Texas TDPSA Compliance

The Texas Data Privacy and Security Act became effective July 1, 2024. Texas joined the growing list of US states with comprehensive privacy laws. TDPSA is enforced by the Texas Attorney General. Texas has a distinctive applicability threshold tied to small business status rather than data volume.

This page covers what TDPSA requires, who is in scope, and how to build compliance.

Does TDPSA apply to you

TDPSA applies to persons that:

  • Conduct business in Texas or produce a product or service consumed by Texas residents; and

  • Process or engage in the sale of personal data; and

  • Are not a small business as defined by the United States Small Business Administration.

The "small business" exemption is the distinctive feature of TDPSA. Small business definitions vary by industry under SBA standards, but generally cover companies under specific revenue or employee thresholds. For most technology companies, the small business exemption typically does not apply beyond the very early stage.

Notably, TDPSA does not require that the personal data of a specific number of Texas consumers be processed. The combination of doing business in Texas, processing personal data, and not being a small business is sufficient. This is a broader scope than VCDPA, CPA, and CCPA.

What TDPSA requires

A compliant privacy notice. The notice must describe categories of personal data processed, purposes of processing, how consumers can exercise their rights, categories of personal data shared with third parties, and a description of the methods to exercise rights.

Consumer rights operational capability. Texas consumers have rights including:

  • Right to access

  • Right to correction

  • Right to deletion

  • Right to data portability

  • Right to opt out of the sale of personal data, targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects

Controllers must respond to consumer requests within 45 days, extendable by 45 days.

Universal opt-out mechanism. Texas requires controllers to recognize valid universal opt-out signals beginning January 1, 2025.

Sensitive data consent. Processing of sensitive personal data requires opt-in consent. Sensitive data definitions are similar to other state laws.

Data protection assessments. Controllers must conduct and document data protection assessments for processing activities involving targeted advertising, sale of personal data, profiling with high-risk effects, sensitive data, or other heightened-risk processing.

Processor contracts. Contracts between controllers and processors must include specific terms similar to other state laws.

Sale of sensitive personal data disclosure. TDPSA includes a specific requirement to clearly disclose any sale of sensitive personal data with specific notice language including "NOTICE: We may sell your sensitive personal data."

Sale of biometric data disclosure. TDPSA includes a specific requirement to clearly disclose any sale of biometric data with specific notice language.

Enforcement

The Texas Attorney General has exclusive enforcement authority. No private right of action.

Penalties up to 7,500 USD per violation.

TDPSA includes a 30-day cure period before the Attorney General can initiate enforcement.

The Texas Attorney General has been an active state-level privacy enforcer in other contexts and is expected to actively enforce TDPSA.

How TDPSA compares to other state laws

TDPSA shares structure with VCDPA and CPA but with distinctive elements:

  • Small business threshold rather than consumer count threshold. This brings more companies into scope than the consumer-count thresholds of California, Virginia, and Colorado.

  • Specific notice language for sensitive data and biometric data sales. The required notice language is more prescriptive than other state laws.

  • Universal opt-out mechanism requirement.

  • No cure period expiration mechanism, providing slightly more cure flexibility than Colorado.

How Engage Compliance helps

TDPSA compliance is included in our DPO services for clients serving Texas residents. Specific work includes:

  • Small business threshold assessment to determine applicability.

  • Privacy notice with Texas-specific sections including required notice language for sensitive and biometric data sales.

  • Consumer rights process design and implementation.

  • Universal opt-out mechanism implementation.

  • Data protection assessment documentation.

  • Multi-state harmonization across TDPSA and other US state laws.

Get started

If you have Texas operations and need TDPSA compliance support, book a consultation.