Texas enacts Data Privacy and Security Act

Texas Governor Greg Abbott officially enacted the Texas Data Privacy and Security Act (TDPSA), making it the tenth US state to do so. On 1 July 2024, the restrictions will go into effect, and by that time, corporations will have to abide by them.

The TDPSA is a privacy legislation that applies to companies in Texas that process or sell personal information and excludes specific categories of data, including protected health information, medical records, patient identifying information, clinical trial data, consumer report data, and employment data.

The law grants Texas residents extensive consumer rights, including the right to delete personal data, data portability, opt-out options for data sale and targeted advertising, and the right to access and correct personal information. Data minimization, security of data, equal treatment, usage limitation, and permission to process sensitive data are among the requirements that controllers must comply with. They must also provide clear and comprehensive privacy notices and conduct data protection assessments for specific processing activities.

Enforcement of the TDPSA lies with the Texas Attorney General, who can bring an enforcement action after a 30-day cure period. The law does not provide for a private right of action. Violations can incur statutory fines of up to US$7,500 per offense, and alleged offenders must provide tangible evidence of remediation to prevent further violations. Businesses operating in Texas should be aware of the TDPSA’s expansive applicability and stringent requirements to avoid penalties and ensure compliance with this comprehensive privacy law.