By Shereen El Domeiri
On July 1, 2024, the Texas Data Privacy and Security Act (TDPSA) comes into effect. This is Texas' comprehensive data privacy law, and while it shares similarities with other states' laws, there are some key differences.
This Act will require many businesses to implement new data privacy and protection measures. It is likely that this law will take many businesses by surprise because, notably, there is no minimum number of consumers or uniform revenue amount that triggers the law. Instead, the Texas law exempts small businesses as defined by the Small Business Administration, which applies different revenue and employee thresholds depending on the industry as classified under the North American Industry Classification System (NAICS). The law also exempts government agencies and political subdivisions, nonprofit organizations, higher education institutions, and, notably, electric utility and power generation companies.
This Texas law applies to the personal data of Texas resident consumers acting in their individual or household capacity. It does not treat employee data or business contact data as consumer data. The definition of a child is similar to that in the Children's Online Privacy Protection Act (COPPA), and compliance with COPPA satisfies the corresponding requirements under the TDPSA. This law applies to non-exempt businesses that conduct business in Texas or produce a product or service consumed by Texas residents. Thus, if your business is covered by this law and you hold the personal data of at least one (1) Texas resident consumer, this law applies to you and you must comply.
While small businesses are exempt, it may be worth considering implementing some of the data practices prescribed by this law to ensure a smooth transition as you grow or upon acquisition by a larger company subject to this law.
Under this law, many businesses will now have to implement certain measures, such as posting a privacy notice on their website, responding to consumer data requests, implementing and documenting data security measures, including data protection clauses or addendums in contracts that involve sharing consumer data with service providers, and conducting data assessments. Below we break down each of these requirements:
Privacy Notice on Website
The privacy notice must include:
o Categories of personal data processed and the purpose of processing;
o Categories of third parties with which each category of personal data is shared;
o Data protection measures the company has in place to protect personal data;
o How consumers can exercise their data rights; and
o Specific notice language is required for any sale of sensitive or biometric personal data.
Consumer Data Rights Requests and Responses
o Consumer Data Rights
Right to Access/Right to Know
Right to correct inaccuracies
Right to delete
Right to obtain portable digital copy of data
Right to opt out of targeted advertising, sale of personal data, or profiling
o Consumer Data Requests & Responses
Two (2) request methods must be provided for consumers to make a data rights request, in a way that reflects how a consumer normally interacts with the company and is secure and reliable (e.g., an online form, email, or phone).
Companies must respond to consumer data requests within 45 days of receipt, which may be extended by an additional 45 days with notice to the consumer.
Consumers must be provided with an appeal mechanism for any request that is not acted upon or responded to in a timely manner.
Data Security Measures & Assessments
o Implement reasonable administrative, technical, and physical data security measures to protect personal data.
o Document all processing activities and the direct and indirect benefits and risks associated with the data processing.
Contract Requirements
o Include data protection provisions in contracts with vendors that process consumer personal data.
o Implement procedures to document and review vendor data security measures and consider how to assess vendors on a regular basis.
The purpose of this law is to ensure that consumers are aware of what data companies are collecting about them and how it is used, to give consumers rights over their data, and to ensure that companies appropriately protect the consumer data entrusted to them. Again, this law may impact many more businesses than previously enacted state laws, and companies that have held off on implementing these data practices may be caught by surprise, because collecting and processing the data of just one (1) Texas resident consumer will trigger this law for covered businesses. Thus, now is a great time to review your data practices and make any necessary updates to comply with this new law.
Please feel free to reach out to Shereen El Domeiri at seldomeiri@fultonjeang.com if you have any questions.