Texas Data Privacy and Security Act – Part 1: Applicability 

In a digital era marred by big data monetization and weaponization and culminating in a renewed privacy awakening, Texas has taken a substantial first step toward protecting the privacy of its residents with the enactment of the Texas Data Privacy and Security Act (TDPSA). Taking effect on July 1, 2024, this new comprehensive privacy framework represents the state’s approach to requiring individual rights and organizational safeguards concerning personal data. While the TDPSA is designed for broad application, it includes specific applicability and exclusion provisions. 

An organization must comply with the TDPSA if it: 

(1) conducts business in Texas or produces a product or service consumed by Texas residents; 

(2) processes or engages in the sale of personal data; and 

(3) is not a small business as defined by the United States Small Business Administration, unless sensitive data is sold.

The TDPSA exempts certain organizations and data. The law specifically exempts from applicability state agencies and political subdivisions; financial institutions subject to the Gramm-Leach-Bliley Act; covered entities or business associates governed by HIPAA privacy, security, and breach notification rules; nonprofit organizations, institutions of higher education; and electric utilities, power generation companies, and retail electric providers.

The law also exempts several categories of data, including: HIPAA protected health information; data subject to the Gramm-Leach-Bliley Act; health records; patient identifying information for purposes of 42 U.S.C. Section 290dd-2; identifiable private information for purposes of the federal protection of human rights under 45 C.F.R. Part 46, collected as part of human subject research, or that is personal data used or shared in research conducted in accordance with law; information and documents created for purposes of the Health Care Quality Improvement Act of 1986; patient safety work product for purposes of the Patient Safety and Quality Improvement Act of 2005; health information that is de-identified in accordance with HIPAA regulations; information exempt by the TDPSA that is maintained by a HIPAA covered entity or business associate or by a program or qualified service organization as defined by 42 U.S.C. Section 290dd-2; certain information that is included in a limited dataset as described by 45 C.F.R. Section 164.514(e); information collected or used only for public health activities and purposes as authorized by HIPAA; personal information regulated by the Fair Credit Reporting Act; personal data collected, processed, sold, or disclosed in compliance with the Driver’s Privacy Protection Act of 1994; personal data regulated by the Family Educational Rights and Privacy Act of 1974; personal data collected, processed, sold, or disclosed in compliance with the Farm Credit Act of 1971; certain employment data and data necessary to administer benefits for another individual; information used for emergency contact purposes.

Additionally, the TDPSA does not apply to processing of personal data by a person in the course of purely personal or household activity. 

The TDPSA along with the Texas Identity Theft Enforcement and Protection Act each represents the growing trend of states taking a more comprehensive approach to ensuring the privacy and security of consumer data. By establishing organizational obligations and clear penalties for non-compliance, the TDPSA is poised to enhance data protection, empower consumers, and reduce distrust in this digital age. Organizations subject to the TDPSA should prioritize compliance efforts in advance to the TDPSA effective date to mitigate organizational risk.