Effective July 1, 2024: Controllers, defined as organizations that engage in business in Texas or produce products or services that are consumed by the residents of Texas, process or engage in the sale of personal data, and are not defined by the United States Small Business Administration (SBA) as a small business, are required to:
(1) provide consumers with a privacy notice;
(2) limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purpose of processing as disclosed to the consumer;
(3) safeguard personal data;
(4) obtain consent before processing sensitive personal data;
(5) avoid discriminating against consumers for exercising their rights;
(6) enter into contracts containing specific provisions with processors, which is fairly consistent with the language required under other state privacy laws;
(7) conduct data protection assessments for certain high-risk processing activities; and
(8) clearly and conspicuously disclose any sale of personal data to third parties or processing of data for targeted advertising.
Texas Data Privacy and Security Act (TDPSA) also provides Texas residents rights to:
(1) confirm whether a controller is processing personal data and to access the personal data;
(2) correct inaccuracies in the personal data;
(3) delete personal data;
(4) obtain a copy of personal data; and
(5) opt out of sale, targeted advertising and profiling.
Controllers have 45 days to respond to requests to exercise these rights, and consumers have the right to appeal a controller’s refusal to take action on a privacy rights request.
The TDPSA does not apply in the business-to-business or employment context. It exempts state agencies, higher education institutions, nonprofit organizations, and entities governed by the Health Information Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act.
The following is also exempt from the TDPSA: “the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that the activity is regulated by and authorized under the Fair Credit Reporting Act.”
Click here for more information.
As Hire Image predicted in our Top Ten Background Screening Predictions for 2023, we will likely see similar privacy laws being passed this year, and these laws will undoubtedly impact background screening. Hire Image is committed to keeping you updated as to the passage of additional privacy laws in other states.
Contact us if you have any questions about how this law may affect you or about your background screening processes in general.
