Cyber and Privacy Risk and Insurance

Texas Data Privacy Act: Exceptions

Melissa Krasnow | July 21, 2023


Texas Data Privacy and Security Act (TDPSA) application, definitions, consumer rights, and notice requirements are discussed in "Texas Data Privacy Act: Application, Definitions, Rights, and Notice." TDPSA controller and processor responsibilities, controller-processor contracts, data protection assessments, deidentified data, and Texas Attorney General enforcement are discussed in "Texas Data Privacy Act: Controllers, Assessments, Data, Enforcement." This article discusses exceptions to the TDPSA.

TDPSA Exceptions

The TDPSA does not apply to the following.

  • A state agency or a political subdivision of Texas;
  • A financial institution or data subject to Title V, Gramm-Leach-Bliley Act;
  • A covered entity or business associate governed by the privacy, security, and breach notification rules issued by the US Department of Health and Human Services, 45 C.F.R. Parts 160 and 164, established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act;
  • A nonprofit organization;
  • An institution of higher education; or
  • An electric utility, a power generation company, or a retail electric provider, as those terms are defined by Texas Utilities Code § 31.002.

The following information is exempt from the TDPSA.

  • Protected health information under HIPAA;
  • Health records;
  • Patient identifying information for purposes of 42 U.S.C. § 290dd-2;
  • Identifiable private information:
    • For purposes of the federal policy for the protection of human subjects under 45 C.F.R. Part 46;
    • Collected as part of human subjects research under the good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use (ICH) or of the protection of human subjects under 21 C.F.R. Parts 50 and 56; or
    • That is personal data used or shared in research conducted in accordance with the requirements set forth in the TDPSA or other research conducted in accordance with applicable law;
  • Information and documents created for purposes of the Health Care Quality Improvement Act of 1986;
  • Patient safety work product for purposes of the Patient Safety and Quality Improvement Act of 2005;
  • Information derived from any of the healthcare-related information listed in Texas Bus. & Comm. Code § 541.003 that is deidentified in accordance with the requirements for deidentification under HIPAA;
  • Information originating from, and intermingled to be indistinguishable with, or information treated in the same manner as, information exempt under Texas Bus. & Comm. Code § 541.003 that is maintained by a covered entity or business associate as defined by HIPAA or by a program or a qualified service organization as defined by 42 U.S.C. § 290dd-2;
  • Information that is included in a limited data set as described by 45 C.F.R. § 164.514(e), to the extent that the information is used, disclosed, and maintained in the manner specified by 45 C.F.R. § 164.514(e);
  • Information collected or used only for public health activities and purposes as authorized by HIPAA;
  • The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that the activity is regulated by and authorized under the Fair Credit Reporting Act;
  • Personal data collected, processed, sold, or disclosed in compliance with the Driver's Privacy Protection Act of 1994;
  • Personal data regulated by the Family Educational Rights and Privacy Act of 1974;
  • Personal data collected, processed, sold, or disclosed in compliance with the Farm Credit Act of 1971;
  • Data processed or maintained in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role;
  • Data processed or maintained as the emergency contact information of an individual under the TDPSA that is used for emergency contact purposes; or
  • Data that is processed or maintained and is necessary to retain to administer benefits for another individual that relates to an individual described by Texas Bus. & Comm. Code § 541.003(15) and used for the purposes of administering those benefits.

The TDPSA does not apply to the processing of personal data by a person in the course of a purely personal or household activity.

The TDPSA may not be construed to restrict a controller's or processor's ability to do the following.

  • Comply with federal, state, or local laws, rules, or regulations;
  • Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
  • Investigate, establish, exercise, prepare for, or defend legal claims;
  • Provide a product or service specifically requested by a consumer or the parent or guardian of a child; perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty; or take steps at the request of the consumer before entering into a contract;
  • Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another individual and in which the processing cannot be manifestly based on another legal basis;
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity;
  • Preserve the integrity or security of systems or investigate, report, or prosecute those responsible for breaches of system security;
  • Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board or similar independent oversight entity that determines the following.
    • If the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller;
    • Whether the expected benefits of the research outweigh the privacy risks; and
    • If the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification; or
  • Assist another controller, processor, or third party with any of the requirements under Texas Bus. & Comm. Code § 541.201(a).

The TDPSA may not be construed in the following ways.

  • To prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of Texas as part of a privileged communication;
  • As imposing a requirement on controllers and processors that adversely affects the rights or freedoms of any person, including the right of free speech; or
  • As requiring a controller, processor, third party, or consumer to disclose a trade secret.

The requirements imposed on controllers and processors under the TDPSA may not restrict a controller's or processor's ability to collect, use, or retain data to do the following.

  • Conduct internal research to develop, improve, or repair products, services, or technology;
  • Effect a product recall;
  • Identify and repair technical errors that impair existing or intended functionality; or
  • Perform internal operations that are the following.
    • Are reasonably aligned with the expectations of the consumer;
    • Are reasonably anticipated based on the consumer's existing relationship with the controller; or
    • Are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.

Personal data processed by a controller under Subchapter E of the TDPSA may not be processed for any purpose other than a purpose listed in Subchapter E of the TDPSA unless otherwise allowed by the TDPSA.

Personal data processed by a controller under Subchapter E of the TDPSA may be processed to the extent that the processing of the data is the following.

  • Reasonably necessary and proportionate to the purposes listed in Subchapter E of the TDPSA; and
  • Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in Subchapter E of the TDPSA.

Personal data collected, used, or retained under Texas Bus. & Comm. Code § 541.202(a) must, where applicable, take into account the nature and purpose of such collection, use, or retention. The personal data described by Texas Bus. & Comm. Code § 541.202(a) is subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data.

A controller that processes personal data under an exemption in Subchapter E of the TDPSA bears the burden of demonstrating that the processing of the personal data qualifies for the exemption and complies with the requirements of Texas Bus. & Comm. Code § 541.204(a) and (b).

A requirement imposed on a controller or processor under the TDPSA does not apply if compliance with the requirement by the controller or processor, as applicable, would violate an evidentiary privilege under the laws of Texas.


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.