Effective July 1st, 2024, and enacted by the Legislature of the State of Texas, the Texas Data Privacy and Security Act establishes measures to safeguard the personal data of consumers and grants them several rights, such as the right to access, the right to delete, the right to opt out, and the right to correct inaccuracies. The Act adds Chapter 541 (Consumer Data Protection) under Subtitle C of Title 11 (Personal Identity Information) of the Business and Commerce Code. The Department of Information Resources created an online portal on its website to receive public suggestions and feedback on the Act; the portal will remain active for 90 days starting Sep 1st, 2024, after which no further suggestions will be taken.
This Act applies to any business entity that processes the personal data of residents of Texas, is involved in the sale of their personal data, conducts business in Texas, produces a product or service that residents of Texas consume, and is not a small business (as defined by the United States Small Business Administration). Such entities are defined as a “Controller” in this Act. A controller is a person that, independently or jointly with others, decides the purposes and methods of processing the personal data of Texas residents.
This Act DOES NOT apply to:
- Political subdivisions or state agencies of Texas, business associates, or covered entities governed by the Health Information Technology for Economic and Clinical Health Act (HITECH Act) & the Health Insurance Portability and Accountability Act (HIPAA).
- Nonprofit organizations.
- Financial institutions governed by the Gramm Leach Bliley Act (GLBA).
- Higher education institutions.
- An electric utility, a retail electric provider, or a power generation company.
Certain types of information are exempted from the Texas Data Privacy and Security Act under Sec. 541.003. This includes health records, employment-related information, identifiable private information, and personal and protected data that is:
- Created for purposes of the Health Care Quality Improvement Act and the Patient Safety and Quality Improvement Act.
- Governed or regulated by HIPAA, Fair Credit Reporting Act (FCRA), Driver's Privacy Protection Act, Family Educational Rights and Privacy Act (FERPA), and Farm Credit Act.
Duties of Data Controllers under Sec. 541.101
Sec. 541.101, Controller Duties; Transparency, of Subchapter C (Controller and Processor Data-Related Duties and Prohibitions) elaborates on the data protection principles that controllers and processors must observe when handling the personal data of consumers. A controller’s duties include, but are not limited to, the following:
- The personal data collected from a consumer must be adequate, relevant, and limited to what is necessary for the purpose of processing as disclosed to the consumer.
- Administrative, physical, and technical data security measures must be established, implemented, and maintained, appropriate to the nature and volume of the personal data, to protect the confidentiality, integrity, and accessibility of personal data.
- Unless consent is obtained from the consumer, the controller may not process their personal data for purposes that are unnecessary for, incompatible with, or dissimilar to the purposes disclosed to the consumer.
- Personal data may not be processed in a manner that violates federal and state laws.
- Consumers may not be discriminated against for exercising their rights. Denying goods or services, providing a different level of goods or services, or charging different prices for goods or services are all examples of discriminatory behavior by the controller or processor against consumers.
- The controller must not process a consumer’s sensitive data without their consent. If the sensitive data belongs to a known child, the processing must be carried out in accordance with the Children's Online Privacy Protection Act of 1998 (COPPA). (The Texas Data Privacy and Security Act defines a child as an individual under the age of 13.)
Purpose for Collection, Use, or Retention of Data - Sec. 541.202
Sec. 541.202, Collection, Use, or Retention of Data for Certain Purposes, of Subchapter E (Construction of Chapter; Exemptions for Certain Uses of Consumer Personal Data) lists the purposes for which the collection, use, or retention of consumer personal data is not restricted (i.e., a consumer’s deletion request does not have to be honored for data kept for these purposes), which are as follows:
- Conducting internal research to improve, repair, or develop products, services, or technology.
- Effecting a product recall.
- Detecting and fixing technical errors that weaken existing or intended functionality.
- Carrying out internal operations that are aligned with the consumer’s expectations, anticipated based on the consumer’s current relationship with the controller, or are compatible with processing data in continuance of the provision of a product or service.
Consumers’ Personal Rights - Sec. 541.051
Sec. 541.051 of Subchapter B (Consumer’s Rights) sets out the rights that consumers (data subjects) can exercise to protect their personal information. If the personal data belongs to a child, the parent or legal guardian may exercise the consumer rights on the child’s behalf. This Act grants consumers the following rights:
- The right to confirm whether the controller is processing their personal data and to access that data.
- The right to have inaccurate personal data corrected, taking into account the nature of the personal data and the purposes of processing it.
- The right to have their personal data deleted, whether the consumer provided the data to the controller or the controller obtained it from other sources.
- If the personal data is available in a digital format, the right to obtain a copy of it in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance.
- The right to opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect on the consumer.
Civil Penalty in Case of Non-Compliance with Texas Data Privacy Law
The Attorney General of Texas has the authority to enforce the Texas Data Privacy and Security Act. If a violation is committed, the Attorney General may issue a civil investigative demand, recover a civil penalty, seek injunctive relief, and recover attorney's fees and other reasonable expenses.
If a person violates this Act after the cure period or breaches a written statement provided to the Texas attorney general, a civil penalty of not more than $7,500 per violation may be imposed under Sec. 541.155.
Further, Sec. 541.154 of Subchapter D (Enforcement) defines how a violation may be cured and the period within which it can be cured. Before imposing a penalty, the Texas Attorney General may notify the person in writing, within 30 days, of the specific provisions the person has allegedly violated. No action may be brought against the person if:
- The violation is cured by the person within a period of 30 days.
- The person provides a written statement to the Texas attorney general confirming that they have cured the violation, notified the affected consumer that the privacy violation has been addressed, retained documentation as evidence of the cure, and changed internal policies to ensure that no further violations will take place.
Recommendations to Safeguard Consumer Personal Data
Businesses governed by the Texas Data Privacy and Security Act must limit the processing of Texas residents’ personal data to the purposes disclosed to consumers. Processing personal data without the consumers’ consent, or for purposes that are unnecessary, excessive, or incompatible with the purposes for which the data was collected, jeopardizes the safety of consumer data.
Sec. 521.052 of Subtitle B (Identity Theft) under Title 11 of the Business and Commerce Code prescribes measures that businesses must implement and maintain to protect sensitive personal information from unlawful use and unintended disclosure. Personal data that a business (including a non-profit sports or athletic association) is not supposed to retain but that is under its control or custody must be destroyed by erasure, shredding, or modification that renders the sensitive information indecipherable or unreadable.
Data wiping software that guarantees erasure beyond recovery, while generating proof of data destruction that can serve as evidence before supervisory authorities, can help ensure the protection of consumer personal data. BitRaser is certified by Common Criteria, NIST, and other bodies for its data-wiping efficacy and produces detailed real-time proof of erasure in the form of reports and certificates. The software helps data controllers and businesses comply with the Texas Data Privacy and Security Act and other regulations that aim to safeguard personal data, such as the CCPA, GLBA, EU GDPR, HIPAA, and the Virginia Consumer Data Protection Act.