With the Texas Data Privacy and Security Act (TDPSA) on the verge of taking effect on July 1, 2024, the State’s Attorney General, Ken Paxton, recently launched an initiative for “aggressive enforcement of Texas privacy laws.” As part of the initiative, Paxton has established a team that will focus on the enforcement of Texas’ privacy protection laws, including the TDPSA, along with federal laws like the Children’s Online Privacy Protection Act (COPPA).
Most of the 15-plus states with comprehensive privacy laws exclude from their scope organizations that do not meet significant data volume thresholds (e.g., processing data related to at least 100,000 state residents). The TDPSA, by contrast, applies, with limited exceptions, to any organization that conducts business in the state of Texas or produces a product or service consumed by Texas residents. In contrast to the California Consumer Privacy Act (CCPA), the TDPSA excludes human resources and business-to-business data. But aside from this exclusion, if an organization processes the personal data of consumers residing in Texas, there is a good chance it will be in scope.
Organizations that have programs in place to comply with the CCPA will have a head start toward compliance with the TDPSA. That said, there are aspects of the TDPSA that differ from or go beyond the CCPA. For instance, the TDPSA requires:
- the inclusion of specific privacy policy disclosures related to the sale of biometric or sensitive personal data;
- the collection of consent before processing personal data for previously undisclosed purposes or processing sensitive personal data;
- data protection assessments in connection with processing sensitive personal data, selling personal data, or using it for targeted advertising;
- the inclusion of specific provisions in vendor agreements; and
- a mechanism for consumers to appeal the denial of their requests to exercise their TDPSA rights.