Learn about the Texas Data Privacy and Security Act (TDPSA), its applicability to businesses, personal data definitions, duties of controllers and processors, data processing agreements, privacy notice requirements, consent for data processing, universal opt-out mechanisms, consumer rights, personal data requests, privacy impact assessments, enforcement by the Texas Attorney General, and potential fines under the TDPSA.
The state privacy law landscape in the United States is continually evolving. Texas is the tenth state with a consumer data privacy law aiming to protect the privacy of Texas residents.
The law came into effect on July 1, 2024, except for a few provisions, whose effective date is January 1, 2025.
The Texas Data Privacy and Security Act (TDPSA) is Texas’ state law that protects consumer privacy by imposing certain obligations on businesses and granting consumers data privacy rights. The TDPSA took effect on July 1, 2024, following its signing on June 18, 2023. However, the provisions on universal opt-out mechanisms come into effect six months later, on January 1, 2025.

Like all other privacy laws in the US states, the TDPSA also sets a threshold for applicability. However, this one differs somewhat. Instead of setting a monetary threshold, it primarily excludes small businesses.
The TDPSA applies to businesses that:
If you process personal data and target Texas consumers, a common practice for many US and global online businesses, you need to determine whether you qualify as a small business. This determination will establish whether this law applies to you.
The Small Business Administration uses various criteria across different industries to determine a business's size, so we cannot provide a straightforward answer here.
Even though they meet the applicability criteria, the following are not covered by the TDPSA:

You only need to obtain users’ consent for the processing of sensitive data, including children’s data, biometric data, precise geolocation data, or any data that reveals a person’s ethnic origin, religious beliefs, mental or physical health diagnosis, or citizenship or immigration status.
The consent must be:
For children’s data, you can also rely on the consent request methods described in the COPPA, which include verifiable methods for obtaining parental consent.
In all other cases, you don’t need consent. You're free to process personal data until the consumer opts out of the processing or requests deletion of their data.
If you sell sensitive personal data, you must include the following statement within your privacy notice: "We may sell your sensitive personal data." If you are involved in the sale of biometric data, you must include the following statement in your notice: "We may sell your biometric personal data." Post these notices in the same location and manner as the privacy notice.
The TDPSA requires businesses to respect universal opt-out mechanisms, such as the Global Privacy Control (GPC). This requirement is enforceable starting January 1, 2025.
Under the TDPSA, personal data includes any information, including sensitive data, linked or reasonably linkable to an identified or identifiable individual. Unlike some other laws, it doesn’t explicitly list the categories of personal data. As long as a piece of information can identify someone, that information is personal data and falls under the scope of the law.
The TDPSA provisions further clarify that pseudonymous data also qualifies as personal data when it is used in conjunction with additional information, because the combination can reasonably be linked to an identified or identifiable individual.
The law exempts certain categories of personal information from its scope.
The TDPSA differentiates between personal data and sensitive personal data, giving the latter a special regime. Sensitive data encompasses the following types of information:
Controllers are companies that make decisions on data collection, processing, use, storage, etc. Processors are companies that act on behalf of the controllers.
If you run an e-commerce store, you are the data controller. The third-party tools you use to process personal data, such as those used for email communication, targeted ads on social media, or tracking website usage, are your data processors.
If you run a SaaS business, you can be a controller when you use data for your own business and act as a data processor for businesses that use your SaaS.
The duties of controllers include:
Processors’ duties include:
The Data Processing Agreement is a contractual agreement between the controller and the processor, wherein the controller provides instructions to the processor regarding processing.
This contract regulates the processor's data processing practices for tasks carried out on behalf of the controller. The Texas Consumer Privacy Act explicitly prescribes that the contract must include:
You owe your users information on how you handle personal data. You need to provide that information through your privacy notice, also widely known as a privacy policy.
The TDPSA, like many other laws, prescribes the essential elements that each privacy policy should contain. These include:
All US state data privacy laws mandate the provision of nearly identical information to all consumers in a clear and reasonably accessible privacy notice.
You should take into account the small differences between the laws in terms of consumer rights and address those in the policy.
Alternatively, you can utilize the Secure Privacy feature to customize your privacy policy for each customer based on their location. That would be the hassle-free option.
Consumer rights under the TDPSA align with those found in other states, with Texas leaning toward a more detailed approach. Texas consumers will have the following rights at their disposal:
Although not explicitly labeled as consumer rights, individuals will also have the power to challenge decisions made by data controllers and will be entitled to non-discrimination.
TDPSA requests are the tools with which consumers can hold businesses accountable in relation to their privacy practices.
Consumers can submit consumer rights requests to you at any time, and it is your responsibility to respond to them. Businesses have 45 days to respond to verifiable consumer requests, and this period may be extended by an additional 45 days when the complexity of the request requires it.
The Texas privacy legislation requires organizations to carry out Privacy Impact Assessments in some cases.
You must conduct and document data protection assessments for the following processing activities:
You can cover all the activities with a single assessment.
The Texas Attorney General enforces the TDPSA. The Attorney General may initiate investigations into potential breaches of the TDPSA and may request and examine Data Protection Assessments to verify compliance with the legislation. Unlike California, Texas will not have a dedicated data protection agency. It's important to note that the TDPSA does not grant individuals a private right of action.
The TDPSA grants you a 30-day grace period to address any violations. Failure to take corrective action within this timeframe may result in the Attorney General imposing civil penalties of up to USD 7,500 for each violation. A violation of one consumer's rights counts as one violation. A violation of 1,000 consumers' rights counts as 1,000 violations, each subject to a penalty of up to USD 7,500. Fines can add up quickly.