The Texas Data Privacy and Security Act (TDPSA)

On July 1, 2024, Texas joined the vanguard of states implementing comprehensive consumer data protection measures with the Texas Data Privacy and Security Act (TDPSA). This landmark legislation marks a significant shift in the landscape of digital rights and corporate responsibilities in the Lone Star State.

Read the full text of the Act here

The TDPSA: A New Sheriff in Town

What Is the TDPSA?

The Texas Data Privacy and Security Act is a groundbreaking piece of legislation designed to safeguard the personal data of Texas residents. Drawing inspiration from existing laws, particularly the Virginia Consumer Data Protection Act, the TDPSA establishes a robust framework for data privacy protection while holding businesses accountable for their data practices.

Key Consumer Rights Under the TDPSA

The TDPSA empowers Texas residents with a suite of digital rights, including:

Data Access

The right to confirm and access personal data processed by controllers

Correction

The ability to rectify inaccuracies in personal data

Deletion

The power to request the removal of personal data

Data Portability

The right to obtain a copy of personal data in a usable format

Opt-Out Options

The ability to decline personal data processing for targeted advertising, sales, or profiling

Understanding TDPSA’s Scope

Unlike many of its counterparts in other states, the TDPSA introduces a unique set of criteria for determining which entities must comply:

Business Presence: Entities conducting business in Texas or producing goods/services “consumed” by Texas residents
Data Handling: Organizations that process or sell personal data
Size Matters: Entities not classified as “small businesses” under U.S. Small Business Administration (SBA) definitions

The SBA sets size standards for different industries, which are typically based on either the number of employees or average annual receipts. These standards vary widely depending on the specific industry:

For employee-based size standards, the maximum number of employees can range from 100 to over 1,500.
For revenue-based size standards, the maximum annual receipts can range from $1 million to over $40 million

A broader range of Texas-based companies could be affected by this approach.

Notable Exemptions

The TDPSA provides exemptions for certain entities, including:

State agencies and political subdivisions
Financial institutions governed by the Gramm-Leach-Bliley Act
HIPAA-regulated entities
Nonprofit organizations
Higher education institutions
Electric utility companies

Unique Features of the TDPSA

1. Enhanced Disclosure Requirements

The TDPSA introduces stringent disclosure mandates, particularly for entities dealing with sensitive or biometric data. These businesses must prominently display notices about potential data sales, ensuring transparency in their data practices.

2. Redefined "Sale of Personal Data"

The TDPSA adopts a broader definition of data sales, encompassing transfers for “monetary or other valuable consideration.” This aligns more closely with California’s approach than Virginia’s, potentially expanding the scope of regulated transactions.

3. Perpetual Cure Period

Unlike some state laws with sunsetting cure periods, the TDPSA offers a perpetual 30-day window for businesses to address violations after notification. This provision aims to foster compliance while allowing businesses room for corrective action.

Enforcement and Penalties

The Texas Attorney General is tasked with enforcing the TDPSA.

Violations can result in penalties of up to $7,500 per incident. However, the law does not provide for private right of action, meaning individual citizens cannot initiate lawsuits for violations.

Preparing for Compliance

Businesses operating in Texas should take proactive steps to align with the TDPSA’s requirements:

Review and update privacy policies
Implement robust data access and modification request processes
Establish clear appeals procedures for consumer requests
Revise contracts with third-party data handlers
Prepare for the global opt-out technology provision, effective January 1, 2025

Conclusion

With the TDPSA’s implementation, Texas joins a growing cohort of states with active consumer data privacy regulations. As of July 1, 2024, eight states, including California, Colorado, and Virginia, have such laws in effect. An additional dozen states are set to roll out similar regulations by January 1, 2026, creating a complex patchwork of data privacy rules across the nation.

The Texas Data Privacy and Security Act represents a significant leap forward in protecting consumer data rights. While presenting challenges for businesses, it also offers opportunities for companies to build trust with their Texas customers through transparent and responsible data practices.

Noa Kahalon

COO at hoggo

Noa is a certified CIPM, CIPP/E, and a Fellow of Information Privacy (FIP) from the IAPP. Her background consists of marketing, project management, operations, and law. She is the co-founder and COO of hoggo, an AI-driven SaaS platform for B2B trust where sellers can showcase & improve compliance and buyers can evaluate, manage and monitor them.

By Solution

Trust Hub

My Vendors

Marketing Risk Radar

By Use Case

One-Click Vendor Assessment

Get Your Trust Center

Vendor Management

Marketing Compliance

By Regulation

GDPR (EU)

CCPA/CPRA (California)

VCDPA (Virginia)

About Us

How It Works?

Pricing

Why should you use hoggo?

Articles & Blog

Privacy Resources

Newsletter

Data Protection Discord Server

Privacy Glossary

Privacy & Security Training