May 10, 2024

New Data Privacy Law in Texas: A New State Law Takes Effect on July 1, 2024

Government Affairs Update

By Kenneth Besserman, TXCPA’s Director of Government Affairs and Special Counsel

The Texas Data Privacy and Security Act (TDPSA) was signed into law in June 2023 and will take effect on July 1, 2024. Texas became the sixth state to pass a major data privacy law in 2023.

This comprehensive legislation aims to regulate how businesses collect, use and protect the personal data of Texas residents. CPAs should be aware of the new legislation for their own business purposes and advising clients.

Key Provisions of the TDPSA

Scope

The TDPSA applies to entities that:

  • Conduct business in Texas or produce a product or service consumed by residents of the state;
  • Process or sell any volume of personal data; and
  • Are not a small business, as defined by the U.S. Small Business Administration.

The TDPSA does not apply to:

  • Nonprofits;
  • State agencies and political subdivisions;
  • Financial institutions subject to the Gramm-Leach-Bliley Act;
  • Covered entities and business associates governed by HIPAA; and
  • Institutions of higher education.

The TDPSA also specifically exempts electric utilities, power generation companies and retail electric providers.

Consumer Rights

Consumers have the right to:

  • Confirm whether a controller is processing their personal data and access such personal data;
  • Correct inaccuracies in the consumer’s personal data;
  • Delete personal data provided by or obtained about the consumer;
  • Obtain a portable copy of the consumer’s personal data; and
  • Opt-out of processing for purposes of targeted advertising, sale of personal data or profiling.

Consumers also have the right to appeal a controller’s refusal to take action on a consumer request to exercise their rights.

Sensitive Data Focus. The TDPSA uniquely requires consumer consent before processing "sensitive personal data," which includes data such as Social Security numbers, passport numbers and precise geolocation data. If a controller sells sensitive data or biometric data, it must post a specific notice (i.e., “NOTICE: We may sell your [sensitive/biometric] personal data.”) in its privacy notice.

Assessments. Businesses are required to conduct a data protection impact assessment on the processing of personal data for targeted advertising, the sale of personal data, profiling, sensitive data, and any processing activities that involve personal data that present a heightened risk of harm to consumers.

Enforcement. The TDPSA authorizes the Texas Attorney General to enforce the Act. The AG provides a 30-day cure period, which does not sunset. For violations that are not cured, the AG may seek up to $7,500 in civil penalties per violation. The law also mandates that the AG provide controllers, processors and consumers with information on their rights and responsibilities on the AG’s website, along with an online portal for submitting complaints.

The TDPSA may have a significant impact on businesses that operate in Texas or handle data of Texas residents. Some potential impacts include the following.

  • Increased compliance costs to comply with the various requirements of the TDPSA, such as:
  • Developing and maintaining a clear and comprehensive privacy notice;
  • Implementing processes to handle consumer data requests (access, correction, deletion, etc.);
  • Conducting data protection assessments for high-risk processing activities; and
  • Updating data security measures to meet the "reasonable security" standard.

Operational Adjustments. Businesses may need to adjust their data collection practices to ensure they only collect data that's "reasonably necessary and proportionate" to their purpose. They may also need to modify their data usage and sharing practices to comply with consumer opt-out rights.

Impact on Marketing and Advertising. Businesses relying on targeted advertising or data-driven marketing strategies may need to adapt their approach to comply with the TDPSA's restrictions on the sale of personal data and opt-out rights for targeted advertising.

Potential Benefits

Improved Customer Trust and Brand Reputation. Implementing strong data privacy practices can enhance customer trust and loyalty, potentially leading to positive brand reputation.

Enhanced Data Security Posture. The focus on reasonable data security measures can lead to improved protection of consumer data, potentially reducing the risk of data breaches and associated costs.

Alignment with Evolving Data Privacy Landscape. As data privacy regulations continue to evolve, complying with the TDPSA can help businesses prepare for and adapt to future regulations in other states or at the federal level.

Overall, the impact of the TDPSA on businesses will depend on several factors, including the size and nature of the business, its data practices and its existing data security posture. While compliance will require effort and resources, it can also present opportunities to improve data management practices, build trust with customers and prepare for the evolving data privacy landscape.

You can read more about the new law on our website here.

About the Author: Kenneth Besserman, JD, is TXCPA’s Director of Government Affairs and Special Counsel.

 

CHAIR
Tim Pike, CPA

PRESIDENT/CEO
Jodi Ann Ray, CAE, CCE, IOM

CHIEF OPERATING OFFICER
Melinda Bentley, CAE

EDITORIAL BOARD CHAIR
Jennifer Johnson, CPA

Staff

MANAGING EDITOR
DeLynn Deakins
ddeakins@tx.cpa

COLUMN EDITOR
Don Carpenter, MSAcc/CPA

WEB EDITOR
Wayne Hardin

CLASSIFIEDS
DeLynn Deakins

Texas Society of CPAs
14131 Midway Rd., Suite 850
Addison, TX 75001
972-687-8550
ddeakins@tx.cpa

 

 

 

Editorial Board
Arthur Agulnek, CPA-Dallas;
Shivam Arora, CPA-Dallas;
Derrick Bonyuet-Lee, CPA-Austin;
Aaron Borden, CPA-Dallas;
Don Carpenter, CPA-Central Texas;
Melissa Frazier, CPA-Houston;
Rhonda Fronk, CPA-Houston;
Aaron Harris, CPA-Dallas;
Baria Jaroudi, CPA-Houston;
Elle Kathryn Johnson, CPA-Houston;
Jennifer Johnson, CPA-Dallas;
Joseph Krupka, CPA-Dallas;
Lucas LaChance, CPA-Dallas, CIA;
Nicholas Larson, CPA-Fort Worth;
Anne-Marie Lelkes, CPA-Corpus Christi;
Bryan Morgan, Jr, CPA-Austin;
Stephanie Morgan, CPA-East Texas;
Kamala Raghavan, CPA-Houston;
Amber Louise Rourke, CPA-Brazos Valley;
Barbara Scofield, CPA-Permian Basin;
Nikki Lee Shoemaker, CPA-East Texas, CGMA;
Natasha Winn, CPAHouston.

Design/Production/Advertising
Media By Design, LLC
mediabydesign@gmail.com

CONTRIBUTORS
Melinda Bentley; Kenneth Besserman; Kristie Estrada; Holly McCauley; Craig Nauta; Kari Owen; John Ross; April Twaddle

 

 

Your TXCPA membership has not been renewed for 2024 -2025. Renew now.