Rapid Growth of State Privacy Laws
On June 18, 2023, Texas joined the growing list of U.S. states that have passed comprehensive consumer privacy laws, including its own 88(R) HB 4 the Texas Data Privacy and Security Act (TDPSA). At the time of publication, about one-third of the U.S. population resides in a state with a privacy law that is either in effect or is scheduled to become effective, such as the TDPSA on July 1, 2024. Gray Reed published an article earlier this year detailing the new Texas privacy law’s provisions, broad applicability, and the criteria for which it applies to individuals and businesses: Deep in the Heart of Privacy: Understanding the Texas Data Privacy and Security Act’s Impact on Businesses.
To achieve compliance with TDPSA, businesses must adopt a comprehensive approach encompassing documented policies, standard operating procedures, and business processes. Specifically, an organization needs to demonstrate due diligence has been performed and that evidence exists of policies and procedures being ‘operationalized’ or carried out.
In the next few months, our TDPSA Compliance Countdown blog series will cover the critical how-to activities to comply with the central tenets in the TDPSA:
- Enabling Consumer Rights Requests
- Disclosure Transparency and Privacy Notice Updates
- Conducting Data Protection Assessments
Enabling Consumer Rights Requests
Under the TDPSA, businesses must protect the personal data of Texas residents and residents can exercise a dozen rights that include:
- Obtaining verification if a controller is collecting or processing a consumer’s personal data;
- Obtaining access to or knowledge about their data;
- Obtaining correction of inaccuracies in the consumer’s data;
- Having personal deleted data provided by or obtained about the consumer;
- Obtaining a copy of the consumer’s data in a portable, and to the extent technically feasible, readily usable format so that a consumer may transmit the data to another controller;
- Opting out of the processing of personal data for targeted advertising;
- Opting out of the sale of personal data;
- Opting out of the processing of personal data for profiling;
- Having the right not to be discriminated against for exercising one’s privacy rights;
- Having the right to appeal a decision made about privacy rights;
- Obtaining a response to a privacy rights request within 45 days after the receipt of the request;
- If necessary, the 45-day response period may be extended by an additional 45 days.
De-Mystify Expectations and Document Processes
For businesses to comply with consumer rights requirements, companies should establish and formally publish a policy that requires the organization and its employees to adhere to the mandate and outline procedures for how to implement the policy. In other words, document and communicate to employees what is required to avoid any misinterpretation or a lack of knowledge about the policy’s existence.
The policy should articulate the options and processes for each organization (aka the ‘controller’) established for how individuals may submit a consumer request to exercise their right(s). Options may include email, a website portal, or a 1-800 number. The policy should also include a corresponding standard operating procedure (a step-by-step, repeatable process) for how the organization should implement consumer privacy rights. The methods in the procedure for instance, should capture the necessary actions for how the organization will authenticate the consumer making the request, which department and employee roles have the responsibilities for fulfilling requests within the 45-day deadline, and how to determine which third parties are relevant to a request, and steps for engaging their participation to complete the request.
Create Data Inventories
Another critical component for enabling consumer privacy rights requests is having complete and accurate data inventories on the personal data that an organization collects and processes. While many organizations have adopted automated solutions and software-as-a-service (SaaS) platforms to help identify, categorize, and map data across a business at the system-, program- and enterprise level, many companies have manually created and managed data inventories using more straightforward methods such as populating the information into a Microsoft Excel spreadsheet.
SaaS solutions are often preferred where an organization’s business model and revenue heavily depend on consumers’ personal information. Moreover, it can be beneficial whereby organizations maintain large and sometimes hard-to-manage volumes of structured and unstructured data that inundate the business daily.
The latter approach is preferable where the collection and processing of personal data is minimal or is not the primary asset for generating a business’s revenue. Thus, data inventories are less likely to require frequent updates, are lower in volume, and are smaller in scope, justifying the manual creation of data inventories. In either case, data inventories are critical for organizations that collect, store, access, transmit, sell, or otherwise process personal data, but especially for enabling compliance with consumer rights mandates and the ability to respond more swiftly to data breach incidents.
Establish A Consumer Rights Request (CRR) Lifecycle Process
While fulfilling a CRR will be straightforward for some companies and challenging for others, it will be similar. Success in responding to and completing activities required of consumer requests is all in mapping the process and decision flow details.
Critical considerations for implementing a CRR Lifecycle Process include but are not limited to:
- From where an organization receives consumer requests;
- Necessary actions to verify or ‘authenticate’ the identity of the requestors;
- Who and how to log incoming requests;
- Criteria for directing requests to the appropriate departments and employees to fulfill them;
- As applicable, contacting third parties to assist in the fulfillment of consumer rights requests;
- Tracking the compilation of details a consumer has requested and actions for completion (e.g., corrections, updates, or deletions to data) to respond to the consumer with the details;
- Monitoring the timeline of completed actions; and
- Communicating to consumers the status of their requests and closing them out.
Many organizations have also adopted automated tools and technologies to help enable the workflow of in-take, rights fulfillment, processing, tracking, and completion of consumer requests. These tools may include vendor solutions such as OneTrust, TrustArc, and more recently, using modules provided by governance, risk, and compliance (GRC) tools. Regardless of the decision to automate or fulfill CRRs manually, a decision flow helps guide employees on how best to move a request through the lifecycle (see illustrative example below).
Compliance with the TDPSA is a multifaceted endeavor to enable and adhere to individual consumer rights requests. Fulfilling requests requires meticulous planning and execution. By following the proposed policy topics and including the suggested procedures as part of documented guidance and the lifecycle process outlined in this blog, organizations can take substantial strides toward achieving and maintaining compliance with TDPSA. Keep in mind that data privacy and security governance, risk and compliance are ongoing commitments, and that staying vigilant is vital to protecting the rights and maintaining the trust of Texas residents.
Where do you stand with meeting the TDPSA compliance? Contact us today to evaluate your preparedness. Our team offers a quick, high-level evaluation to assess your current state and suggest steps for enhancement.
 Controller refers to an organization or business that determines the purpose and means of processing personal data that, as mandated by the TDPSA, must restrict data collection only to what is relevant, adequate, and necessary. Obligations of controllers include providing a privacy notice or policy that discloses what data is collected, purpose of the data processing, and articulating consumers’ rights and how they can exercise them.