*Co-author Lynn Rohland
The Texas Data Privacy and Security Act (TDPSA) is now in full effect, and this comprehensive legislation establishes stringent mandates on how consumer-related personal data of Texas residents should be collected, used, processed, sold and shared. In the construction industry, businesses that market or sell goods or services to consumers, or B2C businesses, are likely impacted. Here’s what those businesses need to know:
Enforcement & Penalties
Texas Attorney General (AG) Ken Paxton has signaled that enforcement will be taken very seriously, having already established a specialized data privacy enforcement team within the Consumer Protection Division. This suggests that the state has invested significant resources in ensuring compliance with the new law.
Non-compliance with the TDPSA can result in costly penalties, with civil penalties of up to $7,500 per violation. A cure period of up to 30 days is provided for remediation. To date, the AG’s office has announced a settlement of $1.4 billion with Meta Platforms for alleged violations of the Texas Biometric Identifier Act, as well as a $3.5 million settlement with Marriott International following a data breach of 131 million guest records.
In a press release announcing the Marriott settlement, Paxton said, “Texas law is clear that companies in possession of Texans’ personal information have a duty to safeguard that data. Given the frequency of cyberattacks today, it is simply unreasonable for companies to lack a comprehensive risk-based data security program.”
For B2C construction companies, this could mean substantial financial impacts if they are found to be non-compliant in part or whole with the TDPSA, especially considering the volume of client data often handled by a $766 billion industry. Moreover, both the supply chain and construction industries are major targets of ransomware cyberattacks, underscoring the need for strong cybersecurity programs and compliance with data privacy laws. Beyond the potential for direct financial penalties, companies found in violation of privacy laws may face reputational damage and loss of consumer trust, possibly affecting future contracts and bids.
Applicability to Construction Industry
The TDPSA applies to entities whose business models engage with personal data of Texas consumers, regardless of company size or revenue. For B2C construction companies, this could include:
- Collecting personal information through project bids or quotes
- Maintaining databases containing the personal data of past, potential and current clients for past and current projects
- Using cookies or tracking technologies on company websites
- Using geolocation data for equipment or vehicle tracking on residential work sites
- Utilizing a contact or data collection form on company websites
Key types of personal data covered by the TDPSA that are relevant to construction include:
- Full names and contact information of clients or customers
- Home addresses
- Financial information for billing
- Geolocation data from equipment or vehicle tracking systems
Actions Needed
With the TDPSA now in effect, B2C construction companies should take the following steps:
- Perform a comprehensive data privacy assessment to understand what personal data is being collected, processed, and shared, both across all aspects of the business and externally.
- Review and update privacy policies and notices, including those on company websites and in client contracts.
- Implement processes for handling consumer rights requests, which may come from customers as well as potential customers.
- Conduct data protection assessments for high-risk processing activities, such as large-scale consumer marketing initiatives or client financial information handling.
- Review and update contracts with third-party data processors, including software providers and subcontractors.
- Train employees on new data handling procedures, emphasizing the importance of data privacy in consumer and client relationships and project management.
Given the complexity of construction operations and the potential consequences of non-compliance, many construction businesses may benefit from professional guidance from data privacy experts.
Remember, compliance with the TDPSA is not just about avoiding penalties; it’s about building trust with interested consumers, existing clients and potential customers. In an industry where reputation is crucial, robust data protection practices can be a significant competitive advantage, potentially setting your company apart in bids and contract negotiations.