Texas Passes Data Privacy Law

11 Jul

Update applicable to:

All employers in Texas who meet the requirements

What happened?

On June 18, 2023, Governor Greg Abbott signed into law the Texas Data Privacy & Security Act (TDPSA), which will take effect on July 1, 2024. Texas will become the tenth state, and the second-largest (after California), to pass consumer data privacy legislation. Certain provisions regarding submitting requests via authorized agents will take effect on January 1, 2025.

What are the details?

The TDPSA is considered one of the most stringent state privacy laws and draws inspiration from the Virginia Consumer Data Protection Act (VCDPA) while incorporating consumer-friendly components from recently enacted laws.

What businesses are affected? Unlike the laws of other states, the TDPSA determines applicability based on whether a business conducts business in Texas, produces products or services consumed by Texas residents, processes consumer personal data, and is not classified as a “small business” according to the US Small Business Administration (SBA). The law’s unique approach to applicability may expand its reach, as it applies to companies whose products or services are consumed by Texas residents, even if not specifically targeted to the Texas market. Small businesses exempt from the TDPSA must still obtain consent before selling sensitive data.

The TDPSA includes novel obligations and definitions. For example, it explicitly includes pseudonymous data in the definition of “personal data” and broadens the definition of “sensitive data” by including “sexuality.” The law grants individuals rights such as access, correction, deletion, and obtaining a copy of their personal data, as well as the ability to opt out of data sales, targeted advertising, and profiling. Businesses must establish multiple methods for individuals to submit requests and provide clear privacy notices. Consent requirements prohibit processing sensitive data without consent and processing personal data for incompatible purposes.

Notice Requirements

The TDPSA requires businesses to provide individuals with a reasonably accessible and clear privacy notice that includes the same disclosures as required in Virginia — i.e., the categories of personal data processed, the purpose for processing, how individuals may exercise their rights and appeal decisions, the categories of personal data the business shares with third parties, and the categories of such third parties.

Additionally, the TDPSA requires businesses that sell sensitive or biometric data to post the following disclosure: “NOTICE: We may sell your [sensitive/biometric] personal data.” This notice must be posted “in the same location and in the same manner as the privacy notice,” which suggests that businesses must post this language alongside the link to the privacy notice, rather than including it as a disclosure within the privacy notice.

The TDPSA aligns with the VCDPA and other state laws in terms of response times for requests, duties imposed on processors, and data protection assessments. It will be enforced by the state attorney general, with penalties of up to $7,500 per violation. The law introduces a 30-day cure period but requires businesses to provide a written statement to the state attorney general, confirming that violations have been cured, notifying affected individuals (if possible), and providing supportive documentation.

For more information, please see the links below:

Bill Page

Texas Data Privacy and Security Act (HB 4)

Law Firm Complete Breakdown/Summaries: Article 1, Article 2, Article 3, Article 4, Article 5

Detailed Comparison of all Data Privacy Laws by State

What do employers need to do?

The true impact of the TDPSA will depend on its enforcement. Businesses that are complying with the privacy laws of other states will need to reassess components of their privacy compliance programs to ensure compliance with the TDPSA. Businesses that are not yet subject to the privacy laws of other states should carefully consider the scope of the TDPSA and exercise caution when determining applicability.

Need help understanding how changes to employment laws will affect your business?

Learn more about how Vensure's Texas PEO services can help you navigate complex employment laws and keep your business compliant.


This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.
