
Understanding the Texas Data Privacy and Security Act

Maria Jose Castro L

Mar 08, 2024

Acknowledging the rising importance of data privacy and consumers’ rights, the state of Texas took a significant step forward in 2023 with the enactment of the Texas Data Privacy and Security Act (TDPSA). Scheduled to come into effect in July 2024, with certain provisions set for January 2025, the TDPSA is a response to growing concerns over data misuse and breaches. The act is significant because it represents Texas's commitment to enhancing data protection for its residents.

The TDPSA outlines clear guidelines for businesses regarding the collection, handling, and sharing of personal data. It not only aims to provide Texans with greater control over their personal information but also sets out the responsibilities businesses have in safeguarding such data. For businesses, this means adapting to new compliance requirements, implementing stronger data security measures, and ensuring transparency in data practices.

Overview

“The Texas Data Privacy and Security Act, or TDPSA, aims to regulate how businesses collect, use, and process the personal data of Texas consumers.” This legislation addresses a multitude of concerns, ranging from data breaches to consumer rights, shaping the landscape of data privacy within the state. Texas is one of eight states that have signed dedicated data privacy laws, set to join the five states that have already passed a privacy law of some sort.

Before the TDPSA, Texas, like many other states, struggled with a patchwork of regulations and standards governing data privacy and security. The absence of comprehensive legislation left gaps in protection, exposing businesses and individuals to various risks associated with data breaches, identity theft, and unauthorized use of personal information, to name a few. In response to incidents in recent years, like the 2017 Equifax breach that affected thousands of people, influence from other states, and the lack of federal regulation, Texas decided to sign and pass a privacy law to try to remedy past issues and avoid future ones.

It's important to note that while only a limited number of U.S. states have enacted comprehensive data privacy laws, every state has implemented a data breach notification law. These laws vary in specifics but generally mandate that businesses notify affected individuals or a relevant state agency within a specified timeframe after a breach is discovered. For example, in Texas, the requirement is to notify affected parties "as quickly as possible" and no later than 30 days after identifying a breach impacting over 250 people. This demonstrates that while all states have reactive measures in place—requiring action after a data breach has occurred—fewer states have proactive measures, which would involve data privacy laws aimed at protecting individuals' data before any breach happens. This proactive approach would help establish routine practices for businesses to safeguard consumer data consistently.

Scope of protection under the TDPSA:

While the act offers robust protections that did not exist before it was passed, it is designed to protect natural persons who are residents of Texas and acting in a personal context. This means that the protection under this act focuses on individual-related data processing activities, and not on information related to commercial or employment activities. Hence the law is aimed at protecting Texans in their everyday lives, excluding professional or business-related activities. This distinction is important because it means that personal information used in professional settings, such as data processed by employers or data collected in business-to-business transactions, does not fall under the requirements of this act.

How will TDPSA affect consumers?

The Texas Data Privacy and Security Act (TDPSA) represents a significant shift in how consumers' personal data is treated within the state. Primarily, it will empower Texans by granting them unprecedented rights over their personal information, thereby enhancing their control and protection in an increasingly digital world. Additionally, the act will afford consumers:

  • The right to request deletion of their personal data, for instance when the data is no longer relevant because it is no longer necessary for the purposes for which it was initially collected.

  • The right to request a copy of their data in a digital format, allowing them to transfer information more easily between service providers.

  • Opt-out rights from certain data processing activities such as targeted advertising, the sale of their data, or profiling, giving them more control over how their personal data is used and processed.

  • A timely response to their requests: businesses are required to respond to consumers' requests without undue delay and within a specific time frame, which means no longer than 45 days, with the possibility of a 45-day extension in some cases.

  • The right to access and view the exact data collected about them, and to correct it.

  • The right to ask businesses whether their personal data is being processed, which gives them a better understanding of who is using their information and for what exact purposes, providing enhanced transparency.

How will TDPSA affect businesses?

Businesses, on the other hand, will face a transition period of adapting to new regulations and processes that most likely were not in place before the act is enforced. They will have to align their data collection, processing, and security practices with the new regulations. This means that some businesses will have to turn to companies like Crimson Vista to get first-hand knowledge and guidance for a smoother transition. They will also need to account for:

  • Adopting data management practices that allow consumers to access, correct, and delete their personal information, leading to significant changes to their IT systems and data handling procedures.

  • The legal and financial implications of non-compliance. Non-compliance with the TDPSA can result in legal penalties and fines, so businesses must ensure they fully comply with the law to avoid financial consequences and a loss of consumer trust.

Overall, the TDPSA introduces additional responsibilities and regulations for businesses, which might initially feel daunting. However, support is available to ease this transition. For instance, firms such as Crimson Vista specialize in updating your compliance processes and guiding you through them to meet these new standards. Adhering to the TDPSA regulations will not only enhance consumer protection but also improve the business landscape in our state. It's crucial for us to embrace innovative approaches to data management and security, ensuring our clients are protected across all fronts.