USA - Texas

Applicability of the Texas Data Privacy and Security Act (TDPSA)

The Texas Data Privacy and Security Act (TDPSA) establishes a framework for regulating the processing of personal data within Texas. Its applicability is determined by several material and territorial factors, as outlined in the law.


Material Applicability Factors

Material applicability focuses on the types of entities and data processing activities that are subject to or exempt from the TDPSA. Below are the key factors:

1. Sale of Personal Data Criterion

  • Provision: "This chapter applies only to a person that: (2) processes or engages in the sale of personal data; and" (TDPSA Sec. 541.002(a)(2)).
  • Analysis: The TDPSA applies to entities that process or sell personal data, targeting businesses that monetize personal information. Unlike the laws of some other jurisdictions, the TDPSA specifies no revenue threshold, meaning even small-scale data sales trigger applicability.
  • Implications: Businesses engaging in data sales must comply with TDPSA requirements, regardless of their size or revenue derived from such activities.

2. Sectoral Exceptions Regulated by Other Laws

  • Provision: Various exemptions exist for data already regulated under federal laws, such as:
    • "protected health information under HIPAA" (TDPSA Sec. 541.003(1)).
    • "personal data regulated by FERPA" (TDPSA Sec. 541.003(13)).
    • "information regulated by the Gramm-Leach-Bliley Act" (TDPSA Sec. 541.002(b)(2)).
  • Analysis: These exemptions prevent duplicative regulation for sectors like healthcare, finance, education, and consumer reporting.
  • Implications: Entities in these sectors must adhere to their respective federal frameworks but are not subject to TDPSA provisions.

3. Employment and Agency Relationship Exemption

  • Provision: "data processed or maintained in the course of an individual applying to, being employed by, or acting as an agent or independent contractor..." (TDPSA Sec. 541.003(15)).
  • Analysis: Employee-related data used within professional contexts is exempt from the TDPSA.
  • Implications: Employers are responsible for compliance at an organizational level, while individual employees and contractors are not directly subject to obligations.

4. Nonprofit Organization Exemption

  • Provision: "This chapter does not apply to: (4) a nonprofit organization;" (TDPSA Sec. 541.002(b)(4)).
  • Analysis: Nonprofits are excluded from TDPSA requirements regardless of their activities or the volume of personal data processed.
  • Implications: This reduces regulatory burdens but may leave gaps in privacy protections for individuals interacting with nonprofits.

5. Higher Education Institution Exemption

  • Provision: "This chapter does not apply to: (5) an institution of higher education;" (TDPSA Sec. 541.002(b)(5)).
  • Analysis: Universities and colleges are exempt, likely due to existing federal regulations like FERPA.
  • Implications: Educational institutions operate under FERPA but are not bound by TDPSA provisions.

6. Personal and Domestic Use Exemption

  • Provision: "This chapter does not apply to the processing of personal data by a person in the course of a purely personal or household activity." (TDPSA Sec. 541.004).
  • Analysis: Activities strictly limited to personal or household contexts are excluded.
  • Implications: Individuals can process personal data privately without compliance obligations, but businesses offering related services cannot claim this exemption.

7. Exemptions for Specific Purposes

  • Provisions:
    • Research Data ("personal data used or shared in research conducted in accordance with applicable law;" TDPSA Sec. 541.003(4)(C)).
    • Emergency Contact Information ("data processed as emergency contact information used for emergency purposes;" TDPSA Sec. 541.003(16)).
  • Analysis: These exemptions balance privacy protection with societal benefits like scientific research and public safety.
  • Implications: Organizations must ensure exempted data is used solely for its intended purpose.

Territorial Applicability Factors

Territorial applicability determines whether an entity’s geographic presence or activities within Texas bring it under the TDPSA’s scope.

1. Doing Business in Jurisdiction

  • Provision: "This chapter applies only to a person that conducts business in this state or produces a product or service consumed by residents of this state;" (TDPSA Sec. 541.002(a)(1)).
  • Analysis: The law applies broadly to entities with a commercial presence in Texas or those targeting Texas residents with products or services.
  • Implications:
    • Out-of-state businesses offering digital services to Texans must comply if they meet other criteria.
    • The provision ensures comprehensive coverage of entities interacting with Texas residents.

Exemptions Summary

The TDPSA explicitly excludes certain entities and processing activities:

  1. Government agencies (Sec. 541.002(b)(1)).
  2. Utilities (Sec. 541.002(b)(6)).
  3. Data governed by federal laws like HIPAA, GLBA, FERPA, FCRA, etc.

These exclusions aim to avoid overlapping regulations while focusing on commercial entities handling consumer data.


Conclusion

The Texas Data Privacy and Security Act applies primarily to businesses that conduct economic activities in Texas and process or sell personal data, unless they are specifically exempted under material or territorial factors such as sectoral regulations, nonprofit status, or government functions. This framework ensures robust consumer protections while minimizing redundant compliance burdens for certain sectors and activities.