Texas is the fifth U.S. state that signed a data privacy bill into law this year. The Texas Data Privacy and Security Act (TDPSA) will go into effect on July 1, 2024. Read this blog post to learn how Ethyca can help you comply with privacy in the Lone Star State.
The next U.S. state privacy law we’re covering is the Texas Data Privacy and Security Act (TDPSA).
The governor of Texas signed HB 4 on June 15, 2023. TDPSA is scheduled to go into effect on July 1, 2024, giving businesses about a year to prepare for compliance in the Lone Star State.
If your business has already been preparing for the other state privacy laws that are going into effect this year, or that have just been passed or signed into law, you already have a great head start in setting your business up for Texas’ privacy law.
Still, TDPSA has its own unique provisions that businesses must consider before lawfully collecting and processing the personal data of Texans.
Let’s go over what your business needs to know and do to comply with Texas’ new privacy law.
Texas’s privacy law applies to businesses (controllers) that meet all three of the following criteria:
These conditions are different from those found in Iowa, Indiana, Montana, and Tennessee’s privacy laws. Instead of basing applicability on the amount of personal data processed by a company or on a revenue threshold, TDPSA uses these broad conditions to determine who’s subject to the law.
If your business fulfills all of the criteria above, you can use the steps in this article to prepare for TDPSA compliance.
If your business is subject to Texas’s privacy law, you’ll need to enable Texan consumers to exercise their data subject and consent rights. You’ll also need to know how the law is enforced and the consequences of privacy violations. This section will cover these things in more detail.
TDPSA grants Texas consumers data subject rights, or the ability to control how companies process their personal data. These include:
Like in Iowa, Indiana, Montana, and Tennessee, Texans do not have a private right of action, so consumers cannot directly sue a company for privacy violations. Texas residents do have the ability to correct their data like in Indiana, Montana, and Tennessee, whereas Iowans do not.
Texas residents also have specific opt-out and opt-in consent rights that businesses must enable.
For opt-out consent, consumers are allowed to opt out of the processing of personal data for:
Like in Indiana and Montana, Texas’ privacy law explicitly allows consumers to opt out of targeted advertising and profiling. These rights are either unclear or unmentioned in Iowa and Tennessee’s privacy law.
Businesses also must be able to recognize universal opt-out signals on their websites by January 1, 2025, which is half a year after TDPSA goes into effect.
In terms of opt-in rights, Texas consumers have the right to opt into the processing of “sensitive data,” which includes personal data revealing:
Companies must respond to consumers’ data subject and consent requests within 45 days and can extend that period by an additional 45 days. The Attorney General has exclusive authority to enforce TDPSA and can issue notices of privacy violations or open civil investigations.
Once notified, businesses have a 30-day cure period to correct violations. If violations are not corrected on time, businesses may face a civil penalty of up to $7,500 per violation.
Now that you know what data subject and consent rights Texans have, as well as the consequences of privacy violations, let’s go over the additional business obligations required under TDPSA.
Businesses subject to Texas’ privacy law must submit a clear and accessible Privacy Notice on their website. Privacy Notices should include:
Additionally under TDPSA, if your business sells sensitive or biometric data, it must publish explicit notices. Examples from the bill include “NOTICE: This website may sell your sensitive personal data” or “NOTICE: This website may sell your biometric personal data.”
Work with your legal team to ensure that all of the above necessary information is included in your business’ privacy notice.
Texas’ privacy law also requires that businesses enter into data processing contracts with processors, i.e. entities that “process personal data on behalf of a controller.” Examples of this include third-party SaaS vendors that process and store data for your business.
These contracts should legally obligate the processor to follow the controller’s instructions and help the controller comply and demonstrate compliance with regulators. Data processing contracts should include the purpose of processing, the type of data being processed, the duration of processing, and the rights and obligations of both controllers and processors.
If your business works with processors or subcontractors that process data on your behalf, be sure to enter into a legally binding data processing contract with each of them.
As in most state privacy laws, TDPSA requires businesses to perform data protection assessments (DPAs). DPAs are meant to help businesses carefully assess the risks of processing data on the consumer and on the business itself.
These assessments should weigh the business benefits against the potential risks of the following activities:
The Attorney General can request a DPA under a civil investigative demand to determine whether a company is compliant. To make sure your business is ready for Texas regulators, conduct and document DPAs for the above processing activities.
Businesses that process de-identified and pseudonymous data must:
If your business processes de-identified and pseudonymous data, make sure the required controls and safeguards are put in place by July 1, 2024.
Although not all of TDPSA’s provisions apply to small businesses, Texas’ privacy law still mandates that small businesses, as defined by the United States Small Business Administration, may not sell sensitive data without first obtaining a consumer’s consent.
Making sure your business complies with all U.S. state privacy laws can feel overwhelming. Luckily, Ethyca makes it easy with the Fides privacy intelligence platform. With Fides, your business will be able to automate privacy obligations for all U.S. state privacy laws.
Read on to learn how.
Different U.S. state privacy laws have different consent requirements your business needs to meet. With the Fides privacy intelligence platform, your business can easily manage users’ consent preferences for any privacy law.
Your business will be able to set multiple opt-out links on your website footer, customize a Privacy Center for easy consent intake, and set single or multiple opt-in or opt-out consent preferences to comply with different state privacy laws at the same time.
Users can submit requests through a Privacy Center on your website and verify their identity via a code sent through SMS or email. With a simple and intuitive Admin UI, your business will be able to quickly process and record users’ consent preferences as proof of compliance.
All privacy regulations require businesses to fulfill data subject requests (DSRs). Unfortunately, this process is often manual, costly, and labor-intensive, and it causes lots of friction for legal, compliance, and engineering teams.
The Fides privacy intelligence platform streamlines these workflows. Your business will be able to automate DSR processing end-to-end with Fides. Users can submit DSRs via the same Privacy Center they would use to submit their consent preferences.
After DSRs are submitted, you can approve or deny them with the same Admin UI. Users will then receive an email containing a link to the data they requested in a machine-readable format or a confirmation that their data has been corrected or deleted.
Fides will also maintain a log of the requests your business has received and processed. That way, if regulators come knocking, you can prove that your business’ privacy practices are compliant.
What makes the Fides privacy intelligence platform so powerful is its ability to connect to all of your business’ internal and third-party databases and systems. Once connected, Fides will be able to produce a data map, or a real-time visualization of your organization’s data flows.
Unlike tracking data through manual spreadsheets that are out of date as soon as they are written, Fides’ automated data map will give you an accurate inventory of all the data in your systems, i.e., what the data is, where it goes, and where it’s stored.
In fact, connecting to all of your systems is how Fides can automate consent management and data subject requests in the first place. Using the Fides privacy intelligence platform will integrate privacy across your entire business. That’s the true power of privacy intelligence.
Texas follows Iowa, Indiana, Montana, and Tennessee as the fifth U.S. state to sign a privacy law in 2023. U.S. privacy is a patchwork of state-by-state laws, and more are constantly on the way. Your business needs to keep an eye out for all the privacy regulations emerging at the state level.
Thankfully, you don’t have to do it alone. Ethyca is here to help your business fulfill its privacy obligations every step of the way. If you have any questions about new or existing privacy laws, schedule a free 15-minute consultation today to get privacy intelligence and expertise.