The Lone Star State joined nine other states with comprehensive data privacy laws last week when Governor Greg Abbot signed the Texas Data Privacy and Security Act (TDPSA).
The TDPSA largely follows the Virginia model where requirements for controllers, and consumer privacy rights are concerned, though it differs with regards to who it does not apply to. Under the TDPSA, state agencies or political subdivisions of the state are exempt, as are non-profit organizations, institutions of higher learning, power generation companies, and retail electric providers.
There is also no applicability for the data collected, processed, or maintained in the context of employment, this includes data "processed or maintained and is necessary to retain or administer benefits for another individual that relates to an individual (in employment context) and used for the purposes of administering those benefits."
The TDPSA defines personal data as "any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual", however, the scope of what is considered sensitive data is limited to information that may reveal: ethnic origin or race, mental or physical health diagnoses, sexuality, citizenship or immigration status, religious beliefs, genetic or biometric data that is processed for the purpose of uniquely identifying an individual, personal data of a known child and precise geolocation.
Many of the same provisions that exist in other data privacy laws apply in the TDPSA as well, such as limiting controllers' data collection "to what is adequate, relevant, and reasonably necessary in relation to the purpose for which that personal data is processed;” and “shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices." Consumers have the right to confirm, correct, and delete data, and obtain a copy of their data. The opt-out rights include targeted advertising, the sale of personal data, and "profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer."
The law will take effect July 1, 2024, with an additional deadline for universal opt-out signal support of January 1, 2025.
Sources: