Your website have users accessing from Texas? So be ready… the Texas Data Privacy and Security Act is here to shake things up. Don't worry; we've got your back. This guide will walk you through everything you need to know to ensure your website complies with the new regulations.

Let's dive in!

The Texas Data Privacy and Security Act (TDPSA) is Texas's answer to growing concerns about data privacy. Signed into law recently, it aims to protect the personal information of Texas residents. The law places new obligations on businesses regarding data collection, storage, and sharing. If your website has visitors from Texas, you'll need to pay attention to this law.

The TDPSA is designed to protect the privacy of residents in Texas. It sets out rules and guidelines for how companies should handle personal information. This act is similar to other privacy laws, like the CCPA in California, GDPR in Europe, PIPEDA in Canada, but with some specific rules tailored for Texas.

Personal data refers to any information that can identify an individual, either directly or indirectly. This includes: names, addresses, email addresses, and even IP addresses. Essentially, if a piece of information can be traced back to a specific person, it's considered personal data.

Sensitive data is a subset of personal data that requires extra protection due to its nature. This includes information like race, ethnicity, religious beliefs, health information, and biometric data (like fingerprints). Handling sensitive data comes with stricter requirements to ensure it's protected appropriately.

Consent under the TDPSA means that individuals must give clear and explicit permission for their personal data to be collected and used. This is often managed through cookie banners and banners that users must agree to before their data is collected.

Important

The consent must be informed, meaning users should understand what they are agreeing to.

Consent is a crucial aspect of the TDPSA, as it ensures that users are fully aware of and agree to how their personal data is being collected, used, and shared. Here's what you need to know about obtaining consent:

1. Explicit Consent: You must obtain explicit consent from users before collecting their personal data. This means users should take a clear affirmative action, such as ticking a checkbox or clicking an “I Agree” button. Passive acceptance, like pre-ticked boxes or default settings, doesn’t count.

2. Clear Information: When asking for consent, provide clear and concise information about what data you’re collecting, why you’re collecting it, how it will be used, and with whom it will be shared. Avoid legal jargon and make sure the information is easily understandable.

3. Granular Consent: Allow users to consent to different types of data collection separately. For example, users should be able to agree to cookies for site functionality but reject cookies for advertising purposes.

4. Easy Withdrawal: Make it just as easy for users to withdraw their consent as it was to give it. Include simple and accessible options for users to change their consent preferences at any time.

5. Record Keeping: Keep detailed records of consent. This includes the data subject's identity, the time and date consent was given, and the specific information provided at the time of consent. This is crucial for demonstrating compliance if audited.

A controller is an entity (like a company) that decides how and why personal data is processed. If your company determines the purpose and means of processing personal data, you are considered a controller. For example, an online store that collects and analyzes customer data to improve their services would be a controller.

The same happens with local and offline businesses like schools, clinics, pet shops, farmacies, etc. If you collect user/customer data you are considered a controller.

A processor is an entity that processes personal data on behalf of a controller. This could be a third-party service that handles data analytics or customer management. They don't decide what to do with the data; they just process it according to the controller's instructions.

For example: You have an Italian Restaurant chain that sells in-store and delivery. If you have a company/contractor receiving the orders with: Name, Address and Phone in order to deliver the pizza… This "entity" can be considered a processor for the data your company collects.

Get your business complied with the TDPSA today! Schedule a demo with our specialist today!

The Texas Data Privacy and Security Act (TDPSA) applies to any business that collects personal information from Texas residents. Whether you're a small business or a large corporation, if you handle personal data of Texans, this law affects you. It's important to understand that this isn't just about companies based in Texas; even if your business is located elsewhere but you serve Texas customers, you need to comply.

Not all businesses fall under the TDPSA. There are certain exemptions, such as:

• Small Businesses: Some very small businesses might be exempt if they don't meet certain thresholds in revenue or the amount of data processed.

• Nonprofits: Many nonprofit organizations are also exempt.

• Certain Types of Data: If the data you're handling is already regulated by other laws, such as HIPAA for medical information, you might be exempt from TDPSA.

Tip

It's crucial to verify if your business qualifies for any exemptions to avoid unnecessary compliance efforts.

Under the TDPSA, consumers have the right to know what personal data a business holds about them. This means they can request a detailed report of all the data collected, stored, and used by the business. It's a way to ensure transparency and give individuals control over their personal information.

If a consumer finds that the data a business holds about them is incorrect or outdated, they have the right to request corrections. This ensures that the information remains accurate and relevant, preventing potential issues from using incorrect data.

Consumers can also ask businesses to delete their personal data. Known as the "right to be forgotten," this allows individuals to have their data removed from a company's databases. There are some exceptions, such as when the data is required for legal reasons or ongoing services, but generally, this right provides significant control to the consumer.

Data portability is the right to receive personal data in a format that can be easily transferred to another service provider. This means consumers can ask for their data in a structured, commonly used, and machine-readable format, making it easier to switch services or products without losing their data.

Consumers can opt out of having their personal data sold or used for targeted advertising. This is particularly relevant for digital marketing, where consumer data is often used to tailor ads. By opting out, individuals can prevent their data from being used in ways they are not comfortable with.

The TDPSA ensures that consumers exercising their privacy rights are not discriminated against. This means that businesses cannot deny services, charge different prices, or provide a different level of quality just because a consumer has exercised their privacy rights.

If a business denies a consumer's request to exercise any of these rights, the consumer has the right to appeal the decision. This adds an extra layer of protection, ensuring that businesses comply with the law and respect consumer rights.

If you need to teach your visitors how to delete the cookies in their browser, feel free to use this guide.

Under the TDPSA, businesses, also known as controllers, are required to collect and use personal data only for specific, clearly defined purposes. This means you can't gather data for one reason and then decide to use it for something entirely different without informing and getting consent from the individual. This principle ensures that data is not misused and that users are aware of how their information will be utilized.

Data security is a critical component of the TDPSA. Businesses must implement appropriate measures to protect personal data from unauthorized access, loss, or damage. This includes using encryption, secure storage solutions, and regular security audits. Ensuring robust data security helps prevent breaches and protects the sensitive information of individuals.

A Data Protection Assessment (DPA) is a thorough review of how personal data is handled within your organization. It involves identifying potential risks to data privacy and determining how to mitigate those risks. Conducting a DPA is essential for compliance, as it helps businesses understand their data flows and identify areas that need improvement.

Consent is a cornerstone of data privacy under the TDPSA. Businesses must obtain clear and explicit consent from individuals before collecting, using, or sharing their personal data. This is often managed through cookie banners and notices that require users to agree before proceeding.

Info

It's important to make sure that the consent is informed, meaning users fully understand what they are agreeing to.

The TDPSA prohibits businesses from discriminating against individuals who exercise their privacy rights. This means you can't deny services, charge higher prices, or provide a lower quality of service to users who opt out of data collection or request deletion of their data. Ensuring nondiscrimination is key to maintaining trust and fairness in your data practices.

A privacy notice is a document that informs individuals about how their personal data is collected, used, and protected by your business. Under the TDPSA, it's mandatory to provide a clear and easily accessible privacy notice that details your data practices. This notice should cover what data is collected, why it's collected, how it's used, and who it's shared with.

What is the ideal privacy policy for your company?

The TDPSA supports a universal opt-out signal, allowing consumers to opt out of data processing for specific purposes, such as targeted advertising. This signal can be sent from the consumer’s device and should be recognized and respected by your systems. Implementing a universal opt-out mechanism ensures that user preferences are consistently honored across different platforms and services.

If your business works with third-party vendors who process personal data on your behalf, you need to have data processing agreements in place. These agreements outline the responsibilities of each party and ensure that the data is handled in compliance with the TDPSA. It's crucial to choose vendors who adhere to strict data privacy standards and include specific clauses about data protection in your contracts.

This is a guide to help you mapping all the data in your company

—-------

To simplify managing these obligations and ensure full compliance with the TDPSA, consider using a CMP like AdOpt. It helps streamline consent management, data processing agreements, and privacy notices, making compliance easier for your business.

Interested in learning how AdOpt can help your business comply with the TDPSA? Schedule a demo with our specialist today!

Under the Texas Data Privacy and Security Act (TDPSA), businesses that fail to comply with the regulations can face significant fines and penalties. The law is designed to ensure that companies take data privacy seriously. Penalties can range from monetary fines to more severe actions, depending on the nature and severity of the violation.

For instance, repeated or intentional violations may result in higher fines. It’s crucial for businesses to understand these consequences and take steps to comply with the TDPSA to avoid these penalties.

1. Violation Penalties: Each violation of the TDPSA can result in a fine of up to $7,500. Importantly, each instance of non-compliance is considered a separate violation. For example, if you fail to obtain consent for 1,000 users, that could mean 1,000 individual violations.

2. Cumulative Fines: Because penalties are per violation, fines can accumulate rapidly. For instance, if you have multiple compliance issues across various aspects of data processing, the total fines could be substantial.

3. Enforcement: The Texas Attorney General is responsible for enforcing the TDPSA. This includes investigating complaints, conducting audits, and taking legal action against non-compliant businesses. The Attorney General’s office has broad authority to enforce compliance and seek remedies for violations.

4. Mitigating Factors: When determining the amount of a fine, the Attorney General may consider several factors, including the severity and duration of the violation, the number of affected consumers, the level of intent, and the business’s efforts to comply with the law.

5. Avoidance and Mitigation: To avoid fines, businesses should conduct regular audits of their data practices, train staff on data protection requirements, and implement robust compliance programs. Proactive measures, such as appointing a data protection officer or using privacy-enhancing technologies, can also mitigate risks.

Here’s a quick rundown of your main obligations under the TDPSA:

1. Transparency: Clearly inform users about data collection practices.

2. Data Security: Implement robust security measures to protect user data.

3. Data Access: Allow users to access, correct, or delete their personal data.

4. Opt-Out: Provide easy ways for users to opt-out of data collection or sale.

5. Data Minimization: Only collect data that is necessary for the stated purpose.

Here’s how the TDPSA stacks up against other states privacy laws:

Law	State	Revenue Threshold	Data Processing	Consent Required	Fines
TDPSA	Texas	$25M	50,000 residents	Yes	Up to $7,500 per violation
CCPA	California	$25M	50,000 residents or 50% revenue	Yes	Up to $7,500 per violation
TIPA	Tennessee	N/A	25,000 residents or 50% revenue	Yes	Up to $7,500 per violation
VCDPA	Virginia	$25M	100,000 residents or 50% revenue	Yes	Up to $7,500 per violation
CTDPA	Connecticut	N/A	100,000 residents or 25% revenue	Yes	Up to $7,500 per violation
OCPA	Oregon	$25M	100,000 residents	Yes	Up to $7,500 per violation
FDBR	Florida	-	50,000 residents or 50% revenue	Yes	Up to $5,000 per violation
CPA	Colorado	$25M	100,000 residents or 25% revenue	Yes	Up to $20,000 per violation

And here’s a look at how TDPSA compares globally:

Preparing for TDPSA compliance involves several steps that ensure your business meets all the requirements set out by the law. Here’s how to get started:

1. Conduct a Data Mapping Exercise: Identify all the personal data your business collects, where it’s stored, and how it’s processed. This process, known as data mapping, helps you understand the flow of data within your organization.

2. Implement a Privacy Policy: Develop a clear and comprehensive privacy policy that outlines how you handle personal data. This policy should be easily accessible to your customers and include details about data collection, use, and sharing practices.

3. Appoint a Data Protection Officer: If required, appoint a Data Protection Officer (DPO) to oversee your data privacy efforts and ensure compliance with the TDPSA.

4. Use a CMP: Implement a Consent Management Platform (CMP) like AdOpt to manage user consents efficiently. A CMP helps you track and manage consents, ensuring that you have the necessary permissions to collect and process personal data.

5. Educate Your Team: Train your employees on the importance of data privacy and the specific requirements of the TDPSA. Regular training sessions can help ensure that everyone in your organization understands their role in maintaining compliance.

The TDPSA requires businesses to obtain clear and explicit user consent before collecting or processing any personal data through cookies. This means that users must be informed about what data is being collected and for what purpose, and they must agree to it before the cookies are activated. This is typically managed through a cookie banner that appears when a user visits your website.

A cookie banner must be clear, concise, and provide all necessary information about data collection. It should include options for users to accept or reject different types of cookies, ensuring they have control over their personal data. The banner should be easily accessible and not obscure the content of your website, providing a user-friendly experience.

Cookie banners are a visible way to inform users about data collection practices through cookies and to obtain their consent. Here’s how to implement an effective cookie banner in line with the TDPSA:

1. Visibility: The cookie banner should be immediately visible when a user visits your site. It should not be hidden away in the footer or require scrolling to find.

2. Informative: Clearly state what cookies are being used, what data they collect, and the purpose of this data collection. Be transparent about both first-party and third-party cookies.

3. Options: Provide users with clear options to accept or reject different types of cookies. Typically, these include essential cookies (necessary for website functionality), performance cookies (used for analytics), and targeting cookies (used for advertising).

4. Detailed Information: Include a link to a detailed cookie policy where users can learn more about your cookie practices. This policy should be easy to understand and provide comprehensive information about each type of cookie used.

5. No Cookie Walls: Avoid using cookie walls that force users to accept cookies to access the site. Users should be able to reject non-essential cookies and still use your website.

6. Compliance Tools: Consider using a Consent Management Platform (CMP) to manage cookie consents. CMPs can help automate the process of obtaining and storing consent, ensuring compliance with TDPSA.

Managing cookie preferences involves giving users the ability to change their consent choices at any time. This can be done through a cookie consent management platform (CMP) that allows users to update their p

Privacy Regulations are an opportunity for Marketing Agencies - Learn more!

Complying with the Texas Data Privacy and Security Act (TDPSA) can seem daunting, but breaking it down into manageable steps can make the process smoother. Here’s a straightforward guide to help your business stay compliant:

1. Understand the Requirements: Familiarize yourself with the specifics of the TDPSA. Know what data you collect, how it’s used, and the obligations you have under the law.

2. Conduct Data Mapping: Perform a data mapping exercise to identify where all personal data is stored and processed in your organization. This helps in understanding data flow and pinpointing areas that need attention.

3. Update Privacy Policies: Create or update your privacy policy to reflect TDPSA requirements. Ensure it includes details on data collection, usage, sharing, and the rights of individuals.

4. Implement Consent Management: Use a CMP like AdOpt to manage user consents efficiently. This platform helps you gather and record consents in compliance with the law.

5. Train Your Team: Educate your employees on TDPSA requirements and best practices for data handling. Regular training ensures everyone understands their role in maintaining compliance.

6. Monitor and Update: Continuously monitor your compliance efforts and update your practices as needed. Regular audits can help identify and rectify any issues promptly.

Complying with the TDPSA can present several challenges. Here are some common issues and how to address them:

• Data Inventory Management: Keeping track of all the data your business collects can be challenging. Implementing robust data mapping tools and practices can help you maintain an accurate inventory.

• Obtaining Consent: Ensuring that you have clear and explicit consent from users can be tricky. Using a comprehensive cookie banner can help in clearly communicating consent requests to users.

• Staying Updated with Regulations: Privacy laws can change, making it difficult to stay compliant. Regularly reviewing updates to the law and adapting your practices accordingly is essential. Consider subscribing to industry updates or working with a dedicated data protection officer to stay informed.

To ensure ongoing compliance with the TDPSA, here are some best practices to follow:

• Adopt Privacy by Design: Incorporate privacy by design principles into your operations. This means considering privacy at every stage of your data processing activities.

• Use a Reliable CMP: A trusted Consent Management Platform like AdOpt can simplify managing user consents and compliance efforts. It helps in tracking consent, providing transparency, and updating preferences.

• Regular Audits: Conduct regular data audits to ensure compliance and identify any potential issues. These audits can help you stay on top of your data management practices and make necessary adjustments.

• Clear Communication: Maintain clear and transparent communication with your users about how their data is used and their rights. This builds trust and ensures users are informed about your data practices.

10 risky processes you should rethink under a privacy regulation

---

To make managing compliance easier and more efficient, consider using AdOpt, a Google-certified CMP that is highly rated on platforms like G2 AdOpt can help you implement these best practices and ensure that your business stays compliant with the TDPSA.

Navigating the complexities of the Texas Data Privacy and Security Act (TDPSA) can be challenging. If you're feeling overwhelmed or unsure about how to ensure your business is fully compliant, you're not alone. Many businesses struggle with understanding and implementing the necessary steps to protect personal data and meet regulatory requirements. That's where we come in.

At AdOpt, we specialize in helping businesses like yours navigate the intricacies of data privacy laws. Our Google-certified Consent Management Platform (CMP) is designed to make compliance straightforward and efficient. Whether you need assistance with data mapping, setting up cookie banners, or updating your privacy policies, our team of experts is here to help.

Don't let compliance challenges hold your business back. Reach out to us for personalized support and solutions tailored to your specific needs.

AdOpt is the best for TDPSA cookie compliance! Schedule a demo with our specialist today! Our experts will walk you through the features and benefits of our platform, and show you how we can help you stay compliant and protect your customers' data effectively.

The TDPSA goes into effect on July 1st, 2024.

The Texas Attorney General is responsible for enforcing the TDPSA.

Personal data includes any information that can be used to identify an individual, directly or indirectly. This includes: names, addresses, email addresses, and even IP addresses. Essentially, if a piece of information can be traced back to a specific person, it's considered personal data.

A: Review your data collection practices, update your privacy policies, and implement robust security measures. These are 6 steps for you:

Understand the Requirements Conduct Data Mapping Update Privacy Policies Implement Consent Management Train and Educate Your Team Monitor and Update

Verify the identity of the requester, then provide access, correction, or deletion of their data as applicable. This tutorial can help you

A: Yes, certain types of data and organizations may be exempt, such as small business, non-profit, etc. Data collected for employment purposes or data regulated by other specific privacy laws may also vary. Double check if you need to comply!

The Texas Data Privacy and Security Act (TDPSA) regulates the collection, use, processing, and treatment of consumers' personal data. Businesses that violate its regulations face civil penalties.

Yes, if a US company handles data of EU residents, it must comply with GDPR requirements, including those passed to any organization outside the EU.

No, GDPR is not a US law. However, there are US federal and state privacy laws that offer similar protections.

As of June 2024, there is no comprehensive federal privacy law, but experts suggest one might be created soon to address privacy concerns across the nation.

GDPR stands for General Data Protection Regulation, a European law implemented in 2018 to enhance the control EU citizens have over their personal data.

The US equivalent of GDPR is the CCPA (California Consumer Privacy Act), which provides similar protections for personal data of online consumers.

Personal data includes any information that can identify a person, such as telephone numbers, credit card numbers, account data, license plate numbers, appearance, customer numbers, or addresses.

• Trade Union Membership
• Genetic & Biometric Data
• Health Information (mental or physical)
• Sex Life or Sexual Orientation

The Texas Data Privacy and Security Act (TDPSA) becomes effective on July 1, 2024, establishing requirements for data collection, processing, and disclosure for consumer-facing companies in Texas.

Texas law requires businesses and organizations experiencing a data breach affecting 250 or more Texans to report the breach to the Texas Attorney General within 30 days of discovery.

Below are the 7 principles of GDPR, and Yes, you can use the same logic for TDSPA.

• Lawfulness, Fairness, and Transparency
• Purpose Limitation
• Data Minimization
• Accuracy
• Storage Limitation
• Integrity and Confidentiality
• Accountability

Below are the 8 rights of individuals under GDPR, and Yes, you can use the same logic for TDSPA.

• Right of Access
• Right to Rectification
• Right to Erasure
• Right to Restrict Processing
• Right to Data Portability
• Right to Object
• Right not to be subject to Automated Decision-Making
• Right to be Informed

Yes, Texas enacted the Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024, becoming the eleventh state to pass comprehensive data privacy legislation.

The Cybercrime Act in Texas makes unauthorized use or intentional harm to protected computer systems or data files a crime, with penalties ranging from misdemeanors to third-degree felonies.

• Necessary
• Proportionate
• Relevant
• Adequate
• Accurate
• Timely
• Secure

A Data Protection Impact Assessment (DPIA) is a process to identify and minimize data protection risks in a project, required for processing likely to result in high risk to individuals.

So far, the CCPA (California Consumer Privacy Act) is the closest US equivalent to GDPR, providing comprehensive data privacy protections for Californian residents. However, new state regulations are coming into force, like: Texas, Florida, Oregon, Colorado... which may increase this list.