The Texas Data Privacy and Security Act (TDPSA), what you need to know
On June 18, 2023, Texas Gov. Abbott signed the Texas Data Privacy and Security Act into law, joining states with strong consumer data protection.
The Texas Data Privacy and Security Act governs the collection, use, processing, and handling of consumer personal data. Businesses that break its rules face civil penalties.
The TDPSA takes its cues from existing legislation, with the Virginia Consumer Data Protection Act as its cornerstone. The purpose of the law is to hold companies responsible for how they use Texans' data while safeguarding the privacy and personal data rights of the people living in the state.
Like other state privacy statutes, the Texas privacy act grants citizens a variety of well-known rights, including the ability to:
The applicability of the TDPSA is one of its main differences from other data privacy legislation. Rather than applying to companies according to their yearly income, the amount of data processed, or the amount of money the company makes from selling such data, the law lays down new standards.
Entities meeting the following requirements are covered under the TDPSA:
The TDPSA lists controllers' responsibilities for gathering personal data, including establishing data security procedures and restricting collection to what is reasonable, relevant, and adequate.
Controllers may not:
A controller must respond "without undue delay," but no later than 45 days after receiving a data subject access request (DSAR; such as the rights requests mentioned above). Furthermore, a controller may, if deemed logical, extend the response time by 45 days provided it tells the customer within the first 45-day window.
According to the legislation, consumers must receive free information at least twice a year, unless their request is obviously baseless, exorbitant, or repetitious. Should the controller fail to respond within a reasonable amount of time, it must set up a procedure by which a consumer may appeal.
While other states (such as Connecticut, Virginia, and California) have privacy laws that are seen as more business-friendly than the TDPSA, there are several other noteworthy differences in the statute's wording.
For instance, the law mandates that businesses or organizations that sell sensitive or biometric data make further disclosures; it even goes so far as to mandate the notification, "notification: We may sell your sensitive (or biometric) personal data." The notice must be posted in the same manner and place as the privacy notice.
Companies that sell customer data for targeted advertising also have to offer more disclosures and give customers a means to stop having their data sold.
Although the measure more closely resembles Virginia's privacy statute, the Texas statute's definition of "sale of personal data" is more like the California Privacy Rights measure than Virginia's. It is defined in the act as "sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party."
Every non-exempt company operating in the state and processing or selling personal data is covered by the definition of "controller."
Furthermore, the 30-day cure period—that is, a grace period during which offenders have the chance to "cure" a violation after notification—varies somewhat from those of other legislation. Should a violation be resolved after the attorney general issues a written notification, no further action will be taken against the offender. What is different is that the organization has to also submit a written declaration to the attorney general stating:
For every infraction, the attorney general has the authority to fine an organization $7,500.
Ultimately, there is no private right of action, hence private citizens are powerless to take legal action against those who break the law.
We can help by automating a number of the processes required to comply with the new legislation, including:
Please contact us for a consultation and demonstration at info@data-sentinel.com