Texas Enacts Comprehensive Consumer Data Privacy Law
Texas has recently joined a growing number of states by enacting a comprehensive consumer data privacy law known as the Texas Data Privacy and Security Act. The Act, which will come into effect on July 1, 2024, places obligations on businesses operating in Texas and processing personal data of Texas residents. With similarities to laws in other states like Virginia, California, and Colorado, this legislation aims to enhance consumer privacy rights and data protection.
Under the Texas Data Privacy and Security Act, the term "personal data" encompasses any information reasonably linkable to an identified or identifiable individual, including pseudonymous data used in conjunction with additional identifying information.
Certain entities are exempt from compliance with the Act, including financial institutions subject to the Gramm-Leach-Bliley Act, entities governed by HIPAA and HITECH Act rules, government entities, electric utility or power generation companies, higher education institutions, and non-profit organizations. Additionally, protected health information under HIPAA is exempt.
Key Implications for Compliance Officers and Data Security Professionals
- Scope and Compliance: Compliance officers and data security professionals should carefully assess their organization's activities to determine whether they fall within the Act's scope. An entity must comply if it conducts business in Texas or offers products or services consumed by Texas residents, processes or sells personal data, and does not qualify as a small business under the Act's definition.
- Consumer Rights and Requests: The Act grants Texas consumers specific rights regarding their personal data. Compliance officers should establish procedures to promptly handle consumer requests for confirmation of data processing, access to personal data, correction of inaccuracies, deletion of data, and obtaining portable copies of their information. Additionally, compliance officers should facilitate opt-out mechanisms for targeted advertising, sale of personal data, and certain types of profiling.
- Response Timelines and Appeals: Compliance officers should ensure their organization adheres to the Act's response timelines for consumer requests. Controllers must respond within 45 days of receipt, with a possible 45-day extension if necessary. Proper authentication of consumer requests is crucial, and if a controller takes no action it must explain why and provide instructions for the appeal process.
- Privacy Notices and Data Protection Assessments: Compliance officers must ensure the organization provides comprehensive privacy notices to consumers, including information on personal data processing, sharing with third parties, and consumer rights under the Act. Additionally, controllers are required to conduct and document data protection assessments as part of their compliance obligations.
The Texas Data Privacy and Security Act marks a significant step toward protecting consumer privacy and data security within the state. Compliance officers and data security professionals must proactively adapt their policies, practices, and procedures to align with the Act's requirements. By doing so, organizations can enhance consumer trust, mitigate legal and reputational risks, and foster a privacy-conscious culture.