies to:
Conduct Business in Texas: The entity either operates within Texas or produces a product or service that is consumed by residents of Texas.
Process or Sell Personal Data: The entity processes or engages in the sale of personal data.
There are exceptions to applicability based on the size and type of business:
Small Business: Entities classified as small businesses under the United States Small Business Administration (SBA) definition are generally exempt from the law. However, there are particular circumstances where even small businesses must comply, such as obtaining prior consent before the sale of sensitive consumer data.
In essence, if your business has any interaction with the personal data of Texas residents, compliance with the Texas Privacy Law is mandatory.
Key Definitions under the TDPSA
To comply with the law, it is essential for businesses to understand the meanings of the various definitions as outlined in the regulation. Here are some important terms defined in the Texas Privacy Law:
Consent | A clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process their personal data. This can include a written statement or any other unambiguous affirmative action. Note that consent does not include acceptance of general terms of use, hovering over content, or agreement obtained through dark patterns. |
Consumer | A resident of Texas acting in an individual or household context. This does not include individuals acting in a commercial or employment context. |
Processing | Any operation performed on personal data, whether manually or automated, including collection, use, storage, disclosure, analysis, deletion, or modification. |
Personal Data | Information, including sensitive data, linked or reasonably linkable to an identified or identifiable individual. This includes pseudonymous data when it can be linked to an individual using additional information. It does not include deidentified data or publicly available information. |
Sensitive Data | Specific personal data categories including racial or ethnic origin, religious beliefs, health diagnoses, sexual orientation, citizenship status, genetic or biometric data used for identification, data from children, and precise geolocation details. |
Deidentified Data | Data that cannot reasonably be linked to an identified or identifiable individual or a device linked to that individual. |
Controller | An individual or entity that determines the purpose and means of processing personal data, alone or jointly with others. |
Processor | A person or entity that processes personal data on behalf of a controller. |
Profiling | Automated processing of personal data to evaluate, analyse, or predict aspects related to an individual's economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements. |
Publicly Available Information | Information lawfully made available through government records or widely distributed media. This includes information a consumer has intentionally made public, unless restricted to a specific audience. |
Sale of Personal Data | The sharing, disclosing, or transferring of personal data for monetary or valuable consideration by the controller to a third party. Exceptions include disclosures to processors, disclosures for requested services, transfers to affiliates, public information disclosures, and transfers as part of mergers or acquisitions. |
To better understand the intricacies of the definitions above, let's dive into a practical case:
Imagine a company called HealthTech Solutions, a healthcare technology firm that manages an online platform for patient health records, appointments, and provider communications. To provide their services, they need to collect regular personal data, which includes names, email addresses, and phone numbers. They also need to collect sensitive data, which includes health diagnoses, genetic data, and biometric data (e.g., fingerprints). Additionally, if they are treating children and processing their data, it is also considered sensitive personal data. When they are collecting, storing, using, sharing, or deleting data, they are processing personal data, which encompasses all operations on this type of information. In this case, HealthTech Solutions is the controller because they determine the purposes and means of processing the personal data, making them responsible for compliance and data protection. If they hire CloudSafe Inc., a third-party cloud service provider, this company will assume the role of processor, as it processes personal data on behalf of HealthTech Solutions. Finally, to collect health data or sensitive data in general, it is necessary to obtain consent from the consumer. This means they must provide a clear, affirmative opt-in for data collection and processing.Consumer Privacy Rights
Following the CCPA’s approach and aligning with international data protection laws like the GDPR (General Data Protection Regulation) from the European Union, the Texas Data Privacy Law outlines rights for consumers:
Right to Access | Consumers can confirm whether a controller is processing their personal data and can access that information. |
Right to Correction | Consumers can correct inaccuracies in their personal data, considering the nature of the data and the purposes of the processing. |
Right to Deletion | Consumers have the right to delete personal data that they have provided or that has been collected about them. |
Right to Portability | When data is available in a digital format, consumers can obtain a copy of their personal data in a portable and easily usable format. |
Right to Opt-Out | Consumers can opt out of the processing of their personal data for targeted advertising, the sale of personal data, or profiling those results in legal or significantly important decisions. |
Response Timeframes and Charges
Response Time: Controller must respond to consumer requests within 45 days, extendable by another 45 days if necessary.
Charges: Consumers can access their information free of charge up to twice a year. However, excessive, or repetitive requests may incur a fee.
Implement your DSAR processes today with ease Custom request forms, deadline management, reporting and much more. |
Responsibilities when acting as a Controller
When acting as a Controller, the entity has the following additional responsibilities:
Limiting Data Collection: Ensure that only data, which is adequate, relevant, and necessary for the disclosed purposes is collected. This means being precise about what is gathered and why.
Maintaining Data Security: Implement robust administrative, technical, and physical security measures proportionate to the sensitivity and volume of the data handled.
Conducting Data Protection Assessments: Annually assess processes like targeted advertising and sensitive data processing to identify and mitigate potential risks.
Managing Consumer Privacy Rights Requests: Provide a clear Privacy Notice that details the types of personal data processed, the purpose of processing, and how consumers can exercise their rights.
Consequences of Non-Compliance
Failing to comply with the TDPSA can have significant repercussions for businesses.
Upon identifying a violation, the Texas Attorney General’s office will issue a formal notice, providing the entity with a 30-day cure period to address and rectify the issues. This grace period is an opportunity for companies to avoid penalties by taking swift and effective corrective actions.
During this 30-day window, the entity must:
Cure the Violation: Rectify all identified issues.
Notify Affected Consumers: Inform consumers about the data privacy violation and the steps taken to address it if their contact information is available.
Update Internal Policies: Implement necessary changes to internal policies to prevent future violations.
If the entity fails to remediate the violation within the cure period, the Texas Attorney General can impose a penalty of $7,500 per violation.
This can accumulate quickly, especially for businesses handling large volumes of personal data, leading to substantial financial burdens and potential damage to the company's reputation.
Start your TDPSA Compliance journey today with Palqee The #1 platform to operationalise Privacy and Data Governance |
Comments