Texas Data Privacy and Security Act (TDPSA)

The statute was designed to protect the privacy and personal data rights of the state’s residents while holding businesses accountable for how they use the data of Texans. 

Is Complying with TDPSA Mandatory?

TDPSA applies to entities that meet the following criteria:  

  • Conduct business in Texas or generate products or services “consumed” by Texas residents. “Consumed” is a new word in this type of legislation, and it has not gone unnoticed, as it replaces the word “targeted” that most similar laws include.

  • Process or engage in the sale of personal data. 

  • Do not qualify as a small business as defined by the U.S. Small Business Administration (SBA). The definition varies by industry and is “usually stated in number of employees or average annual receipts,” the SBA outlines.

What are the penalties for not complying with TDPSA?

After the attorney general notifies a person in writing, no action will be brought against the violator if the violation has been cured. What differs is that the entity must also provide the attorney general with a written statement that it has:

  • Cured the violation.  

  • Notified the consumer that their privacy violation was addressed (if their contact information was made available).

  • Made changes to internal policies, if necessary, to ensure the violation won’t be repeated.  

Furthermore, unlike the cure periods in other laws, the TDPSA's cure period does not sunset: businesses subject to the TDPSA will enjoy a 30-day cure period in perpetuity.

If an entity does not remediate the violation, the attorney general can issue a $7,500 penalty for each violation.  

Finally, there is no private right of action, which means private citizens cannot bring action against those who violate the law.