Mastering TDPSA: Your definitive guide to the Texas Data Privacy and Security Act

In an era defined by the rapid digitization of information, data privacy and security have become paramount concerns for individuals, businesses, and governments alike. The ever-growing volume of personal and sensitive data circulating in the digital realm has necessitated the establishment of robust legal frameworks to protect this invaluable asset. In this e-book, we'll explore the Texas Data Privacy and Security Act (TDPSA) and the pivotal role it plays in safeguarding personal data within the state of Texas.

Brief overview of data privacy and security laws

Data privacy and security laws are legislative measures designed to safeguard the confidentiality, integrity, and availability of personal and sensitive information. These laws exist at various levels, including international, national, and state, and they provide a framework for how organizations collect, store, process, and share data. They dictate how businesses and institutions must handle data, ensuring that it is used responsibly and securely.

At the international level, regulations like the European Union's General Data Protection Regulation (GDPR) have set a global standard for data protection. On the national front, the United States has laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), which address data privacy and security concerns in specific sectors and regions.

What is the TDPSA?

The TDPSA, also known as H.B. 4, is a data privacy law that was passed by Texas legislature on May 28, 2023. This makes Texas the 11th state to enact a comprehensive consumer data privacy law, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, and Florida. The TDPSA is said to take effect on July 1st, 2024, however, the provisions on universal opt-out mechanisms come into effect six months later, on January 1st, 2025.

Importance of the TDPSA in the context of Texas

Texas, as one of the largest and most economically vibrant states in the United States, is a hub of digital activity. With countless businesses, government agencies, and individuals relying on digital systems to conduct their daily affairs, the need for robust data protection laws within the state is more pressing than ever. This is where the TDPSA steps in.

The TDPSA is a crucial piece of legislation aimed at ensuring that the personal and sensitive data of Texans is handled with the utmost care and security. It is a response to the growing threats of data breaches, identity theft, and cybercrimes that can have devastating consequences for individuals and organizations. By enforcing stringent data protection standards, the TDPSA seeks to maintain trust in digital transactions and enhance the competitiveness of Texas-based businesses in the global market.

The TDPSA has a significant reach, affecting various businesses and organizations that process personal data. Understanding whether your organization falls under the scope of the TDPSA is the first step towards being compliant. This chapter provides a comprehensive explanation of the entities and scenarios that necessitate compliance with the TDPSA.

Understanding the scope

To understand whether your business needs to comply with the TDPSA, it is essential to consider the following:

• The types of personal data you collect and process.
• The volume of data and the extent of processing activities.
• Your geographical location and the location of data subjects.
• Your annual revenue derived from data processing activities on Texas residents.

Keep in mind that the TDPSA is designed to protect the privacy rights of Texas residents, so any business or entity that handles the personal data of these residents must comply with its provisions. Compliance often involves implementing robust data protection measures, appointing a data protection officer (DPO), and ensuring transparency and accountability in data processing practices.

Who should comply with the TDPSA?

The TDPSA specifically pertains to individuals or entities who:

• Operate within Texas or provide products or services used by Texas residents.
• Engage in personal data processing or its sale.
• Do not fall within the small business category as defined by the United States Small Business Administration (SBA), which means they are not independent businesses with fewer than 500 employees.

Businesses affected by the TDPSA

The TDPSA applies to a broad spectrum of entities, including but not limited to:

Texas-based businesses:

Any business or organization based in Texas that collects, processes, or stores personal data must comply with the TDPSA. This includes small businesses, large corporations, nonprofits, and government agencies.

Out-of-state businesses:

Even if your business is not physically located in Texas, you may still need to comply with the TDPSA if you collect or process the personal data of Texas residents. This extraterritorial reach ensures that businesses outside Texas cannot evade compliance simply by being located elsewhere.

Service providers:

Businesses that provide services to other organizations that deal with Texas' residents and have access to their personal data may also need to comply with certain provisions of the TDPSA.

While the TDPSA imposes strict data protection requirements on businesses and organizations, it also includes certain exemptions and exceptions. These exemptions may apply to specific situations, types of data, or businesses of a certain size. Understanding these exemptions is essential for organizations seeking to determine their compliance obligations under the TDPSA.

What are the notable exemptions?

Exemption assessment

To determine whether your organization qualifies for exemptions under the TDPSA, you should conduct a thorough assessment of your business operations, data processing activities, and compliance obligations. This assessment may involve:

The TDPSA has significant implications for businesses operating in Texas. Compliance with the TDPSA is not just a legal requirement; it also has far-reaching business consequences. This chapter explores the practical implications that the TDPSA brings for organizations, including both challenges and opportunities.

1. Compliance costs

Complying with the TDPSA requires a financial commitment. Businesses must allocate resources for activities like data mapping, implementing security measures, conducting data protection impact assessments (DPIAs), and potentially hiring or designating a DPO. It's important to budget for compliance costs, which can vary depending on the size and complexity of the organization.

2. Data mapping and inventory

The TDPSA mandates that businesses understand what personal data they collect, process, and store. This requires thorough data mapping and inventory processes. While this can be a significant undertaking, it also provides organizations with a clearer picture of their data assets, which can lead to improved data management and efficiency.

3. Data security enhancement

To comply with the TDPSA, businesses must enhance their data security measures. This may involve implementing encryption, access controls, regular security audits, and employee training on data security practices. Strengthening data security not only helps with compliance but also reduces the risk of data breaches.

4. Reputation and trust

Demonstrating commitment to data privacy and security can enhance an organization's reputation and build trust with customers. Businesses that prioritize data protection are more likely to retain customer trust and loyalty, which can have a direct impact on brand reputation and customer retention rates.

5. Competitive advantage

Being TDPSA-compliant can provide a competitive advantage. Organizations that can assure customers of their commitment to data privacy may attract more customers concerned about their personal information's security. Compliance can also be a selling point when competing for contracts or partnerships.

6. Operational changes

To comply with the TDPSA, businesses may need to make operational changes. This could involve revising internal policies, updating contracts with third-party service providers, and implementing new data handling processes. Organizations should be prepared for these changes and allocate resources accordingly.

7. Data subject trust

The TDPSA grants certain rights to data subjects, such as the right to access their data and request its deletion. Meeting these rights effectively can foster trust with data subjects. However, it also requires businesses to establish processes for handling data subject requests promptly and efficiently.

8. International considerations

If your business operates globally or handles data from international customers, TDPSA compliance may align with or complement other privacy regulations like the GDPR. Understanding how the TDPSA relates to international regulations is crucial for organizations with a global footprint.

9. Legal consequences

Non-compliance with the TDPSA can lead to legal consequences, including fines and penalties. Businesses must be aware of the potential costs of non-compliance and the importance of maintaining a strong compliance posture.

Penalties for non-compliance

The TDPSA is not just a set of guidelines; it comes with enforceable penalties for organizations that fail to comply with its provisions. This chapter outlines the potential penalties and consequences that businesses may face in the event of non-compliance with the TDPSA.

The TDPSA is not just a set of guidelines; it comes with enforceable penalties for organizations that fail to comply with its provisions. This chapter outlines the potential penalties and consequences that businesses may face in the event of non-compliance with the TDPSA.

TDPSA compliance is not just a legal obligation but also a strategic business imperative. While it presents challenges, it also offers opportunities for businesses to enhance their data management practices, build trust with customers, and gain a competitive edge in the marketplace. Successful compliance requires a holistic approach that combines legal, technological, and operational efforts.

The TDPSA places significant emphasis on safeguarding the rights of data subjects, who are the individuals to whom personal data relates. This chapter explores the rights granted to data subjects under the TDPSA, detailing what these rights entail and how businesses and organizations must address them.

1. Right to access personal data

Data subjects have the right to request access to their personal data held by a data controller. This means they can inquire about what data is being processed, for what purposes, and obtain a copy of their data.

2. Right to rectify inaccurate data

Data subjects have the right to rectify any inaccuracies or errors in their personal data. If they believe that the information held by a data controller is incorrect, they can request corrections or updates.

3. Right to be forgotten

Also known as the right to erasure, this right allows data subjects to request the deletion of their personal data under certain circumstances. Data controllers must comply with such requests, particularly when the data is no longer necessary for its original purposes.

4. Right to data portability

The TDPSA grants data subjects the right to receive their personal data in a structured, commonly used, and machine-readable format. They can also request the transfer of their data to another data controller if technically feasible.

5. Right to object to processing

Data subjects have the right to object to the processing of their personal data for specific purposes, such as direct marketing. Data controllers must cease processing the data unless they can demonstrate legitimate grounds that override the data subject's interests.

How can consumers exercise their rights?

Consumers are entitled to exercise their rights by submitting a request to a data controller, specifying the particular consumer rights they wish to exercise. In the case of a child, a parent or legal guardian may act on behalf of the child to exercise their consumer rights related to the processing of the child's personal data.

Controller’s response to data subject rights

The data controller is obliged to fulfill a consumer's request to exercise their rights unless there are valid exemptions. The controller must respond promptly to the consumer's request, ensuring a response is provided within 45 days from the date of receiving the request. In cases where the complexity or volume of requests warrants it, the controller may extend the response period by an additional 45 days. However, this extension and the reason behind it must be communicated to the consumer within the initial 45-day period.

The controller is obligated to provide information to consumers at least twice a year without any charges. However, if a request is considered unjustified, excessive, or recurrent, the controller may impose a reasonable fee to cover administrative costs, or it may choose not to respond to the request at all. Nevertheless, it is incumbent upon the controller to demonstrate that a request is evidently unfounded, excessive, or repetitive.

If the controller is unable to verify a consumer's request using reasonable commercial efforts, it may request additional information from the consumer for authentication.

Lastly, when a controller has acquired a consumer's personal data from a source other than the consumer, compliance with the consumer's request for personal data deletion is achieved by retaining a record of the deletion request and retaining only the minimum data necessary to ensure the consumer's personal data is deleted from the controller's records, with no use of the retained data for any other purpose except for those exempted under TDPSA provisions.

You are now equipped with the information you need to get your business ready for compliance with the TDPSA.

Prior to July 2024, organizations subject to this recently enacted state legislation should consider taking the following steps:

• Revise their privacy policy.
• Incorporate opt-out choices into their cookie consent notifications.
• Execute data protection assessments as required.
• Adhere to contractual commitments with third-party data processors.
• Establish a system for respecting universal opt-out requests from consumers (prior to January 1, 2025).

ManageEngine's compliance solutions

ManageEngine Log360, a comprehensive security information and event management (SIEM) solution, helps enterprises to thwart attacks, monitor security events, and comply with regulatory mandates.

The solution bundles a log management component for better visibility into network activity and an incident management module that helps quickly detect, analyze, prioritize, and resolve security incidents. Log360 features an innovative ML-driven user and entity behavior analytics (UEBA) add-on that baselines normal user behaviors and detects anomalous user activities along with a threat intelligence platform that brings in dynamic threat feeds for security monitoring.

Log360 helps ensure organizations combat and proactively mitigate internal and external security attacks with effective log management and in-depth AD auditing.

About the author

Harshni is a compliance expert, deeply fascinated by the intricacies of this rapidly evolving field. With a passion for learning and writing about new regulatory mandates that shape the cybersecurity landscape, Harshni brings fresh perspectives and valuable insights. When not delving into the world of cybersecurity, she likes singing and learning new melodies on the ukulele.