Everything You Need to Know about the TXCPA

Well, it’s happening. After the introduction of the GDPR in Europe, it was only a matter of time before some jurisdiction in the U.S. took up the cause of data protection and privacy. That came in the form of the CCPA in California, which in turn, was expected to lead to data legislation in the other 50 states. Now, the first of these expected attempts is here, with Texas, the second most populous state in the U.S. after California.

Like the CCPA and GDPR, the Texas Consumer Privacy Act (TXCPA) is all about creating a basic layer of regulation around the use of data that empowers consumers and gives them some control over the information they generate and that companies profit from. In fact, the TXCPA is very similar indeed to the CCPA, with a few general differences that we’ll mention here:

• It hasn’t been passed yet – The TXCPA is still just a bill at this stage, which means there could be changes made between now and when it would come into force on September 1, 2020. It could technically be scrapped altogether, but overall trends suggest that data regulation will make it through in one form or another.
• Texas legislation is split into two bills – The TXCPA is actually just one part of the data regulations that Texas is considering, with the Texas Privacy Protection Act (TXPPA) being the other. In many areas, the two bills overlap and repeat one another but together they cover many of the same principles as the CCPA, including transparency clauses regarding the use of data and gaining consent from consumers to process their data.
• The scope of the TXCPA is different – As legislation from Texas, the TXCPA and TXPPA target businesses of a certain size (measured in profits and the number of consumers they process data from) that operate in Texas. Many, but not all of the businesses that are included in the scope of this legislation will be the same ones that had to handle CCPA, and possibly also GDPR compliance, due to the often global nature of data-driven businesses. 

How You Should Prepare

At this stage, before the passing of these bills into law, full-on, certified compliance isn’t possible. But you can start preparing your organization rather than leaving it for later. We suggest you read up on the CCPA to understand the overall concept and get an idea of what will be required of you.

But beyond informing yourself, you can start to take some meaning action – action that will no doubt benefit your organization regardless of the TXCPA. First and foremost, you should adopt ISO 27001 as a baseline framework for how your organization handles data. Though not a government-mandated regulation in most areas, ISO 27001 is an industry standard and, as we’ve discussed before, has served many California companies as a great base to build off of to achieve CCPA compliance.

Similarly, approaching the TXCPA through the lens of ISO 27001 will put your organization ahead of the curve no matter what changes are or are not made to these bills as they currently stand.

If you do embark on a readiness project, consulting with compliance experts is the best way to go. The first step is performing a risk assessment and gap analysis for your organization to determine exactly where and in what ways you might fall short of what’s expected from the TXCPA. Experts can help guide you through that process and make sure you’re on the ball and getting it done right.

Even more important, a dedicated compliance team can start to help you address the technical aspects of the TXCPA rather than focusing on documentation alone.