Texas Data Privacy and Security Act
The TDPSA is Texas's comprehensive privacy law that applies based on small-business status rather than revenue thresholds, reaching many mid-sized firms. It grants broad consumer rights and requires opt-out signals and assessments, enforced by the Texas Attorney General.
The Texas Data Privacy and Security Act (TDPSA) is a comprehensive state consumer privacy law signed in June 2023 and effective July 1, 2024. It follows the controller and processor framework used by other state laws but takes a distinctive approach to scope. Instead of relying on revenue or large consumer-count thresholds, the TDPSA applies based on whether a business is small, using the federal Small Business Administration definition. This makes the law apply to a much wider range of mid-sized companies.
The TDPSA is enforced exclusively by the Texas Attorney General. There is no private right of action.
Who It Applies To
The TDPSA applies to a person that conducts business in Texas or produces products or services consumed by Texas residents, processes or sells personal data, and is not a small business as defined by the U.S. Small Business Administration. Small businesses are largely exempt, though they must still obtain consent before selling sensitive data. The law protects consumers acting in an individual or household context. Standard sectoral exemptions for HIPAA, GLBA, and similar laws apply.
Key Requirements
Consumers have the rights to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of targeted advertising, the sale of personal data, and certain profiling. Controllers must respond within 45 days and offer an appeal process. Opt-in consent is required to process sensitive data, and a specific statutory notice is required for businesses that sell sensitive or biometric data. Controllers must recognize universal opt-out preference signals. They must publish a privacy notice, apply data minimization, sign data processing agreements with processors, and conduct data protection assessments for high-risk processing such as targeted advertising, sale of data, and certain profiling.
Penalties for Non-Compliance
The Texas Attorney General can seek civil penalties of up to USD 7,500 per violation, plus injunctive relief and recovery of investigative costs and attorney fees. There is a 30-day cure period after notice of an alleged violation.
How to Comply
Determine whether you qualify as a small business under the SBA definition. Publish a privacy notice and include any required sensitive-data sale notices. Build channels for access, correction, deletion, and portability within 45 days, with appeals. Recognize universal opt-out signals. Obtain opt-in consent for sensitive data. Sign data processing agreements and conduct data protection assessments for high-risk processing.