The Texas Data Privacy and Security Act (TDPSA) – Overview

On July 1, 2024, Texas joined the vanguard of states implementing comprehensive consumer data protection measures with the Texas Data Privacy and Security Act (TDPSA). This landmark legislation marks a significant shift in the landscape of digital rights and corporate responsibilities in the Lone Star State.

The TDPSA: A New Sheriff in Town

What Is the TDPSA?

The Texas Data Privacy and Security Act is a groundbreaking piece of legislation designed to safeguard the personal data of Texas residents. Drawing inspiration from existing laws, particularly the Virginia Consumer Data Protection Act, the TDPSA establishes a robust framework for data privacy protection while holding businesses accountable for their data practices.

Key Consumer Rights Under the TDPSA

The TDPSA empowers Texas residents with a suite of digital rights, including:

  • Data Access: The right to confirm and access personal data processed by controllers
  • Correction: The ability to rectify inaccuracies in personal data
  • Deletion: The power to request the removal of personal data
  • Data Portability: The right to obtain a copy of personal data in a usable format
  • Opt-Out Options: The ability to decline personal data processing for targeted advertising, sales, or profiling

Understanding TDPSA’s Scope

Unlike many of its counterparts in other states, the TDPSA introduces a unique set of criteria for determining which entities must comply:

  1. Business Presence: Entities conducting business in Texas or producing goods/services “consumed” by Texas residents
  2. Data Handling: Organizations that process or sell personal data
  3. Size Matters: Entities not classified as “small businesses” under U.S. Small Business Administration (SBA) definitions

The SBA sets size standards for different industries, which are typically based on either the number of employees or average annual receipts. These standards vary widely depending on the specific industry:

  • For employee-based size standards, the maximum number of employees can range from 100 to over 1,500.
  • For revenue-based size standards, the maximum annual receipts can range from $1 million to over $40 million.

This approach could bring a broader range of Texas-based companies into scope.

Notable Exemptions

The TDPSA provides exemptions for certain entities, including:

  • State agencies and political subdivisions
  • Financial institutions governed by the Gramm-Leach-Bliley Act
  • HIPAA-regulated entities
  • Nonprofit organizations
  • Higher education institutions
  • Electric utility companies

Unique Features of the TDPSA

1. Enhanced Disclosure Requirements

The TDPSA introduces stringent disclosure mandates, particularly for entities dealing with sensitive or biometric data. These businesses must prominently display notices about potential data sales, ensuring transparency in their data practices.

2. Redefined "Sale of Personal Data"

The TDPSA adopts a broader definition of data sales, encompassing transfers for “monetary or other valuable consideration.” This aligns more closely with California’s approach than Virginia’s, potentially expanding the scope of regulated transactions.

3. Perpetual Cure Period

Unlike some state laws with sunsetting cure periods, the TDPSA offers a perpetual 30-day window for businesses to address violations after notification. This provision aims to foster compliance while allowing businesses room for corrective action.

Enforcement and Penalties

The Texas Attorney General is tasked with enforcing the TDPSA.

Violations can result in penalties of up to $7,500 per incident. However, the law does not provide for a private right of action, meaning individual citizens cannot initiate lawsuits for violations.

Preparing for Compliance

Businesses operating in Texas should take proactive steps to align with the TDPSA’s requirements:

  1. Review and update privacy policies
  2. Implement robust data access and modification request processes
  3. Establish clear appeals procedures for consumer requests
  4. Revise contracts with third-party data handlers
  5. Prepare for the global opt-out technology provision, effective January 1, 2025

Conclusion

With the TDPSA’s implementation, Texas joins a growing cohort of states with active consumer data privacy regulations. As of July 1, 2024, eight states, including California, Colorado, and Virginia, have such laws in effect. An additional dozen states are set to roll out similar regulations by January 1, 2026, creating a complex patchwork of data privacy rules across the nation.

The Texas Data Privacy and Security Act represents a significant leap forward in protecting consumer data rights. While presenting challenges for businesses, it also offers opportunities for companies to build trust with their Texas customers through transparent and responsible data practices.

Noa Kahalon
COO at hoggo

Noa is a certified CIPM, CIPP/E, and a Fellow of Information Privacy (FIP) from the IAPP. Her background consists of marketing, project management, operations, and law. She is the co-founder and COO of hoggo, an AI-driven Digital Governance platform that allows legal and compliance teams to connect, monitor, and automate digital governance across all business workflows.