Texas is joining a growing number of states in passing comprehensive privacy legislation intended to safeguard consumer personal data.[1] Specifically, the Texas Data Privacy and Security Act (the “Act”) adds protections for consumers[2] and their personal data, which includes any information that is linked or reasonably linkable to an identified or identifiable individual.[3]

The Act operationalizes its core goals by empowering consumers with certain rights while also imposing a number of significant duties on parties controlling or otherwise processing consumer personal data, including persons and entities which:

  1. Conduct business in the State of Texas or produce a product or service that is consumed by residents of Texas;
  2. Process or sell personal data; and
  3. Do not qualify as a “small business” as defined by the U.S. Small Business Administration.[4]

It is important to note that although the Act expressly exempts covered entities and business associates which are governed by HIPAA,[5] the Act may still be pertinent to players within the healthcare space which are not subject to HIPAA.

Duties of Controllers and Processors

The Act imposes a number of specific duties on qualifying controllers[6] of personal data, including by way of example that they:

  1. Limit collection of personal data to data which is adequate, relevant, and reasonably necessary for the purposes for which such personal data is being processed;[7]
  2. Implement and maintain reasonable administrative, technical, and physical data security practices as appropriate in light of the volume and nature of the personal data at issue;[8]
  3. Establish two (2) or more “secure and reliable” methods for consumers to submit requests regarding their personal data;[9]
  4. Provide consumers with notices regarding how their data is being processed as well as of their rights, as more particularly detailed below;[10]
  5. Disclose to consumers the fact that the controller sells personal data to third parties (to the extent applicable) and explain how a consumer can opt out;[11]
  6. Disclose to consumers processing of personal data for targeted advertising (to the extent applicable) and explain how a consumer can opt out;[12] and
  7. Take certain steps to protect and preserve deidentified data to the extent the controller maintains such data.[13]

The Act also requires that each controller complete a data protection assessment[14] which, in many respects, mimics the security risk analysis required by HIPAA, but with a more consumer-oriented focus. In particular, an assessment must address the sale of personal data, processing of personal data for targeted advertising purposes, processing of sensitive data, or processing which presents a reasonably foreseeable risk of harm to consumers, among other items.[15]

The Act also imposes a number of duties on processors.[16]

Consumer Rights

The Act further empowers consumers by allowing them to request certain actions or information from controllers and by requiring that controllers comply with such requests.[17] For example, controllers must:

  1. Confirm whether the controller is processing the consumer’s personal data;
  2. Provide access to the requesting consumer’s personal data that the controller is processing;
  3. Correct inaccuracies in the consumer’s personal data;
  4. Delete personal data provided by or otherwise obtained from the consumer;
  5. Provide a copy of certain of the consumer’s personal data if such personal data is in a digital format and it is technically feasible to provide a copy; and
  6. Allow the consumer to opt out of the processing of the consumer’s personal data for purposes of targeted advertising, sale of personal data, or certain profiling-related activities.[18]

Additional Considerations

The Act includes a number of additional provisions that are worthy of note, including:

  • Contractual provisions seeking to waive or otherwise limit a consumer’s rights under the Act are considered to be void as against public policy.[19]
  • The Act provides the Texas Attorney General with exclusive jurisdiction to enforce the Act as there is currently no private cause of action for consumers.[20]
  • The Act authorizes civil penalties not to exceed $7,500 per violation.[21]

Putting it Into Practice

Businesses operating in Texas should assess whether the Act will apply to their activities. If the Act is applicable, businesses should begin assessing whether their current (or intended) operations are compatible with the Act’s limitations and should begin conducting a data protection assessment to identify any vulnerabilities. In addition, businesses should begin preparing policies, procedures, and other systems to ensure they are ready to respond to consumer requests.