Wendell Bartnick, Christian Blair and Stuart Cobb for Law 360:
On June 18, Texas enacted the Texas Data Privacy and Security Act, becoming the 11th state to enact a comprehensive consumer data privacy law.
Businesses regulated by the TDPSA have until July 1, 2024, to come into compliance with the law. The TDPSA does not tread much new ground for material privacy-related obligations, but its scope and applicability will require new thinking.
[T]the TDPSA likely applies to a larger swath of businesses than other state privacy laws because it may apply when a business produces a product or service that is consumed by a Texas resident. Analyzing the applicability of the TDPSA could look like a first-year civil procedure question examining personal jurisdiction.
It seems possible that a business without any operations in Texas or any desire to offer products or services in Texas could be regulated by the TDPSA if an individual takes a product from another state and uses it in Texas.
Similar to other comprehensive state privacy laws, the TDPSA provides exemptions depending on characteristics of the business or the data, including exemptions for nonprofits and businesses or data regulated by certain federal and state laws.