Shielding Privacy in Texas: Understanding TDPSA
In the Lone Star State, it’s often said that “Everything is Bigger in Texas”, well that now applies to the Texas Data Privacy and Security Act (TDPSA). In an era of increasing concern over data privacy, Texas has taken a proactive step toward protecting its residents’ personal information. Enacted to enhance data privacy and bolster cybersecurity measures, the TDPSA brings Texas in line with other states’ efforts to safeguard personal information.
What is Texas’s TDPSA?
The TDPSA is a comprehensive data privacy law enacted by the state of Texas. It aims to protect the personal information of Texas residents and ensure businesses adopt robust data protection measures to safeguard sensitive data. By setting clear guidelines and requirements, the TDPSA seeks to enhance transparency, accountability, and consumer rights.
TDPSA Key Areas of Focus
The TDPSA places significant importance on protecting the privacy of Texas residents. The law empowers individuals by granting them rights over their personal information and requiring businesses to be transparent about data collection and usage. With enhanced privacy measures in place, consumers can have more control over their personal data.
The TDPSA introduces several important provisions that strengthen data privacy and security within Texas. Here are some key aspects of the law:
Who Must Comply with TDPSA
Texas’s TDPSA applies to businesses that collect, use, or share the personal information of Texas residents. Specifically, a business is subject to the TDPSA if it:
- Conducts business in Texas
- Targets its products or services to residents of Texas
- Collects personal information of Texas residents
The law does exclude “small businesses” based on the criteria defined by the US Small Business Administration (SBA), with the exception the small business does not engage in the sale of sensitive data without explicit consent.
The TDPSA identifies specific categories of sensitive personal information, such as name, address, Social Security numbers, financial account details, and biometric data. It imposes additional obligations and safeguards for the handling of this sensitive information.
It is vital for businesses to understand whether they are subject to the TDPSA and to take the necessary steps to comply with the law. Failure to comply with the TDPSA can result in significant legal and financial consequences, including fines and legal action by the Texas Attorney General’s Office.
Preparations for TDPSA Compliance
Texas Data Privacy and Security Act was passed on On May 28, 2023, which makes it the sixth state to pass a comprehensive data privacy law this year. If signed into law, the Act would take effect on July 1, 2024.
Compliance with the TDPSA is crucial for businesses operating in Texas. Failing to meet the requirements of the law can lead to significant penalties and reputational damage. Here are some essential considerations to achieve compliance:
- Build a data inventory: Businesses must identify all the personal information of Texas residents collected, stored, and used, and determine the purpose of the data.
- Provide privacy policies and notices: Businesses should develop clear and concise privacy policies that outline data collection, use, and sharing practices. They must also provide individuals with clear notices regarding their rights and how their personal information is handled.
- Conduct risk assessments: Businesses must conduct regular risk assessments to identify vulnerabilities and address them promptly.
Apply Data Minimization Principles: Businesses should limit data collection to what is “adequate, relevant, and reasonably necessary” to achieve the purposes of collection disclosed to a consumer. - Enable consumer rights: Businesses must provide consumers with the rights outlined under the TDPSA, including the right to access, correct, and delete their personal information.
- Implement security requirements: The TDPSA emphasizes the importance of implementing reasonable security measures to protect personal information from unauthorized access, acquisition, or disclosure. It requires businesses to assess and mitigate cybersecurity risks, implement safeguards, and conduct regular vulnerability testing. This may involve implementing encryption, access controls, employee training programs, and incident response plans.
- Data breach response: In the event of a data breach, businesses must act swiftly to investigate, mitigate, and notify affected individuals and the Texas Attorney General. The TDPSA outlines the content and timing of breach notifications, ensuring that individuals are informed about potential risks and can take appropriate actions. Having a well-defined incident response plan is essential to minimize the impact of a breach.
TDPSA Consumer Rights:
The TDPSA grants Texas residents specific rights over their personal information, including:
- The right to know what personal information businesses are collecting
- The right to access and obtain a copy of their personal information
- The right to request for their personal information to be deleted
- The right to opt-out of the sale of their personal information, profile, and targeted advertising
- The right to have their personal information corrected, changed, or updated.
- The right to receive notification of data breaches that expose their personal information.
- The right to appeal a business’s refusal to respond to a request
- The right to file a complaint with the Texas Attorney General’s Office if they believe their data privacy rights have been violated.
Businesses are required to respond to consumer data requests within 45 days, there is a possibility of a 45-day extension when reasonably necessary.
The legislation also requires controllers to implement opt-out preference signals by January 1, 2025.
TDPSA Enforcement
The Texas Attorney General’s Office has exclusive rights to enforce Texas’s TDPSA. The office has the authority to investigate complaints and violations of the law and to bring legal action against businesses that fail to comply with the law. The Attorney General can impose a fine of up to $7,500 for each violation.
The TDPSA provides a 30-day right to cure violations when a written notice is received from the Attorney General. But unlike other state laws, the right to cure will not be sunsetted and will remain a part of the law indefinitely. Additionally, the law doesn’t include a private right of action.
BigID’s Approach to Achieving TDPSA Compliance
BigID helps organizations proactively prepare for the Texas Data Privacy and Security Act (TDPSA) to achieve compliance with its automated privacy management platform.
- Discover your data: BigID provides deep data discovery and classification, mapping data flows, and data lineage tracking to gain full visibility on personal information that is subject to TDPSA regulations.
- Automate DSARs: BigID manages data subject requests, such as access, deletion, and correction requests, by automating the fulfillment process and providing a centralized dashboard for tracking and reporting.
- Data Minimization and Retention: BigID’s Data Retention App applies data minimization principles by identifying and categorizing unnecessary or excessive personal data. It assists in defining appropriate data retention periods and implementing policies to manage data retention and disposal.
- Implement Automated Data Protection Controls: BigID provides automated data protection controls to enforce data access controls, data encryption, and other security measures. It helps organizations implement technical and organizational safeguards to protect personal data, which is crucial for TDPSA compliance.
- Assess Risk with PIA Assessments: BigID offers automated privacy impact assessments, data inventory reports, and remediation plans to identify risks to help organizations ensure compliance with TDPSA.
- Data Breach Readiness and Response: BigID’s Breach Data Investigation App assists organizations in data breach readiness and response. It helps detect and investigate data breaches, facilitating prompt incident response and notification to relevant authorities and affected data subjects. This capability supports TDPSA’s requirements for timely breach detection and notification.
Schedule a 1:1 demo to see how BigID can accelerate your TDPSA compliance today.