The Texas Data Privacy and Security Act (TDPSA) safeguards the personal data of Texas residents, affecting businesses that collect and process sensitive information. The TDPSA applies to entities that annually earn $25 million or more in gross revenue.
The TDPSA took effect on September 1, 2023, and applies once a business collects the data of 100,000 or more Texas residents.
TDPSA Structure
The TDPSA is codified under Texas Business and Commerce Code, Chapter 611, which outlines the rights of Texas residents regarding their personal data, including the right to opt-out of data collection and the right to access their data. The statute defines “personal data” as information that identifies or could be used to identify an individual, with a specific focus on data that is collected for $50 or more per transaction. In plain terms, this means that businesses must provide clear notice to consumers about the data being collected and how it will be used, within 30 days of collection.
This is where the law gets teeth, as the TDPSA requires businesses to implement reasonable security practices to protect personal data, including encryption and secure storage, with a 60-day time limit for implementing these measures after a data breach. The TDPSA also provides for a private right of action, allowing individuals to sue for $1,000 or more in damages if their rights are violated.
In practice, this means that businesses must conduct regular security audits and risk assessments, at a cost of $5,000 or more per audit, to ensure compliance with the TDPSA, and maintain records of these audits for at least 2 years.
Opt-Out Rules
Consumer Rights
Under the TDPSA, consumers have the right to opt-out of the sale of their personal data, with a specific focus on data that is sold for $100 or more per transaction. Businesses must provide a clear and conspicuous opt-out notice, which must include a “do not sell my personal data” link, within 10 days of the initial data collection.
The opt-out notice must be provided in a format that is easy to read and understand, with a font size of at least 12 points, and must include a statement indicating that the consumer has the right to opt-out of the sale of their personal data, with a deadline of 30 days for the business to respond to the opt-out request.
Business Obligations
Businesses that collect and sell personal data must comply with the opt-out requests, with a time limit of 15 days to cease selling the consumer’s data, and must provide notice to third parties to whom the data was sold, within 45 days of the opt-out request. In plain terms, this means that businesses must have a process in place to handle opt-out requests, including a system for tracking and verifying requests, with a cost of $10,000 or more to implement.
This is where the law gets teeth, as businesses that fail to comply with opt-out requests may be liable for $5,000 or more in damages per violation, with a statute of limitations of 2 years for bringing a claim.
Enforcement
The Texas Attorney General’s office is responsible for enforcing the TDPSA, with the authority to impose civil penalties of up to $2,500 per violation, and to bring actions for injunctive relief, with a filing fee of $500 or more. The Attorney General’s office may also investigate complaints and conduct audits to ensure compliance, with a time limit of 60 days to complete the investigation.
In practice, this means that businesses must cooperate with investigations and provide requested information, including documents and records, within 30 days of the request, and must maintain records of their compliance with the TDPSA, including opt-out requests and responses, for at least 3 years.
Legal Process
Individuals who believe their rights under the TDPSA have been violated may file a complaint with the Texas Attorney General’s office, with a filing fee of $100 or more, and must provide documentation to support their claim, including records of opt-out requests and responses, within 60 days of filing the complaint. The Attorney General’s office will investigate the complaint and may bring an action on behalf of the individual, with a time limit of 120 days to resolve the complaint.
The TDPSA also provides for a private right of action, allowing individuals to sue for $1,000 or more in damages if their rights are violated, with a statute of limitations of 2 years for bringing a claim; individuals must also provide notice to the Attorney General’s office within 30 days of filing the lawsuit.
Penalties and Consequences
Businesses that violate the TDPSA may be subject to civil penalties of up to $2,500 per violation, with a maximum penalty of $7,500 per year, and may also be liable for damages, including $1,000 or more per violation, with a statute of limitations of 2 years for bringing a claim. In plain terms, this means that businesses must take the TDPSA seriously and ensure compliance to avoid significant financial penalties, with a cost of $50,000 or more to implement compliance measures.
This is where the law gets teeth, as the TDPSA also provides for injunctive relief, which may include a court order requiring the business to cease selling personal data or to implement specific security measures, with a time limit of 60 days to comply with the order, and may also result in reputational damage and loss of customer trust, with a potential loss of $100,000 or more in revenue.
Comparison to Other States
The TDPSA is similar to other state data privacy laws, such as the California Consumer Privacy Act (CCPA), which also provides for a private right of action and imposes civil penalties for non-compliance, with a maximum penalty of $7,500 per year. The TDPSA is also similar to the Virginia Consumer Data Protection Act (VCDPA), which requires businesses to implement reasonable security practices and provides for a private right of action, with a statute of limitations of 2 years for bringing a claim.
In practice, this means that businesses that operate in multiple states must comply with multiple data privacy laws, including the TDPSA, CCPA, and VCDPA, with a cost of $20,000 or more to implement compliance measures, and must ensure that their data collection and security practices meet the requirements of each state, with a time limit of 60 days to implement changes.
Practical Steps
Businesses that collect and sell personal data must take practical steps to comply with the TDPSA, including implementing reasonable security practices, providing clear notice to consumers, and honoring opt-out requests, with a cost of $10,000 or more to implement. In plain terms, this means that businesses must have a process in place to handle opt-out requests, including a system for tracking and verifying requests, with a deadline of 30 days to respond to opt-out requests.
This is where the law gets teeth, as businesses that fail to comply with the TDPSA may be subject to significant financial penalties, including $5,000 or more in damages per violation, with a statute of limitations of 2 years for bringing a claim, and must also cooperate with investigations and provide requested information, including documents and records, within 60 days of the request.
Recent Changes and Legislative Status
The TDPSA has undergone recent changes, including amendments to the opt-out notice requirements and the addition of new exemptions for certain types of data, with an effective date of January 1, 2024. The Texas Legislature has also introduced new bills to further regulate data privacy, including HB 1111, which would impose stricter security requirements on businesses, with a filing fee of $500 or more, and would also provide for a private right of action, with a statute of limitations of 2 years for bringing a claim.
In plain terms, this means that businesses must stay up-to-date on the latest developments and ensure compliance with the TDPSA and any new regulations, with a cost of $20,000 or more to implement compliance measures, and must also be prepared to adapt to changing regulatory requirements, with a time limit of 60 days to implement changes, and must also maintain records of their compliance with the TDPSA, including opt-out requests and responses, for at least 3 years.
