As data privacy continues to dominate headlines and regulatory agendas across the country, Texas has joined the movement with its own sweeping legislation, the Texas Data Privacy and Security Act (TDPSA). Effective July 1, 2024, the TDPSA places new legal obligations on businesses while granting robust rights to consumers. Whether you are a business operating in Texas or targeting its residents, understanding the TDPSA is essential to avoid legal risk and maintain trust in a data-driven marketplace.
What Is the Texas Data Privacy and Security Act (TDPSA)?
The TDPSA is designed to strengthen consumer data rights and increase transparency around how businesses collect, use, and share personal information. It applies to companies that conduct business in Texas or offer goods and services to Texas residents, regardless of physical location.
Key definitions include:
- Personal data – information linked or reasonably linkable to an individual.
- Sensitive data – includes racial or ethnic origin, health data, biometric information, geolocation, and children’s data.
- Controller – a person or entity that determines the purpose and means of processing personal data.
- Processor – a party that processes data on behalf of a controller.
Who Must Comply?
The TDPSA generally applies to larger businesses, but it casts a wide net. A business must comply if it conducts business in Texas or offers products or services to Texas residents, processes or sells personal data, and is not a small business as defined by the U.S. Small Business Administration. Small businesses are not fully exempt, however: the law's requirement to obtain consumer consent before selling sensitive data applies regardless of size.
Entities exempt from the law include:
- State and local government entities
- Entities subject to HIPAA or the Gramm-Leach-Bliley Act (GLBA)
- Nonprofit organizations
- Institutions of higher education
Consumer Rights Under the TDPSA
The law grants Texas consumers a series of rights that echo those in other comprehensive privacy laws:
- Right to know what personal data is collected and processed
- Right to access, correct, and delete personal data
- Right to opt out of:
- Targeted advertising
- Sale of personal data
- Profiling in furtherance of decisions that produce legal or similarly significant effects on the consumer
Importantly, businesses may not retaliate against consumers who exercise these rights.
Key Compliance Obligations for Businesses (Controllers)
Businesses that determine the purpose and means of data processing (i.e., controllers) must:
- Provide a clear and accessible privacy notice
- Limit data collection to what is adequate, relevant, and necessary
- Respond to consumer rights requests within 45 days (extendable once by a further 45 days where reasonably necessary, with notice to the consumer)
- Establish a mechanism for consumers to appeal denied requests
- Make specific disclosures when selling sensitive or biometric data
- Implement reasonable administrative, technical, and physical data security measures
Responsibilities of Data Processors
Processors are required to:
- Act only on a controller’s instructions
- Assist controllers in meeting their obligations, particularly in data security and consumer rights requests
- Sign data processing agreements that include mandatory terms and flow down to sub-processors
Data Protection Assessments
Controllers must conduct data protection assessments before engaging in high-risk data processing activities, such as processing sensitive data or conducting targeted advertising. These assessments must evaluate potential risks to consumer rights and be made available to the Texas Attorney General upon request, though the law provides confidentiality protections for such assessments.
Prohibited Business Practices
The TDPSA prohibits several practices, including:
- Retaliation against consumers for exercising their rights
- Processing sensitive or children’s data without obtaining consent
- Forcing consumers to create a new account to exercise rights
- Processing data for undisclosed or incompatible purposes without consent
Enforcement and Penalties
The TDPSA is enforced exclusively by the Texas Attorney General. Businesses have a 30-day cure period to address alleged violations before formal enforcement begins. Civil penalties can reach $7,500 per violation, but there is no private right of action, meaning consumers cannot sue directly under the law.
Practical Steps for Business Compliance
To comply with the TDPSA, businesses should act now. Key steps include:
- Reviewing and updating privacy notices
- Mapping data flows to understand what personal data is collected and why
- Establishing systems for handling consumer requests and appeals
- Reviewing and revising contracts with processors
- Providing internal training and documentation to ensure compliance across teams
How Texas Law Fits Into the National and Global Landscape
The TDPSA shares similarities with laws like the California Consumer Privacy Act (CCPA) and the EU's General Data Protection Regulation (GDPR), but it also includes unique provisions that reflect Texas-specific policy choices. As more states adopt their own privacy laws, businesses operating across jurisdictions must coordinate compliance strategies and monitor for legal developments.
Conclusion: Stay Ahead of the Law
The Texas Data Privacy and Security Act marks another step toward a more transparent and consumer-centric digital economy. Businesses should take action now to update their policies, improve internal practices, and seek legal guidance where necessary. By doing so, they will not only reduce risk but also demonstrate a commitment to protecting consumer trust in a data-driven age. Contact an experienced privacy attorney today.
Contributions to this blog by Michael Touma.