By Blake Hollingsworth | Reporter
The Texas Data Privacy and Security Act is a new law that sets rules for how businesses can handle the personal data of Texas residents, requiring the businesses to meet strict compliance standards.
The legislation, which went into effect July 1, requires businesses to obtain consent before processing consumers’ sensitive data, according to Davis Wright Tremaine LLP. This, in turn, can prevent companies from misusing such data in a harmful manner.
Unlike many state-level data privacy laws, the TDPSA broadly covers businesses regardless of revenue or data volume. While small businesses defined by the Small Business Administration may be exempt, many entities face new regulatory scrutiny, making it hard for businesses that don’t already have systems in place to manage and protect consumer data, according to cyber law Professor David Reid.
“Those companies that don’t meet the purview of other data privacy laws and suddenly are finding themselves within the coverage of [TDPSA] may not have the robust compliance and management tools that likely are going to be required,” Reid said. “It’s just a very difficult operational thing to manage consent, corrections and to respond if there’s a huge compliance piece.”
Conversation around the TDPSA also highlighted the influence of technological advancements in data processing. These advancements have resulted in extensive privacy laws signifying a broader push to regulate the balance between business interests and consumer rights.
“The way technology and tech tools have advanced, it’s perhaps never been as easy to leverage data as it is today for businesses of any size,” Reid said. “When you take the ease of processing personal data with the increased importance to consumers of that data, because the scope of the data is expanding, many of us expect that the new ways of looking at or enforcing existing laws — that dynamic will continue.”
The Texas Attorney General’s enforcement of the law has already been felt, with the state recently reaching a $1.4 billion settlement with Meta over issues largely centered on biometric (physical characteristics) data privacy violations, according to the AG’s website. Texas has also targeted companies like Marriott and TikTok and sent compliance letters to numerous data brokers, Reid said.
Looking ahead, the TDPSA will require businesses to allow consumers to opt out of having their personal data sold and used for targeted advertising by 2025. Although this introduces another layer of complexity to compliance, Reid argued that it also presents an opportunity for companies to gain additional trust from their customers.
“If their [the company’s] mission and value proposition are, in part, dependent on consumer and brand loyalty, they have a real opportunity to be ahead of this and to be proactive with consumers in a way that can increase trust and brand loyalty,” Reid said.
Business law professor Lotte Bostick shared an anecdote demonstrating the pervasiveness of targeted advertising.
“My poor husband called somebody about solar panels on our house, and he constantly, for the last two years, has gotten telephone calls from solar panel providers,” Bostick said. “That causes frustration when you can’t turn it off.”
The broader implications of the TDPSA and similar state laws point to a growing emphasis on data privacy across the United States, particularly regarding the balance of consumer protection with business innovation.
“I’m encouraged by states balancing clear, thoughtful laws that support innovation while protecting consumers in these unprecedented technological times,” Reid said.