Overview
The Texas Data Privacy and Security Act (TDPSA) is a comprehensive data privacy law that strengthens consumer data protections while setting clear compliance requirements for businesses operating in Texas. Signed into law on June 18, 2023, TDPSA took effect on July 1, 2024, making Texas the second-largest U.S. state (after California) to enact a broad consumer privacy law.
TDPSA introduces strong consumer rights, limits data sales, and mandates security measures, though it remains more business-friendly than California's CPRA.
Who Must Comply?
TDPSA applies to businesses that operate in Texas or target Texas consumers, with no revenue threshold. Unlike other state laws, Texas uses a broad business applicability test:
- Applies to businesses that process or sell personal data of Texas residents
- Covers companies that produce goods or services consumed by Texas residents
Exemptions:
The law does not apply to:
- Small businesses (as defined by the U.S. Small Business Administration)
- Government agencies
- Nonprofits
- Financial institutions subject to GLBA
- HIPAA-covered entities
Key Consumer Rights Under TDPSA
- Right to Access: Consumers can request a copy of their personal data.
- Right to Correct: Consumers can request corrections to inaccurate personal data.
- Right to Delete: Consumers can request the deletion of personal data.
- Right to Data Portability: Consumers can receive their data in a portable format.
- Right to Opt-Out: Consumers can opt out of:
  - Targeted advertising
  - Sale of personal data
  - Automated profiling that affects legal or financial decisions
Business Compliance Requirements
- Universal Opt-Out Mechanism (Starting January 1, 2025): Businesses must recognize Global Privacy Control (GPC) signals.
- Opt-In Consent for Sensitive Data: Businesses must obtain explicit consent before processing:
  - Racial/ethnic origin
  - Religious beliefs
  - Biometric data
  - Health conditions
  - Children's data
- Privacy Policy & Transparency: Companies must publish clear privacy policies detailing data collection and use.
- Data Security Standards: Businesses must implement reasonable security measures to protect personal data.
- Data Protection Assessments (DPA): Businesses must assess high-risk processing activities, such as:
  - Targeted advertising
  - Data sales
  - AI-driven decision-making
Real-World Enforcement Cases
The Texas Attorney General is responsible for enforcing TDPSA, with penalties of up to $7,500 per violation.
Since the law took effect in July 2024, major enforcement cases are expected in 2025, likely targeting ad tech firms, data brokers, and companies that fail to honor consumer opt-out requests.
Comparison with Other State Privacy Laws
The Texas TDPSA is more business-friendly than California's CPRA but stronger than Virginia's CDPA due to:
- Stronger Consumer Opt-Out Rights: Universal opt-out required by 2025.
- No Revenue Threshold for Businesses: Applies to all large-scale data processors.
- Longer Compliance Grace Period: Businesses have until 2025 to fully comply.
Future of TDPSA Regulation
- Expanded enforcement for AI-driven profiling and automated decision-making.
- Stronger penalties for non-compliance starting in 2025.
- Potential updates to align with federal privacy laws if passed.
Texas's TDPSA is one of the strongest consumer privacy laws in the U.S. while still accommodating businesses with flexible compliance timelines and clear opt-out mechanisms.