Texas Data Privacy And Security Act (“Act”) (effective July 1, 2024)[1]
The Act grants Texas residents several key rights over their personal data. It also establishes privacy protection safeguards which apply to companies that “conduct business in [Texas] or produce a product or service consumed by residents of [Texas]” and that collect, use, store, sell, share, analyze, or process consumers’ personal data. “Personal data” generally means any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual.
Small businesses (as defined by the federal Small Business Administration) are generally exempt from the Act, except that if a small business sells the sensitive data of a consumer, it must first obtain the consumer’s consent. “Sensitive data” includes precise geolocation data and also the personal data of a child under the age of 13.
Overview Of The Texas Data Privacy And Security Act
This overview is for informational purposes only and is not legal advice. Please consult your attorney if you have specific legal questions. Texas law prohibits the Office of the Attorney General from providing legal advice, opinions, or representation to private individuals.
Consumer Rights Under The Act Include:
- Right to know whether a company is processing the consumer’s personal data and to obtain the personal data in a readable format;
- Right to correct inaccuracies in the consumer’s personal data, taking into account the nature of the data and the purposes for processing the data;
- Right to delete personal data provided by or obtained about the consumer;
- Right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision made by the company concerning the consumer that results in the provision or denial by the company of the following:
  - financial and lending services;
  - housing, insurance, or health care services;
  - education enrollment;
  - employment opportunities;
  - criminal justice; or
  - access to basic necessities, such as food and water.
CONTROLLERS (AS DEFINED BY THE ACT) ARE RESPONSIBLE FOR RESPONDING TO CONSUMER REQUESTS TO EXERCISE THEIR RIGHTS AND MUST COMPLY WITH THE REQUIREMENTS AND PROHIBITIONS OF THE ACT. THESE INCLUDE:
- Providing consumers with a reasonably accessible and clear Privacy Notice with all required disclosures including:
  - the categories of personal data processed by the controller (including any sensitive data) and the purpose of processing such data;
  - the categories of personal data that the controller shares with third parties (if any);
  - the categories of third parties with whom the controller shares personal data (if any);
  - how consumers may exercise their rights under the Act including a description of the methods through which consumers can submit requests to exercise their rights under the Act and how to appeal a controller’s decisions; and
  - if the company sells Sensitive Personal Data or Biometric Data, the Privacy Notice must include specific disclosures mandated by the Act.

  Companies that operate exclusively online and have a direct relationship with a consumer are required only to provide an email address for the submission of requests.
- Responding to an authenticated consumer’s request to exercise any right without undue delay but no later than 45 days after receiving the request.

  The time period to substantively respond to a request may be extended by an additional 45 days when reasonably necessary – provided the company responds within the initial 45 days and provides a reason for the extension.

  A company’s response to a consumer request must be free of charge, up to twice annually per consumer – unless the request is unfounded, excessive, or repetitive, in which case the consumer may be charged a reasonable administrative cost.

  A company that declines a consumer’s request must provide the consumer with notice of that decision, including a justification for the declination and instructions on how to appeal the decision.
- Establishing a process for consumers to appeal the company’s decisions. If the company denies an appeal, the company must provide the consumer with information regarding how to submit a complaint regarding the matter to the Texas Attorney General.
- Establishing, implementing, and maintaining reasonable data security practices to protect the confidentiality, integrity, and accessibility of personal data.
- Implementing reasonable measures to ensure deidentified data cannot be associated with an individual; publicly committing to maintain and use the data without attempting to reidentify the data; and contractually obligating recipients of the data to comply with the Act.
- Entering into data processing contracts with data processors which include all elements required by the Act, including requiring the processor to impose on its sub-processors the rights and obligations of the controller’s data processing contract.
- Conducting data protection assessments for certain processing activities, including processing for purposes of targeted advertising; the sale of personal data; processing for purposes of profiling when profiling presents certain “reasonably foreseeable risk[s]”; processing of sensitive data; and any processing that “present[s] a heightened risk of harm to consumers.”

  Data protection assessments must be made available to the Texas Attorney General and are exempt from disclosure under the Texas Public Information Act. Disclosure of an assessment to the Texas Attorney General does not constitute a waiver of the attorney-client or work-product privilege.
Prohibitions
- Requiring a consumer to create a new account in order to submit requests to exercise rights;
- Discriminating against a consumer for exercising rights under the Act, including by charging different prices, denying goods or services, or providing a different level of quality of goods or services;
- Processing sensitive data without first obtaining a consumer’s consent;
- Processing the data of a known child without first obtaining parental consent;
- Processing data in violation of state and federal laws which prohibit unlawful discrimination; or
- Processing personal data for a purpose that is neither reasonably necessary to nor compatible with the disclosed purpose for which the personal data is processed, as disclosed to the consumer, without first obtaining the consumer’s consent.
PROCESSORS (PERSONS THAT PROCESS DATA ON BEHALF OF AND UNDER THE DIRECTION OF A CONTROLLER) MUST COMPLY WITH THE REQUIREMENTS AND PROHIBITIONS OF THE ACT INCLUDING:
- Adhering to a controller’s instructions; and
- Assisting the controller in complying with the controller’s duties under the Act – including by assisting the controller in responding to consumer rights requests, assisting with the requirement relating to the security of processing personal data, and providing the controller with information necessary to conduct Data Protection Assessments.
Enforcement
- The Texas Attorney General has exclusive authority to enforce the Act, and may issue civil investigative demands, and file enforcement actions to obtain civil penalties, injunctive relief, attorney’s fees, and costs.
- Prior to filing an enforcement action, the Texas Attorney General must provide a written notice of violation and allow a company 30 days in which to cure the noticed violations. The company must provide a written statement and supporting documentation evidencing that the violations were cured. The written documentation must include whether changes to internal policies were necessary to ensure that no future violations occur.
- A company that violates the Act following the cure period or that breaches a written statement provided to the Attorney General is liable for a civil penalty of up to $7,500 per violation.
- The Act does not provide a private right of action.
- File a consumer complaint regarding the Texas Data Privacy and Security Act with the Texas Attorney General.
Exemptions
- The Act exempts six types of entities: state agencies and political subdivisions of the state, financial institutions governed by the Gramm-Leach-Bliley Act (“GLB”), entities governed by the Health Insurance Portability and Accountability Act (“HIPAA”), nonprofit organizations, and institutions of higher education.
- The Act also exempts certain types of information, including information governed by GLB, HIPAA, the Fair Credit Reporting Act (“FCRA”), the Family Educational Rights and Privacy Act (“FERPA”), Driver’s Privacy Protection Act, Farm Credit Act, and certain other types of personal data and employment-related information. The Act also does not apply to the processing of personal data by an individual for personal or household activities.
Key Definitions Include: