2024 Q2 Compliance Update
Texas is one of the latest states to enact its own data protection law. Signed into law in 2023, the law will take effect July 1, 2024, with an additional grace period for applicable businesses to ensure compliance with the new regulations by January 1, 2025. Much of the Texas Data Privacy and Security Act (“TDPSA”) follows the same key elements we’ve already seen from other states that have enacted data privacy laws. However, there are some differences to note as well. Below is an overview highlighting the key points to be aware of.
Applicability
One of the biggest differences that sets the TDPSA apart from other data privacy laws is its business threshold. While other states have defined thresholds based on revenue or volume of data processing, the TDPSA uses an entirely new set of guidelines for businesses to determine whether the act applies to them.
If a business meets any of the following criteria, the TDPSA may apply to them:
- Conducts business in the state of Texas and/or creates products or services consumed by Texas residents.
- Engages in the sale of personal consumer data.
- Is NOT defined as a small business under the guidelines of the United States Small Business Administration (SBA).
There are the usual exceptions, such as financial institutions and healthcare organizations, but the small business provision is the first of its kind among state data privacy bills and will impact many companies doing business in Texas.
Key Definitions
There are several terms in the TDPSA to note. While many of them come from previous data privacy bills, it’s important to understand Texas’ own interpretations of these terms.
- Personal data means: “any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by the controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. This does not include deidentified data or publicly available information.”
- Sensitive data means: “a category of personal data. The term includes:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status;
- Genetic or biometric data that is processed for the purpose of uniquely identifying an individual;
- Personal data collected from a known child or;
- Precise geolocation data.”
- Controller means: “an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data.”
- Processor means: “a person that processes personal data on behalf of a controller.”
- Consumer means: “an individual who is a resident of this state acting only in an individual or household context. The term does not include an individual acting in a commercial or employment context.”
Texas has included pseudonymous data in its definition of personal data, unlike other states with data privacy bills.
Requirements under the TDPSA
Data controllers cannot do the following under the TDPSA:
- Collect personal data from a consumer for undisclosed reasons without consent.
- Discriminate against consumers for exercising their rights.
- Process data without consent.
- Process the personal data of a known child.
Data controllers must adhere to the following requirements as well:
- Provide a clear and accessible privacy notice.
- Provide notice if they sell sensitive or biometric data.
- Gain consent before processing sensitive personal data.
- Disclose if they sell sensitive personal data for targeted advertising.
- Provide an opt-out mechanism for consumers for targeted advertising.
Another area where the TDPSA differs from other privacy laws: businesses that engage in the sale of sensitive data or biometric information will be required to place the following disclosure in their privacy notice, or in the same place as their privacy notice: “NOTICE: We may sell your sensitive (or biometric) personal data.”
Please note that all Entrata clients will need to create and display their own privacy notice, if they have not done so already. For assistance in getting this started, you can find our privacy notice guide in the Entrata Help Center: “Setting Up Contact Methods and Privacy Policies”.
Consumer Rights
Like other states with data privacy laws, Texas has granted its residents similar consumer rights regarding their personal information, including:
- Right to access what personal data a controller has obtained.
- Right to know if a controller is processing their personal data.
- Right to correction of any inaccuracies of personal data.
- Right to deletion of their personal data.
- Right to opt-out of processing for targeted advertising, sale of personal data, or profiling.
- Right to appeal on a consumer request.
Controllers will have 45 days to respond to a consumer request (also called a data subject access request, or DSAR), with an additional 45 days to extend when reasonably necessary.
If you have any questions on the DSAR process, you can find our DSAR guide in the Entrata Help Center: Creating and Managing Data Privacy Requests.
How Entrata Can Help with the TDPSA
Although the TDPSA is very similar to what we’ve seen in existing data privacy legislation, the key differences are notable enough to require a review of current data privacy compliance practices. Entrata’s compliance team is committed to staying up to date with the ever-changing landscape of data privacy and we encourage our clients to visit our Compliance page in the Entrata Help Center for additional resources surrounding data privacy.
For any remaining questions or concerns, please contact your Entrata representative.
Important Note: Entrata recommends that our clients consult their own legal counsel to assess the handling and applicability of this data privacy bill.