Texas Data Privacy Act: Application, Definitions, Rights, and Notice

Melissa Krasnow | July 21, 2023

The Texas Data Privacy and Security Act (TDPSA) will take effect July 1, 2024, except that Texas Bus. & Comm. Code § 541.055(e), which addresses a consumer's authorized agent opting out, on the consumer's behalf, of the processing of the consumer's personal data under Texas Bus. & Comm. Code §§ 541.051(b)(5)(A) and (B), among other things, as added by the TDPSA, will take effect January 1, 2025.

The Texas attorney general has exclusive authority to enforce the TDPSA.

This article discusses TDPSA application, definitions, consumer rights, and notice requirements. TDPSA controller and processor responsibilities, controller-processor contracts, data protection assessments, deidentified data, and Texas attorney general enforcement are discussed in "Texas Data Privacy Act: Controllers, Assessments, Data, Enforcement," and exceptions in the law are addressed in "Texas Data Privacy Act: Exceptions."

TDPSA Application

The TDPSA applies to a person that does the following.

  • Conducts business in Texas or produces a product or service consumed by Texas residents; and
  • Processes or engages in the sale of personal data; and
  • Is not a small business as defined by the US Small Business Administration, except to the extent that Texas Bus. & Comm. Code § 541.107 applies to such small business. 1

Under Texas Bus. & Comm. Code § 541.107, a small business may not engage in the sale of personal data that is sensitive data without receiving prior consent from the consumer.

TDPSA Definitions

"Consumer" means an individual who is a Texas resident acting only in an individual or household context and does not include an individual acting in a commercial or employment context.

"Controller" means an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data.

A determination of whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends on the context in which personal data is to be processed.

"Processor" means a person that processes personal data on behalf of a controller.

A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains in the role of a processor.

"Process" or "processing" means an operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.

"Personal data" means any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual, includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual, and does not include deidentified data or publicly available information.

"Identified or identifiable individual" means a consumer who can be readily identified, directly or indirectly.

"Pseudonymous data" means any information that cannot be attributed to a specific individual without the use of additional information, provided that the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.

"Deidentified data" means data that cannot reasonably be linked to an identified or identifiable individual or a device linked to that individual.

"Sale of personal data" means the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party and does not include the following.

  • The disclosure of personal data to a processor that processes the personal data on the controller's behalf;
  • The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
  • The disclosure or transfer of personal data to an affiliate of the controller;
  • The disclosure of information that the consumer:
    • Intentionally made available to the general public through a mass media channel; and
    • Did not restrict to a specific audience; or
  • The disclosure or transfer of personal data to a third party as an asset that is part of a merger or acquisition.

"Third party" means a person, other than a consumer, the controller, the processor, or an affiliate of the processor or the controller.

"Affiliate" means a legal entity that controls, is controlled by, or is under common control with another legal entity or shares common branding with another legal entity. "Control" or "controlled" means the following.

  • Ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company;
  • Control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or
  • Power to exercise controlling influence over the management of a company.

"Targeted advertising" means displaying to a consumer an advertisement that is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict the consumer's preferences or interests and does not include the following.

  • An advertisement that is the following.
    • Based on activities within a controller's own websites or online applications;
    • Based on the context of a consumer's current search query, visit to a website, or online application; or
    • Directed to a consumer in response to the consumer's request for information or feedback; or
  • The processing of personal data solely for measuring or reporting advertising performance, reach, or frequency.

"Profiling" means any form of solely automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

"Decision that produces a legal or similarly significant effect concerning a consumer" means a decision made by the controller that results in the provision or denial by the controller of financial and lending services; housing, insurance, or healthcare services; education enrollment; employment opportunities; criminal justice; or access to basic necessities, such as food and water.

"Consent," when referring to a consumer, means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer, includes a written statement, such as a statement written by electronic means, or any other unambiguous affirmative action, and does not include the following.

  • Acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information; or
  • Hovering over, muting, pausing, or closing a given piece of content; or
  • Agreement obtained through the use of dark patterns.

"Dark pattern" means a user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice and includes any practice the Federal Trade Commission refers to as a dark pattern.

"Sensitive data" means a category of personal data and includes the following.

  • Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexuality, or citizenship or immigration status; or
  • Genetic or biometric data that is processed for the purpose of uniquely identifying an individual; or
  • Personal data collected from a known child; or
  • Precise geolocation data.

"Child" means an individual younger than 13 years of age.

"Known child" means a child under circumstances where a controller has actual knowledge of, or willfully disregards, the child's age.

"Biometric data" means data generated by automatic measurements of an individual's biological characteristics, includes a fingerprint, voiceprint, eye retina or iris, or other unique biological pattern or characteristic that is used to identify a specific individual and does not include a physical or digital photograph or data generated from a physical or digital photograph, video, or audio recording or information collected, used, or stored for healthcare treatment, payment, or operations under the Health Insurance Portability and Accountability Act of 1996.

"Precise geolocation data" means information derived from technology, including global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet and does not include the content of communications or any data generated by or connected to an advanced utility metering infrastructure system or to equipment for use by a utility.

TDPSA Consumer Rights

A consumer is entitled to exercise consumer rights by submitting a request to a controller specifying the consumer rights the consumer wishes to exercise, including the following.

  • Right of access. A consumer has the right to confirm whether a controller is processing the consumer's personal data and to access the personal data.
  • Right to correction. A consumer has the right to correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data.
  • Right to deletion. A consumer has the right to delete personal data provided by or obtained about the consumer.
  • Right to data portability. If the data is available in a digital format, a consumer has the right to obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance.
  • Right to opt out. A consumer has the right to opt out of the processing of the personal data for purposes of the following.
    • Targeted advertising;
    • The sale of personal data; or
    • Profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose that process and the manner in which a consumer may exercise the right to opt out of that process.

TDPSA Notice Requirements

A controller must provide consumers with a reasonably accessible and clear privacy notice that includes all of the following.

  • The categories of personal data processed by the controller, including, if applicable, any sensitive data processed by the controller;
  • The purpose for processing personal data;
  • How consumers may exercise their consumer rights under Subchapter B of the TDPSA, including the process by which a consumer may appeal a controller's decision with regard to the consumer's request;
  • If applicable, the categories of personal data that the controller shares with third parties;
  • If applicable, the categories of third parties with which the controller shares personal data; and
  • A description of the methods required under Texas Bus. & Comm. Code § 541.055 through which consumers can submit requests to exercise their consumer rights under the TDPSA.

If a controller engages in the sale of personal data that is sensitive data, the controller must include the following notice: "NOTICE: We may sell your sensitive personal data."

If a controller engages in the sale of personal data that is biometric data, the controller must include the following notice: "NOTICE: We may sell your biometric personal data."

Each such notice must be posted in the same location and in the same manner as the privacy notice.

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.

Footnotes

1 See "Frequently Asked Questions," US Small Business Administration, Office of Advocacy, March 2023.