

Texas, renowned for its business-friendly environment, is now at the forefront of consumer data regulation with the introduction of the Texas Data Privacy and Security Act (TDPSA). Effective from 1st July 2024, the TDPSA stands as a landmark development in U.S. data privacy laws, echoing the European Union’s General Data Protection Regulation (GDPR) in its scope and depth.


Understanding the TDPSA: A Closer Look at Its Features

The TDPSA is modeled on Virginia’s Consumer Data Protection Act (VCDPA) but carves its niche with unique provisions and definitions. Its scope is broad, encompassing any business interacting with Texas residents or handling their personal data. Notably, the TDPSA introduces novel concepts in U.S. privacy law, such as the inclusion of pseudonymous data under personal data and a specific focus on children’s data protection.


Exclusions at the Entity Level Under the TDPSA

Under the Texas Data Privacy and Security Act (TDPSA), specific types of entities are granted exemptions. These include:

  • State-run agencies and local governmental divisions.
  • Financial entities regulated by the Gramm-Leach-Bliley Act (GLBA).
  • Entities and their business associates that are regulated by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
  • Nonprofit organisations.
  • Academic institutions at the higher education level.
  • Companies involved in electrical utilities, including power generation businesses and retail electricity providers.



Preparing for Compliance: A Roadmap for Organisations

Organisations, especially those with a global presence, must proactively integrate the TDPSA into their data privacy frameworks. Here’s a strategic approach:

  1. Applicability Assessment: Determine if your organisation falls under the TDPSA’s purview. Remember, it’s broader than many state laws, so a comprehensive review is critical.
  2. Data Inventory Management: Undertake a thorough data audit. Understand what personal data you collect, process, and share, including customer, employee, and third-party data.
  3. Privacy Notice Update: Revise your privacy notices to comply with the TDPSA. Ensure clarity and accessibility, aligning them with existing notices under other privacy laws.
  4. Consumer Rights Protocol: Develop or update processes for consumer rights compliance, including access, correction, deletion, portability, and opt-out requests.
  5. Consent and Opt-Out Systems: Implement procedures for obtaining consent, especially for sensitive data, and develop robust opt-out mechanisms.
  6. Vendor Management: Review third-party relationships to ensure compliance with the TDPSA, focusing on data protection and privacy practices.
  7. Employee Education: Conduct comprehensive training on TDPSA requirements, fostering a privacy-aware culture within your organisation.
  8. Data Minimisation Practice: Adopt a data minimisation approach, collecting only necessary data and limiting third-party sharing.
  9. Data Protection Assessments: Regularly assess data protection practices to stay aligned with evolving privacy laws and mitigate potential risks.
  10. Ongoing Compliance Monitoring: Establish processes for continuous review and updates to your privacy practices, adapting to changing legal landscapes.


Key Differences and Challenges

Organisations must note key divergences from other privacy laws, such as the broader definition of ‘sale’ and specific requirements for processing children’s data. The TDPSA’s emphasis on pseudonymous data and sensitive data, particularly biometric data, requires a nuanced understanding and strategic adjustments in data handling policies.


Handling Data from an Identified Minor under the TDPSA

The Texas Data Privacy and Security Act (TDPSA) categorises information gathered from an identified child as sensitive. It explicitly mandates that the handling of such sensitive data from a known child adheres to the Children’s Online Privacy Protection Act (COPPA) guidelines. COPPA’s primary focus is safeguarding the privacy of children below 13 years of age. In line with this, the TDPSA acknowledges adherence to COPPA, especially its stipulation for verifiable parental consent, as a criterion for compliance when processing a known child’s data.


Global Strategy Integration

Integrating the TDPSA into a global data privacy strategy demands an understanding of its interoperability with other privacy laws. While it shares similarities with laws like GDPR, unique provisions necessitate specific compliance efforts. Global businesses must harmonise their practices, ensuring that they address the nuances of each jurisdiction, including Texas.


The Texas Challenge: An Opportunity for Global Compliance Excellence

The TDPSA, by expanding the definition of personal data and focusing on children’s data, sets a new benchmark in data privacy. Organisations should view this as an opportunity to elevate their global data privacy standards, leveraging the TDPSA as a catalyst for comprehensive privacy practices that resonate across jurisdictions.


Conclusion: Embracing the TDPSA as a Keystone in Global Data Privacy

As we edge closer to the TDPSA’s enactment, it’s clear that this law is not just a regional concern but a pivotal point in the global data privacy landscape. Businesses must see this as an impetus to refine their data privacy strategies, ensuring they are not only compliant but also leaders in the realm of consumer data protection.

With the TDPSA, Texas is not just setting a standard within its borders but is influencing the global dialogue on data privacy. For organisations, this is a crucial time to reassess and strengthen their data privacy strategies, ensuring they are not just compliant with the TDPSA but are also setting a precedent in consumer data protection worldwide.