The Texas Data Privacy and Security Act (TDPSA) protects Texas residents' data privacy by establishing requirements for businesses that collect and process consumers' personal data.
Overview
Texas became one of the leading states in the United States to approve a comprehensive consumer privacy law, HB 4, which went into effect on July 1, 2024. Its passage on June 18, 2023 gave organizations time to prepare for TDPSA compliance.
What is the Texas Data Privacy and Security Act (TDPSA)?
The Texas Data Privacy and Security Act (TDPSA) is a state-level data privacy law that protects the digital privacy and personal data of over 30 million residents in Texas. It establishes data privacy requirements for businesses operating in the state or offering goods and services to Texas residents that process consumers' personal data.
Texas defines a consumer as someone who is a resident of or domiciled in the state and is acting on an individual or household basis rather than on a commercial or employment basis.
Texas follows an opt-out model like most other US state-level privacy laws, meaning that consumer consent isn't required before data collection or processing in many cases. There are some exceptions when prior consumer consent is required, particularly when dealing with sensitive personal data.
Businesses that fall under the scope of the Texas data privacy law must clearly inform consumers about their data collection and processing activities, outline consumer rights, and explain how to exercise those rights.
Definitions under the TDPSA
Personal data under the TDPSA
Personal data is defined as any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. The definition excludes deidentified data or publicly available information.
Sensitive data under the TDPSA
Sensitive data under the Texas privacy law includes categories of personal data that could cause harm if misused, including:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Genetic or biometric data processed for the purpose of uniquely identifying an individual
- Personal data from a known child (under 13 years of age, per federal COPPA standards)
- Precise geolocation data
Consent under the TDPSA
The TDPSA defines consent as a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data. The Texas privacy law explicitly excludes the following from valid consent:
- Acceptance of a general or broad terms of use that contains descriptions of personal data processing alongside unrelated information
- Hovering over, muting, pausing, or closing a given piece of content
- Agreement obtained through the use of dark patterns
Texas's privacy law also requires that consumers should be able to revoke their consent at any time.
Controller under the TDPSA
A controller under the TDPSA is any person that, alone or jointly with others, determines the purpose and means of processing personal data.
Processor under the TDPSA
A processor is a person who processes personal data on behalf of a controller.
Sale of personal data under the TDPSA
The Texas data privacy law defines the sale of personal data as the exchange of personal data for monetary or other valuable consideration by the controller to a third party. It excludes disclosures to processors acting on the controller's behalf, disclosures to third parties for services requested by the consumer, and data the consumer intentionally made available to the general public.
Targeted advertising under the TDPSA
Targeted advertising means displaying advertisements to a consumer selected based on personal data obtained from that consumer's activities over time across unaffiliated websites or online applications, used to predict preferences or interests.
Who has to comply with the Texas Data Privacy and Security Act?
The TDPSA applies to businesses that:
- Conduct business in Texas or produce products or services consumed by Texas residents, and
- Process or engage in the sale of personal data, and
- Are not a small business as defined by the U.S. Small Business Administration
The TDPSA does not include a revenue threshold, making it broader in scope than some other state laws. Unlike Florida's FDBR (which targets businesses with over USD 1 billion in global gross annual revenue) or California's CCPA/CPRA (which requires compliance at USD 25 million in gross annual revenue), Texas's law applies to all non-small-business entities that process Texas residents' data — regardless of revenue.
Exemptions to TDPSA compliance
The Texas data privacy law exempts certain institutions from complying, including:
- State and local government bodies
- Financial institutions subject to the Gramm-Leach-Bliley Act
- Covered entities or business associates under HIPAA
- Nonprofit organizations
- Higher education institutions
Data-related exemptions include:
- Protected health information under HIPAA
- Personal data regulated by the Family Educational Rights and Privacy Act (FERPA)
- Data processed solely for employment purposes
- Personal data regulated by the Fair Credit Reporting Act
- Data covered by the Children's Online Privacy Protection Act (COPPA)
- Personal data processed for research purposes consistent with federal standards
Consumers' rights under the Texas Data Privacy and Security Act
Consumers have several rights under the Texas data privacy law:
- Right to access: Consumers can confirm whether the controller is processing their personal data and request access to that data.
- Right to correction: Consumers can request that inaccurate personal data held by the controller be corrected.
- Right to deletion: Consumers can request the deletion of personal data the controller has about them.
- Right to portability: Consumers have the right to obtain a copy of their personal data in a portable, readily usable format.
- Right to opt out: Consumers can opt out of:
  - The processing of their personal data for sale
  - Targeted advertising
  - Certain profiling that produces a legal or similarly significant effect
Parents or legal guardians can exercise these rights on behalf of their children.
The TDPSA does not grant consumers a private right of action, meaning consumers cannot directly sue violators. Enforcement is handled exclusively by the Texas Attorney General.
Controllers' obligations under the Texas Data Privacy and Security Act
Consumer rights requests under the TDPSA
Controllers must notify consumers of:
- Their rights regarding their personal data
- How consumers can exercise those rights
- The procedure for appealing a controller's decision (e.g., rejection of a request)
Controllers must establish at least one secure and reliable method for consumers to submit requests. The controller has 45 days from receipt to respond to an authenticated consumer request. This period can be extended by an additional 45 days when reasonably necessary, with prior notification to the consumer.
If a request is denied, consumers can appeal the decision. The controller has 60 days to respond to an appeal.
Privacy notice under the TDPSA
Controllers must publish a privacy notice that clearly discloses:
- Categories of personal data processed, including sensitive data
- Purpose(s) for processing personal data
- How consumers can exercise their rights and submit appeals
- Categories of personal data shared with third parties, if any
- Categories of third parties receiving personal data, if any
- How consumers can opt out of the sale of personal data or targeted advertising
Purpose limitation under the TDPSA
Controllers may process personal data only for the purpose(s) disclosed to consumers, provided that processing remains adequate, relevant, and reasonably necessary in relation to those purposes.
Data security under the TDPSA
Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data being processed.
Data protection assessments under the TDPSA
The TDPSA requires controllers to conduct and document data protection assessments when processing personal data:
- For targeted advertising
- For sale
- Categorized as sensitive personal data
- For profiling that poses a foreseeable risk of harm to consumers
The Texas Attorney General can request these assessments as part of an investigation into potential violations.
Consent requirements under the TDPSA
Texas operates on an opt-out model for general personal data. However, obtaining explicit opt-in consent is required before processing sensitive personal data.
For children, the TDPSA follows the federal Children's Online Privacy Protection Act (COPPA), requiring parental or guardian consent before processing personal data of a known child under 13.
Data processing agreements under the TDPSA
The TDPSA requires controllers to enter into contracts with processors that include:
- Instructions for processing personal data
- The nature and purpose of processing
- The type of personal data being processed
- The duration of processing
- The rights and obligations of both parties
Processors must assist controllers in meeting compliance obligations and must only process personal data according to the controller's instructions.
Enforcement of the Texas Data Privacy and Security Act
The Texas Attorney General has exclusive authority to enforce the TDPSA. Consumers cannot directly sue violators but can report suspected violations to the Attorney General.
After receiving notice of a potential violation, an organization has a 30-day cure period to resolve the issue before the Attorney General may pursue legal action. This cure period is available until January 1, 2025, after which the Attorney General has discretion over whether to grant a cure opportunity.
Fines and penalties under the TDPSA
If a controller or processor remains in violation after the cure period, the Texas Attorney General may seek civil penalties of up to USD 7,500 per violation.
The TDPSA and consent management
Texas's consumer privacy law requires opt-in consent only for processing sensitive personal data and children's data. For all other data, consumers must have the option to opt out of collection and processing for purposes like sale or targeted advertising.
A consent management platform (CMP) can help businesses automate the detection of cookies and tracking technologies, manage opt-out and opt-in workflows, and deliver the required disclosures to consumers.
CMPs allow businesses to display customized consent banners based on each user's location, enabling compliance with the TDPSA alongside other US state laws and global regulations like the EU's General Data Protection Regulation (GDPR).
Preparing for the Texas Data Privacy and Security Act
Organizations doing business in Texas or serving Texas residents should assess their compliance posture as the TDPSA takes effect. Businesses already compliant with other US state-level privacy laws — such as the California Consumer Privacy Act/California Privacy Rights Act (CCPA/CPRA) or Virginia Consumer Data Protection Act (VCDPA) — will have a strong foundation, but should review Texas-specific requirements around sensitive data consent, the absence of a revenue threshold, and the cure period timeline.
A privacy by design approach benefits any organization, whether for regulatory compliance or for building consumer trust.
Compliance with the TDPSA requires understanding its specific requirements, publishing an accessible privacy notice, and offering opt-out mechanisms to consumers.
As the TDPSA is a relatively new law, case law and Attorney General guidance may provide additional clarity over time. Consulting qualified legal counsel or a data protection expert is advisable to ensure your organization meets all compliance obligations.
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.