Soon, Texas will be the newest state with a comprehensive consumer data privacy law. The Texas Data Privacy and Security Act will take effect on July 1 and will require many compliance steps.
1. How will This Apply to Businesses, Employment, and B2B?
The law applies to an individual or entity that conducts business in Texas or produces a product or service consumed by Texas residents, processes or engages in the sale of personal data, and is not a small business as defined by the United States Small Business Administration.
Furthermore, the Texas Data Privacy and Security Act will not apply to employment or B2B situations, as the Act excludes individuals acting in a commercial or employment context.
2. Will Other Organizations be Excluded From Coverage?
Yes, the law also excludes several organizations from its coverage. For example, state agencies, political subdivisions, and nonprofit organizations are excluded. These institutions are subjects covered by the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act of 1996, and the Health Information Technology for Economic and Clinical Health Act.
3. How is “Personal Data” Defined?
“Personal data” is any information linked to an identifiable individual. This includes pseudonymous data that is used in conjunction with additional information that reasonably links the data to an identified or identifiable individual; however, it does not include publicly available information.
4. Can People Sue the Law for Violations?
Unfortunately, no. The Texas Data Privacy and Security Act has exclusive enforcement authority with the Texas Attorney General, Ken Paxton, who has announced that he plans to fully enforce the law.
And although people can’t sue, individuals are allowed to submit complaints directly to the Texas Attorney General. This could cause an issue of civil investigative demand.
5. What Consumer Rights Are Granted?
Consumers have a few rights regarding their personal data.
For instance, consumers are allowed to access their personal data and correct any inaccuracies. They are also granted the right to delete personal data provided by or obtained about them. Additionally, if the data is digital, they are allowed to obtain a copy in a portable format. Consumers are also granted the right to opt out of personal data processing for advertisement or sales.
6. What Are the Obligations of Covered Entities?
Controllers must establish at least two secure and reliable methods for consumers to exercise their rights. However, the Texas Data Privacy and Security Act does not allow a controller to require that a consumer create a new account. Instead, they can require them to use their existing account.
Additionally, the controller must respond to any request within 45 calendar days from the date of receipt. If needed, the controller can extend the time for response by an extra period if it is reasonable, as long as the consumer is informed of this extension and the reason.
However, if a controller cannot authenticate a request with commercially reasonable effort, it is not required by law to respond. Instead, the controller may ask the consumer to provide any additional information that would be reasonably necessary for the consumer’s authentication and request. The controller must provide a way for the consumer to appeal the controller’s refusal if denied.
7. What Privacy Notice Must be Provided?
A clear privacy notice must be provided; this includes all categories of personal information processed, the purpose of processing the personal information, information that is shared with third parties, the categories of third parties involved, and details of the methods required under the Act through which consumers can submit requests to exercise their consumer rights.
8. Will Businesses Need to Conduct a Data Protection Assessment?
Data protection assessments (DPAs) must be conducted and documented by controllers for each data processing activity involving personal data.
The DPA should describe how personal data is used for targeted advertising, data sale, profiling (if there’s a risk that profiling could lead to unfair treatment or disparate impacts on consumers), financial, physical or reputational harm, and physical or other intrusions on consumers’ privacy or solitude.
9. Any Additional Duties for Processors?
The Texas Data Privacy and Security Act obliges processors to follow the instructions and duties of controllers. The contract between a controller and a processor must clearly state the instructions to be followed for data processing. It should also specify the purpose and nature, as well as the types of data that will be processed and the duration of the processing.
The Act also requires that contracts ensure that all persons processing personal data are subject to confidentiality concerning consumer data. The processor must also agree that after service provision is complete, they must delete or return any personal data the controller requests.
10. What Should Be Done in the Meantime?
Businesses should take immediate action towards compliance. Compliance will take time and resources, so it’s important to plan accordingly. After this, the next step will likely be completing a data inventory. This will help draft privacy notices and data protection assessments.