The Texas Data Privacy and Security Act (TDPSA)
On July 1, 2024, Texas joined the vanguard of states implementing comprehensive consumer data protection measures with the Texas Data Privacy and Security Act (TDPSA). This landmark legislation marks a significant shift in the landscape of digital rights and corporate responsibilities in the Lone Star State.
The TDPSA: A New Sheriff in Town
What Is the TDPSA?
The Texas Data Privacy and Security Act is a groundbreaking piece of legislation designed to safeguard the personal data of Texas residents. Drawing inspiration from existing laws, particularly the Virginia Consumer Data Protection Act, the TDPSA establishes a robust framework for data privacy protection while holding businesses accountable for their data practices.
Key Consumer Rights Under the TDPSA
The TDPSA empowers Texas residents with a suite of digital rights, including:
- Data Access: The right to confirm and access personal data processed by controllers
- Correction: The ability to rectify inaccuracies in personal data
- Deletion: The power to request the removal of personal data
- Data Portability: The right to obtain a copy of personal data in a usable format
- Opt-Out Options: The ability to decline personal data processing for targeted advertising, sales, or profiling
Understanding TDPSA’s Scope
Unlike many of its counterparts in other states, the TDPSA introduces a unique set of criteria for determining which entities must comply:
- Business Presence: Entities conducting business in Texas or producing goods/services “consumed” by Texas residents
- Data Handling: Organizations that process or sell personal data
- Size Matters: Entities not classified as “small businesses” under U.S. Small Business Administration (SBA) definitions
The SBA sets size standards for different industries, which are typically based on either the number of employees or average annual receipts. These standards vary widely depending on the specific industry:
- For employee-based size standards, the maximum number of employees can range from 100 to over 1,500.
- For revenue-based size standards, the maximum annual receipts can range from $1 million to over $40 million.
A broader range of Texas-based companies could be affected by this approach.
Notable Exemptions
The TDPSA provides exemptions for certain entities, including:
- State agencies and political subdivisions
- Financial institutions governed by the Gramm-Leach-Bliley Act
- HIPAA-regulated entities
- Nonprofit organizations
- Higher education institutions
- Electric utility companies
Unique Features of the TDPSA
1. Enhanced Disclosure Requirements
The TDPSA introduces stringent disclosure mandates, particularly for entities dealing with sensitive or biometric data. These businesses must prominently display notices about potential data sales, ensuring transparency in their data practices.
2. Redefined "Sale of Personal Data"
The TDPSA adopts a broader definition of data sales, encompassing transfers for “monetary or other valuable consideration.” This aligns more closely with California’s approach than Virginia’s, potentially expanding the scope of regulated transactions.
3. Perpetual Cure Period
Unlike some state laws with sunsetting cure periods, the TDPSA offers a perpetual 30-day window for businesses to address violations after notification. This provision aims to foster compliance while allowing businesses room for corrective action.
Enforcement and Penalties
The Texas Attorney General is tasked with enforcing the TDPSA.
Violations can result in penalties of up to $7,500 per incident. However, the law does not provide for a private right of action, meaning individual citizens cannot initiate lawsuits for violations.
Preparing for Compliance
Businesses operating in Texas should take proactive steps to align with the TDPSA’s requirements:
- Review and update privacy policies
- Implement robust data access and modification request processes
- Establish clear appeals procedures for consumer requests
- Revise contracts with third-party data handlers
- Prepare for the global opt-out technology provision, effective January 1, 2025
Conclusion
With the TDPSA’s implementation, Texas joins a growing cohort of states with active consumer data privacy regulations. As of July 1, 2024, eight states, including California, Colorado, and Virginia, have such laws in effect. An additional dozen states are set to roll out similar regulations by January 1, 2026, creating a complex patchwork of data privacy rules across the nation.
The Texas Data Privacy and Security Act represents a significant leap forward in protecting consumer data rights. While presenting challenges for businesses, it also offers opportunities for companies to build trust with their Texas customers through transparent and responsible data practices.
Noa Kahalon
Noa is a certified CIPM, CIPP/E, and a Fellow of Information Privacy (FIP) from the IAPP. Her background consists of marketing, project management, operations, and law. She is the co-founder and COO of hoggo, an AI-driven Digital Governance platform that allows legal and compliance teams to connect, monitor, and automate digital governance across all business workflows.