The Texas comprehensive privacy law, known as the Texas Data Privacy and Security Act (TDPSA), goes into effect on Monday, July 1, 2024. One of the first steps of complying with the act is to conduct a Data Protection Impact Assessment. This is a process that helps organizations identify and minimize risks associated with processing personal data. DPIAs are a key component of compliance with the federal government’s General Data Protection Regulation.
In Texas, data protection impact assessments will be required by businesses that sell private data or use it for targeted advertising. When personal data is used for profiling, a data protection assessment will be required if profiling presents a reasonably foreseeable risk of discriminatory treatment. In contrast to most other State Data Privacy Laws, Texas does not provide any data processing or revenue thresholds for applicability purposes. However, Texas is similar to most other State Data Privacy Laws with respect to certain exclusions and exemptions.
For example, the Texas law only applies to personal data collected from "an individual who is a resident of [the] state." It expressly excludes personal data collected or processed from individuals acting in an employment or commercial context (e.g., business-to-business activities). The Texas law also does not apply to the processing of personal data by a person "in the course of a purely personal or household activity."
Many companies that do not meet the thresholds for other states’ laws can be subject to Texas’ requirements. It’s common for companies to be subject only to the California and Texas requirements but not any of the other states’ current comprehensive privacy laws.
Here are some steps for conducting a DPIA:
1. Identify the need: Make sure the need to process personal information (PII) is necessary and justified
2. Describe the processing: Explain how data is collected and processed, including the purpose and why it's being done
3. Consider consultation: Consult with the relevant parties
4. Assess necessity and proportionality: Determine if the use of personal data is necessary to achieve the goal and if the privacy breach is proportionate to the objective
5. Identify and assess risks: Consider the potential physical, emotional, or material harm the processing could cause to individuals, such as identity theft, loss of access to services, or loss of confidentiality
6. Identify measures to mitigate risks: Decide on measures to minimize or prevent privacy risks, and to comply with the GDPR
7. Sign off and record outcomes: Record the outcomes of the DPIA
In Texas, there is no private right of action. Only the Attorney General may enforce the TDPSA. In addition, the law includes a 30-day notice and cure period before the Attorney General may bring an action. Violations can result in civil penalties not to exceed $7,500 per violation.
Should you have any questions or concerns about the Legal Issues addressed in this blog post, please reach out to Derek Saunders, Keith Strahan, or Richard Armstrong of our firm, shown here: https://lfbrown.law/our-team