Texas Data Privacy And Security Act

The Texas Data Privacy and Security Act (“Act”) (effective July 1, 2024)[1] grants Texas residents several key rights over their personal data. It also establishes privacy protection safeguards that apply to companies that “conduct business in [Texas] or produce a product or service consumed by residents of [Texas]” and that collect, use, store, sell, share, analyze, or process consumers’ personal data. “Personal data” generally means any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual.

Small businesses (as defined by the federal Small Business Administration) are generally exempt from the Act, except that if a small business sells the sensitive data of a consumer, it must first obtain the consumer’s consent. “Sensitive data” includes precise geolocation data and also the personal data of a child under the age of 13.

Read the full text of the Act

Overview Of The Texas Data Privacy And Security Act

This overview is for informational purposes only and is not legal advice. Please consult your attorney if you have specific legal questions. Texas law prohibits the Office of the Attorney General from providing legal advice, opinions, or representation to private individuals.

Consumer Rights Under The Act Include:

  • Right to know whether a company is processing the consumer’s personal data and to obtain the personal data in a readable format;
  • Right to correct inaccuracies in the consumer’s personal data, taking into account the nature of the data and the purposes for processing the data;
  • Right to delete personal data provided by or obtained about the consumer;
  • Right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision made by the company concerning the consumer that results in the provision or denial by the company of the following:
    • financial and lending services;
    • housing, insurance, or health care services;
    • education enrollment;
    • employment opportunities;
    • criminal justice; or
    • access to basic necessities, such as food and water.
  • Right to not face retaliation or discrimination for exercising these rights. 

CONTROLLERS (AS DEFINED BY THE ACT) ARE RESPONSIBLE FOR RESPONDING TO CONSUMER REQUESTS TO EXERCISE THEIR RIGHTS AND MUST COMPLY WITH THE REQUIREMENTS AND PROHIBITIONS OF THE ACT. THESE INCLUDE:

  • Providing consumers with a reasonably accessible and clear Privacy Notice with all required disclosures, including:
    • the categories of personal data processed by the controller (including any sensitive data) and the purpose of processing such data;
    • the categories of personal data that the controller shares with third parties (if any);
    • the categories of third parties with whom the controller shares personal data (if any);
    • how consumers may exercise their rights under the Act, including a description of the methods through which consumers can submit requests to exercise their rights under the Act and how to appeal a controller’s decisions; and
    • if the company sells sensitive personal data or biometric data, the specific disclosures mandated by the Act:
      • NOTICE: We may sell your sensitive personal data.
      • NOTICE: We may sell your biometric data.
    • Companies that sell personal data to third parties or process such data for targeted advertising must also clearly and conspicuously disclose that, as well as the manner in which a consumer may exercise their right to opt out of that processing.
  • Limiting their collection of personal data to “what is adequate, relevant, and reasonably necessary in relation to” the purposes for which the personal data is processed, as disclosed to the consumer.
  • Establishing two or more secure and reliable methods to enable consumers to submit requests to exercise their rights under the Act.

Companies that operate exclusively online and have a direct relationship with a consumer are required only to provide an email address for the submission of requests.

  • Responding to an authenticated consumer’s request to exercise any right without undue delay but no later than 45 days after receiving the request. 

The time period to substantively respond to a request may be extended by an additional 45 days when reasonably necessary – provided the company responds within the initial 45 days and provides a reason for the extension.

A company’s response to a consumer request must be free of charge, up to twice annually per consumer – unless the request is unfounded, excessive, or repetitive, in which case the consumer may be charged a reasonable administrative cost. 

A company that declines a consumer’s request must provide the consumer with notice of that decision, including a justification for the declination and instructions on how to appeal the decision.

  • Establishing a process for consumers to appeal the company’s decisions. If the company denies an appeal, the company must provide the consumer with information regarding how to submit a complaint regarding the matter to the Texas Attorney General. 
  • Establishing, implementing, and maintaining reasonable data security practices to protect the confidentiality, integrity, and accessibility of personal data.
  • Implementing reasonable measures to ensure deidentified data cannot be associated with an individual; publicly committing to maintain and use the data without attempting to reidentify the data; and contractually obligating recipients of the data to comply with the Act.
  • Entering into data processing contracts with data processors which include all elements required by the Act, including requiring the processor to impose on its sub-processors the rights and obligations of the controller’s data processing contract. 
  • Conducting data protection assessments for certain processing activities, including processing for purposes of targeted advertising; the sale of personal data; processing for purposes of profiling when profiling presents certain “reasonably foreseeable risk[s]”; processing of sensitive data; and any processing that “present[s] a heightened risk of harm to consumers.” 

Data protection assessments must be made available to the Texas Attorney General and are exempt from disclosure under the Texas Public Information Act. Disclosure of an assessment to the Texas Attorney General does not constitute a waiver of the attorney-client or work product privilege.

Prohibitions

  • Requiring a consumer to create a new account in order to submit requests to exercise rights;
  • Discriminating against a consumer for exercising rights under the Act, including by charging different prices, denying goods or services, or providing a different level of quality of goods or services;
  • Processing sensitive data without first obtaining a consumer’s consent; 
  • Processing the data of a known child without first obtaining parental consent; 
  • Processing data in violation of state and federal laws which prohibit unlawful discrimination; or 
  • Processing personal data for a purpose that is neither reasonably necessary to nor compatible with the purpose for which the personal data is processed, as disclosed to the consumer, without first obtaining the consumer’s consent.

PROCESSORS (PERSONS THAT PROCESS DATA ON BEHALF OF AND UNDER THE DIRECTION OF A CONTROLLER) MUST COMPLY WITH THE REQUIREMENTS AND PROHIBITIONS OF THE ACT INCLUDING: 

  • Adhering to a controller’s instructions; and 
  • Assisting the controller in complying with the controller’s duties under the Act – including by assisting the controller in responding to consumer rights requests, assisting with the requirement relating to the security of processing personal data, and providing the controller with information necessary to conduct Data Protection Assessments. 

Enforcement

  • The Texas Attorney General has exclusive authority to enforce the Act and may issue civil investigative demands and file enforcement actions to obtain civil penalties, injunctive relief, attorney’s fees, and costs.
  • Prior to filing an enforcement action, the Texas Attorney General must provide a written notice of violation and allow a company 30 days in which to cure the noticed violations. The company must provide a written statement and supporting documentation evidencing that the violations were cured. The written documentation must include whether changes to internal policies were necessary to ensure that no future violations occur.
  • A company that violates the Act following the cure period or that breaches a written statement provided to the Attorney General is liable for a civil penalty of up to $7,500 per violation.
  • The Act does not provide a private right of action. 
  • File a consumer complaint regarding the Texas Data Privacy and Security Act with the Texas Attorney General.

Exemptions

  • The Act exempts six types of entities: state agencies and political subdivisions of the state, financial institutions governed by the Gramm-Leach-Bliley Act (“GLB”), entities governed by the Health Insurance Portability and Accountability Act (“HIPAA”), nonprofit organizations, and institutions of higher education. 
  • The Act also exempts certain types of information, including information governed by GLB, HIPAA, the Fair Credit Reporting Act (“FCRA”), the Family Educational Rights and Privacy Act (“FERPA”), the Driver’s Privacy Protection Act, the Farm Credit Act, and certain other types of personal data and employment-related information. The Act also does not apply to the processing of personal data by an individual for personal or household activities.

Key Definitions Include:

  • “PERSONAL DATA” means any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. This term includes pseudonymous data when the data is used in conjunction with additional information that reasonably links the data to an identified or identifiable individual. Publicly available information and deidentified data are not “personal data.”
  • “SENSITIVE DATA” is a subset of personal data that includes: 
    • Any data revealing racial or ethnic origins, religious beliefs, mental or physical health conditions or diagnoses, sexuality, citizenship, or immigration status;
    • Genetic or biometric data processed to uniquely identify an individual;
    • Personal data of a child under the age of 13; and
    • Precise geolocation data (information that identifies an individual’s specific location with a defined degree of precision and accuracy). 
  • “BIOMETRIC DATA” means data generated by automatic measurements of an individual’s biological characteristics. It does not include a physical or digital photograph, a video or audio recording or data generated from such a recording, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.
  • “DEIDENTIFIED DATA” means data that cannot reasonably be linked to an identified or identifiable individual, or a device linked to that individual. 
  • “CHILD” means an individual younger than 13 years of age, and “known child” means a child under circumstances where a controller has actual knowledge of, or willfully disregards, the child’s age.
  • “CONSENT” means a consumer’s freely given, informed, and unambiguous agreement; it does not include agreements obtained through the use of dark patterns or by acceptance of broad, general terms, or by hovering over, pausing, or closing a given piece of content.
  • “SALE” of data means sharing, disclosing, or transferring data for monetary or other valuable consideration. Certain types of disclosures or transfers which are not deemed a sale include: disclosing the data to a third party in order to provide a product or service requested by the consumer; the disclosure of information that the consumer intentionally made available through a mass media channel and did not restrict to a specific audience; and disclosure to a third party as an asset that is part of a merger or acquisition. 

Effective Date: July 1, 2024


[1] Tex. Bus. & Com. Code Ann. § 541.001 et seq.