Texas has joined the nine[1] other states that have comprehensive data privacy laws after Governor Greg Abbott signed the Texas Data Privacy and Security Act (the “TDPSA”). Subject to exemptions,[2] the TDPSA applies to any entity (labeled controller under the Act) that (1) conducts business in Texas or produces a product or service consumed by residents of Texas; (2) processes or engages in the sale of personal data; and (3) is not a small business as defined by the US Small Business Administration.[3] The SBA defines a small business as a business with fewer than 500 employees. The law goes into effect on July 1, 2024.
For those familiar with data privacy laws, the TDPSA by and large follows the model of Virginia with respect to the rights granted to consumers and the obligations placed on controllers. The applicability provision is unique, as are several other provisions: (a) a requirement to post prescribed notices regarding the sale of sensitive personal data and biometric personal data; (b) a thirty day cure period that requires more from the alleged violator than a statement that the alleged violation has been cured; and (c) a prohibition on sales of personal data by small businesses without the prior consent of the consumers. Also note the additional deadline of January 1, 2025, by which controllers must be able to support universal opt-out signals.
To view the full story, visit https://www.natlawreview.com/article/now-there-are-10-texas-data-privacy-and-security-act