
Texas Data Privacy Act: Controllers, Assessments, Data, Enforcement

Melissa Krasnow | July 21, 2023


Texas Data Privacy and Security Act (TDPSA) application, definitions, consumer rights, and notice requirements are discussed in "Texas Data Privacy Act: Application, Definitions, Rights, and Notice." This article discusses TDPSA controller and processor responsibilities, controller-processor contracts, data protection assessments, deidentified data, and Texas attorney general enforcement. Exceptions in the law are addressed in "Texas Data Privacy Act: Exceptions."

TDPSA Controller Responsibilities

A controller must do the following.

  • Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which that personal data is processed, as disclosed to the consumer; and
  • For purposes of protecting the confidentiality, integrity, and accessibility of personal data, establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue.

A controller may not do the following.

  • Except as otherwise provided by the TDPSA, process personal data for a purpose that is neither reasonably necessary to nor compatible with the disclosed purpose for which the personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent;
  • Process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers;
  • Discriminate against a consumer for exercising any of the consumer rights contained in the TDPSA, including by denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer; or
  • Process the sensitive data of a consumer without obtaining the consumer's consent, or, in the case of processing the sensitive data of a known child, without processing that data in accordance with the Children's Online Privacy Protection Act of 1998.

Texas Bus. & Comm. Code § 541.101(b)(3) may not be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised the consumer's right to opt out under Texas Bus. & Comm. Code § 541.051 or the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.

TDPSA Processor Responsibilities

A processor must adhere to the instructions of a controller and must assist the controller in meeting or complying with the controller's duties or requirements under the TDPSA, including the following.

  • Assisting the controller in responding to consumer rights requests submitted under Texas Bus. & Comm. Code § 541.051 by using appropriate technical and organizational measures, as reasonably practicable, taking into account the nature of processing and the information available to the processor;
  • Assisting the controller with regard to complying with the requirement relating to the security of processing personal data and to the notification of a breach of security of the processor's system under Chapter 521 of the Texas Bus. & Comm. Code, taking into account the nature of processing and the information available to the processor; and
  • Providing necessary information to enable the controller to conduct and document data protection assessments under Texas Bus. & Comm. Code § 541.105.

TDPSA Controller-Processor Contracts

A contract between a controller and a processor must govern the processor's data processing procedures with respect to processing performed on behalf of the controller and must include the following.

  • Clear instructions for processing data;
  • The nature and purpose of processing;
  • The type of data subject to processing;
  • The duration of processing;
  • The rights and obligations of both parties; and
  • A requirement that the processor must do the following.
    • Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
    • At the controller's direction, delete or return all personal data to the controller as requested after the provision of the service is completed, unless retention of the personal data is required by law;
    • Make available to the controller, on reasonable request, all information in the processor's possession necessary to demonstrate the processor's compliance with the requirements of the TDPSA;
    • Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor; and
    • Engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the requirements of the processor with respect to the personal data.

Notwithstanding the requirement described by Texas Bus. & Comm. Code § 541.104(b)(6)(D), a processor, in the alternative, may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the requirements under the TDPSA using an appropriate and accepted control standard or framework and assessment procedure. The processor must provide a report of the assessment to the controller on request.

TDPSA Data Protection Assessments

A controller must conduct and document a data protection assessment of each of the following processing activities involving personal data.

  • The processing of personal data for purposes of targeted advertising;
  • The sale of personal data;
  • The processing of personal data for purposes of profiling, if the profiling presents a reasonably foreseeable risk of the following.
    • Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
    • Financial, physical, or reputational injury to consumers;
    • A physical or other intrusion on the solitude or seclusion, or the private affairs or concerns, of consumers, if the intrusion would be offensive to a reasonable person; or
    • Other substantial injury to consumers;
  • The processing of sensitive data; and
  • Any processing activities involving personal data that present a heightened risk of harm to consumers.

Such data protection assessment must do the following.

  • Identify and weigh the direct or indirect benefits that may flow from the processing to the controller, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with that processing, as mitigated by safeguards that can be employed by the controller to reduce the risks; and
  • Factor into the assessment the following.
    • The use of deidentified data;
    • The reasonable expectations of consumers;
    • The context of the processing; and
    • The relationship between the controller and the consumer whose personal data will be processed.

A single data protection assessment may address a comparable set of processing operations that include similar activities.

A data protection assessment conducted by a controller for the purpose of compliance with other laws or regulations may constitute compliance with the requirements of Texas Bus. & Comm. Code § 541.105 if the assessment has a reasonably comparable scope and effect.

Data protection assessments required to be conducted under Texas Bus. & Comm. Code § 541.105, as added by the TDPSA, apply only to processing activities generated after July 1, 2024, and are not retroactive.

TDPSA Deidentified Data

A controller in possession of deidentified data must do the following.

  • Take reasonable measures to ensure that the data cannot be associated with an individual;
  • Publicly commit to maintaining and using deidentified data without attempting to reidentify the data; and
  • Contractually obligate any recipient of the deidentified data to comply with the provisions of the TDPSA.

The TDPSA may not be construed to require a controller or processor to do the following.

  • Reidentify deidentified data or pseudonymous data;
  • Maintain data in identifiable form or obtain, retain, or access any data or technology for the purpose of allowing the controller or processor to associate a consumer request with personal data; or
  • Comply with an authenticated consumer rights request under Texas Bus. & Comm. Code § 541.051, if the controller does the following.
    • Is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data;
    • Does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data or associate the personal data with other personal data about the same specific consumer; and
    • Does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted by Texas Bus. & Comm. Code § 541.106.

The consumer rights under Texas Bus. & Comm. Code § 541.051(b)(1)-(4) and the controller duties under Texas Bus. & Comm. Code § 541.101 do not apply to pseudonymous data in cases in which the controller is able to demonstrate that any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information.

A controller that discloses pseudonymous data or deidentified data must exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or deidentified data is subject and must take appropriate steps to address any breach of the contractual commitments.

TDPSA Enforcement

The Texas attorney general has exclusive authority to enforce the TDPSA.

Before bringing an action under Texas Bus. & Comm. Code § 541.155, the Texas attorney general must notify a person in writing, not later than the 30th day before bringing the action, identifying the specific provisions of the TDPSA that the Texas attorney general alleges have been or are being violated. The Texas attorney general may not bring an action against the person if the following occurs.

  • Within the 30-day period, the person cures the identified violation; and
  • The person provides the Texas attorney general a written statement that the person has done the following.
    • Cured the alleged violation;
    • Notified the consumer that the consumer's privacy violation was addressed, if the consumer's contact information has been made available to the person;
    • Provided supportive documentation to show how the privacy violation was cured; and
    • Made changes to internal policies, if necessary, to ensure that no such further violations will occur.

A person that violates the TDPSA following the cure period described by Texas Bus. & Comm. Code § 541.154 or that breaches a written statement provided to the Texas attorney general under Texas Bus. & Comm. Code § 541.154 is liable for a civil penalty not to exceed $7,500 for each violation.

The Texas attorney general may bring an action to do the following.

  • Recover a civil penalty under Texas Bus. & Comm. Code § 541.154;
  • Restrain or enjoin the person from violating the TDPSA; or
  • Recover the civil penalty and seek injunctive relief.

A person that violates Texas Bus. & Comm. Code § 541.107 is subject to the above penalty under Texas Bus. & Comm. Code § 541.155.

The Texas attorney general may recover reasonable attorneys' fees and other reasonable expenses incurred in investigating and bringing an action under Texas Bus. & Comm. Code § 541.155.

The TDPSA may not be construed as providing a basis for, or being subject to, a private right of action for a violation of the TDPSA or any other law.
