Data Protection Impact Assessment (DPIA) (TX)

DATA PROTECTION IMPACT ASSESSMENT (DPIA)

(State overlay: TX)

1. Project Overview

  • Project name/ID: [name]; owner: [business owner]; sponsor: [executive].
  • Purpose and objectives: [describe].
  • Timeline and launch date: [dates].

2. Scope of Processing

  • Data subjects: [customers/employees/vendors/end users].
  • Personal data categories: [contact, IDs, financial, location, biometric, health, minors].
  • Sensitive data (TDPSA definition): Check all that apply: (1) Health information (information that describes individual's physical/mental health history, condition, treatment, diseases, or diagnosis by healthcare professional); (2) Precise geolocation data (within 1,750-foot radius); (3) Racial or ethnic origin; (4) Religious beliefs; (5) Biometric data processed for purpose of uniquely identifying consumer; (6) Sexual orientation; (7) Citizenship status (notably, TX includes citizenship in sensitive data definition unlike most other states); (8) Genetic data; (9) Data from a known child (under 13). Critical requirement: Opt-in consent required BEFORE collecting sensitive data (not just processing).
  • Volume and retention: [records/year], [retention schedule and deletion triggers per business purpose].
  • Processing activities: [collection, storage, analysis, sharing; sale/targeted-advertising status]. TDPSA definitions: "Sale" = exchange of personal data for monetary or other valuable consideration by controller to third party; "Targeted advertising" = displaying to consumer advertisement selected based on personal data obtained or inferred from consumer's activities over time and used to predict consumer preferences or interests; "Profiling" = automated processing of personal data to evaluate, analyze, or predict consumer characteristics including economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

3. Legal Basis, Notices, and Rights

  • Primary state privacy law(s): Texas Data Privacy and Security Act (TDPSA), Tex. Bus. & Com. Code § 541.001 et seq., effective July 1, 2024; universal opt-out mechanism provisions effective January 1, 2025.
  • Applicability thresholds: UNIQUE THRESHOLD STRUCTURE - NO revenue or data volume minimums. TDPSA applies to entities that: (1) Conduct business in Texas OR produce products/services consumed by Texas residents; AND (2) Process or engage in sale of personal data; AND (3) Are NOT classified as "small business" per U.S. Small Business Administration standards (SBA thresholds vary by NAICS code/industry). Critical exception: Even small businesses must obtain consent if they sell sensitive data. This makes TDPSA potentially applicable to significantly more businesses than other state laws.
  • Entity type exemptions: GLBA-covered financial institutions for activities subject to GLBA, HIPAA-covered entities/business associates for protected health information, higher education institutions, nonprofit organizations, electric utilities, retail electric providers, institutions subject to state/federal regulatory oversight with equivalent privacy protections.
  • Consumer rights covered: (1) Right to confirm whether controller is processing personal data and access the personal data; (2) Right to correct inaccuracies in personal data; (3) Right to delete personal data provided by or obtained about consumer; (4) Right to obtain copy of personal data in portable and readily usable format; (5) Right to opt out of processing for targeted advertising, sale of personal data, or profiling in furtherance of decisions producing legal or similarly significant effects. Response timeline: Not explicitly specified in statute (unlike most state laws which specify 45 days); must respond to requests in reasonable manner and timeframe. Authentication: Reasonable measures to verify consumer identity.
  • Consent/opt-out mechanics required for sensitive data, minors, targeted ads, sale/sharing: (1) CRITICAL: Opt-in consent required BEFORE collecting sensitive data (more stringent than processing requirement in other states); (2) Must recognize universal opt-out mechanisms (effective January 1, 2025) including Global Privacy Control for sale/targeted advertising; (3) Opt-out required for profiling for legal/similarly significant decisions; (4) Consent must be clear, conspicuous, freely given, specific, informed, and unambiguous.
  • Notice/labeling requirements: Privacy notice must be reasonably accessible and clear, disclosing: categories of personal data processed, purposes, how to exercise consumer rights, categories of personal data shared with third parties, categories of third parties with whom data is shared, how to opt out of sale/targeted advertising. Must provide effective mechanism for submitting requests.
  • Contracts with processors/service providers: Contract required between controller and processor. Must include: clear instructions regarding processing; nature and purpose of processing; type of data; duration; controller and processor rights and obligations; requirement that processor assists controller in meeting obligations; requirement that processor deletes or returns data at end of provision of services.

4. Data Flow and Transfers

  • Source systems: [list]; storage/hosting locations: [cloud region/data centers].
  • Cross-border transfers: [EU/UK/other]; transfer tool: [SCCs/IDTA/CBPR if applicable].
  • Recipients/vendors: [processors/subprocessors/controllers]; due diligence status and DPAs in place.
  • Access controls: RBAC groups, least privilege, joiner/mover/leaver process.

5. Security and Controls

  • Technical controls: Encryption in transit/at rest [specify algorithms/key lengths], key management [HSM/KMS], network segmentation, endpoint protections [EDR/AV], logging/monitoring [SIEM], DLP, backups [frequency/retention/testing], vulnerability management [scanning cadence/remediation SLAs].
  • Organizational controls: Written information security policies, annual training cadence, vendor due diligence [security questionnaires/assessments], incident response playbook [tested annually], change management, privacy-by-design reviews.
  • Authentication/authorization: [MFA method: TOTP/FIDO2/SMS]; [SSO/SAML provider]; session timeouts [specify]; privileged access reviews [quarterly/semi-annual].
  • Reasonable security: Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices.

6. Risks and Impact Assessment

  • Risks/threats: [unauthorized access, data minimization failure, purpose creep, profiling risk, transfer risk, children/minors risk, sensitive data exposure].
  • Likelihood: [low/medium/high]; Impact: [low/medium/high]; Risk rating matrix: [insert].
  • Texas AG enforcement focus: December 2024 investigations of Character.AI, Reddit, Instagram, Discord regarding privacy/safety practices for minors demonstrates active enforcement posture.

7. Mitigations and Residual Risk

  • Planned mitigations: [controls, timelines, owners].
  • Testing/validation: [pen test, privacy-by-design checklist, security assessments].
  • Residual risk after mitigations: [rating]; decision: [accept/mitigate further/block].

8. Incident Response and Breach Notification

  • Breach notification statute: Tex. Bus. & Com. Code § 521.053 (Notification Required Following Breach of Security of Computerized Data); amended September 1, 2023.
  • Timeline: Notice to affected Texas residents required without unreasonable delay and not later than 60 days after date controller determines breach occurred (same deadline for individuals as many states). CRITICAL DIFFERENCE: Notice to Texas Attorney General required as soon as practicable and not later than 30 days from determination of breach if affects 250+ Texas residents (shorter AG deadline than resident deadline; most states require concurrent notification).
  • Notification triggers: Unauthorized acquisition of computerized data compromising security, confidentiality, or integrity of sensitive personal information. Sensitive personal information = Texas resident's first name or first initial and last name in combination with one or more of: (a) SSN; (b) Driver's license/government-issued ID number; (c) Financial account/credit/debit card number with security code/access code/password/PIN permitting account access; (d) Information regarding individual's medical history, mental/physical condition, or medical treatment/diagnosis by healthcare professional.
  • Encryption safe harbor: Notice not required if sensitive personal information was encrypted, redacted, or otherwise rendered unreadable through another method and encryption key or method for rendering information readable was not acquired and is not reasonably believed to have been acquired.
  • Regulator/AG notice: If breach affects 250+ Texas residents, must notify Texas Attorney General as soon as practicable and not later than 30 days from determination of breach. AG maintains publicly accessible listing of breaches on website; listing updated within 30 days of AG receiving notification; notifications removed from listing after 1 year if no additional breaches during that period.
  • Content requirements: Notice must include description of: incident; categories of sensitive personal information involved; actions taken to protect affected individuals from further harm; whether law enforcement is investigating; contact information for individual to obtain more information.
  • Third-party data maintainers: Person maintaining computerized data on behalf of another must notify data owner immediately following discovery of breach if sensitive personal information was or is reasonably believed to have been acquired by unauthorized person.
  • Law enforcement delay: Notice may be delayed at request of law enforcement if notification will impede criminal investigation; must provide notice as soon as law enforcement determines notification will not compromise investigation.
  • Consumer reporting agency notification: Not explicitly required under Texas law.
  • Coordination with other states/GLBA/HIPAA requirements if multi-state: [Coordinate breach notification obligations; GLBA and HIPAA have separate timelines and requirements].

9. State Overlay Checklist (TX)

  • Applicability thresholds and exemptions: NO revenue or data volume thresholds. Applies if: conduct business in TX OR produce products/services for TX residents, AND process or engage in sale of personal data, AND NOT "small business" per SBA standards (varies by NAICS code). CRITICAL: Small business exemption disappears if selling sensitive data. Potentially broadest applicability of any state law. Exemptions: GLBA institutions (for GLBA activities), HIPAA covered entities (for PHI), higher education, nonprofits, electric utilities, entities with equivalent regulatory oversight.
  • Sensitive data definition and consent/opt-out requirements: 9 categories of sensitive data (see Section 2 above): health info, precise geolocation (1,750 ft), racial/ethnic origin, religious beliefs, biometric data, sexual orientation, citizenship status (unique to TX), genetic data, child data (under 13). CRITICAL: Opt-in consent required BEFORE collecting (not just processing) sensitive data. More stringent than other states. Small businesses must obtain consent if selling sensitive data even if otherwise exempt.
  • Consumer rights and response timelines/appeals: Access/confirm, correct, delete, portability, opt-out of sale/targeted ads/profiling. Response: Must respond in "reasonable manner and timeframe" (no explicit 45-day deadline unlike most state laws). No explicit appeal requirement in statute.
  • Opt-out of sale/targeted advertising/profiling requirements: Must provide clear and conspicuous method for opting out. Must recognize universal opt-out mechanisms (effective January 1, 2025) including Global Privacy Control. Opt-out required for profiling in furtherance of decisions producing legal or similarly significant effects.
  • Processor/service provider contract requirements (flow-downs, audit rights, deletion/return): Contract required. Must include: processing instructions, nature/purpose, data type, duration, parties' rights/obligations, processor assistance obligations, deletion/return at end of services.
  • Data Protection Assessment / Risk Assessment triggers: TDPSA does not explicitly require data protection assessments (like UT, unlike CA/CO/CT/VA). However, conducting internal risk assessments remains best practice for demonstrating reasonable security and accountability, especially given TX AG's active enforcement posture.
  • Security measures expectations (reasonable security; specific mandates if any): Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices. No specific security mandates beyond "reasonable" practices. Document security controls in internal assessments.
  • Breach notice timeline and content requirements: 60 days to notify residents from determination of breach; 30 days to notify AG if 250+ residents affected (shorter AG timeline than resident timeline). Content: incident description, PI categories involved, protective actions, law enforcement investigation status, contact info. AG maintains public breach listing (updated within 30 days, removed after 1 year with no additional breaches).
  • Children/minors rules (e.g., COPPA; state-specific if any): Data from known children under 13 is sensitive data requiring opt-in consent before collection. December 2024 TX AG investigations of Character.AI, Reddit, Instagram, Discord demonstrate focus on minors' privacy/safety. Controllers must comply with COPPA.
  • Non-discrimination/retaliation prohibitions under state law: Consumers may not face retaliation or discrimination for exercising TDPSA rights, including denial of goods/services, charging different prices/rates, or providing different level/quality. Businesses may offer financial incentives, loyalty programs, or premium features with reasonable relationship to value of consumer's data.
  • Recordkeeping: ROPA/DPIA retention and appeal tracking: Maintain documentation of consumer request responses. No DPA requirement (though best practice). Permanent 30-day cure period (does not sunset); TX AG provides notice of violation and 30 days to cure before penalties. Attorney General has exclusive enforcement authority; civil penalties up to $7,500 per violation. No private right of action. AG maintains public breach listing demonstrating active oversight.

10. Approvals and Accountability

  • Privacy lead/DPO review: [name/date].
  • Security review: [name/date].
  • Legal review (state law overlay): [name/date].
  • Business owner certification: [name/date].
  • Executive approver: [name/title/date].

11. Attachments

  • Data flow diagrams/architecture.
  • Records of processing activities entry.
  • Vendor list and processor agreements.
  • Internal risk assessments (best practice even though not legally required).
  • Security practices documentation.
  • Sensitive data consent mechanisms and documentation.
  • Universal opt-out mechanism implementation (effective January 1, 2025).
  • State-specific notices/links and breach templates.