The Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024, introduces comprehensive privacy rights for Texas residents while setting strict compliance obligations for businesses processing personal data. Signed into law by Governor Greg Abbott, TDPSA enhances consumer privacy protections and aligns Texas with broader U.S. data privacy trends.
What Is the Texas Data Privacy and Security Act (TDPSA)?
The Texas Data Privacy and Security Act (TDPSA) grants Texas consumers rights over their personal data, including access, correction, deletion, and opting out of data processing for targeted advertising or sales. It mandates businesses to provide clear privacy notices and implement reasonable data security measures.
Why was the TDPSA passed?
The Texas Data Privacy and Security Act (TDPSA), enacted through House Bill 4 during the 88th Texas Legislature, is intended to enhance consumer data protection, granting Texas residents rights over their personal information and imposing obligations on businesses to ensure transparency and security in data processing.
What makes the TDPSA unique?
The Texas Data Privacy and Security Act (TDPSA) stands out among U.S. state privacy laws by exempting small businesses, as defined by the U.S. Small Business Administration, from its provisions. Additionally, the TDPSA grants the Texas Attorney General exclusive enforcement authority, without providing a private right of action for individuals. These distinctions highlight Texas's unique approach to balancing consumer data protection with business considerations.
The Texas Data Privacy and Security Act (TDPSA) includes key definitions that establish its scope and application. These definitions are detailed in House Bill 4, Sections 541.001 and 541.002.
Notable terms include:
Consumer: A Texas resident acting in an individual or household context, excluding those in commercial or employment contexts.
Controller: An entity that determines the purpose and means of processing personal data.
Personal Data: Information linked or reasonably linkable to an identified or identifiable individual, excluding de-identified or publicly available data.
Sensitive Data: Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, citizenship or immigration status, genetic or biometric data for identification, personal data of children under 13, and precise geolocation data.
Processor: An entity that processes personal data on behalf of a controller.
Sale of Personal Data: The sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.
Who must comply with the TDPSA?
The Texas Data Privacy and Security Act (TDPSA) applies to entities that:
Conduct business in Texas or produce products or services consumed by Texas residents.
Process or engage in the sale of personal data.
Are not classified as small businesses according to the U.S. Small Business Administration (SBA) standards, which vary by industry.
Notably, the TDPSA does not set specific thresholds based on annual revenue or the volume of data processed, differing from some other state privacy laws.
“Consumer" means an individual who is a resident of this state acting only in an individual or household context. The term does not include an individual acting in a commercial or employment context.
Certain entities are exempt from the TDPSA, including:
State agencies and political subdivisions.
Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA).
Entities governed by the Health Insurance Portability and Accountability Act (HIPAA).
Nonprofit organizations.
Institutions of higher education.
Electric utilities, power generation companies, and retail electric providers.
Key provisions of the TDPSA
The Texas Data Privacy and Security Act (TDPSA) introduces several key provisions to enhance consumer data protection:
1. Consumer rights
Access and correction: Consumers can confirm whether a business is processing their personal data and correct inaccuracies.
Deletion: Consumers have the right to request the deletion of their personal data.
Data portability: Consumers can obtain a copy of their personal data in a portable format.
Opt-out options: Consumers may opt out of the processing of their personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
2. Business obligations
Data minimization: Businesses must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purposes.
Transparency: Clear and accessible privacy notices are required, detailing data collection and processing practices.
Data security: Implementation of reasonable administrative, technical, and physical data security practices is mandated.
Data protection assessments: Businesses must conduct assessments for certain processing activities, such as targeted advertising and the sale of personal data.
3. Sensitive data handling
Consent requirement: Explicit consumer consent is required before processing sensitive personal data, including information about race, health, or precise geolocation.
4. Enforcement
Authority: The Texas Attorney General has exclusive authority to enforce the TDPSA.
Cure period: Businesses have a 30-day period to address alleged violations upon notice before enforcement actions proceed.
Penalties: Non-compliance can result in civil penalties of up to $7,500 per violation.
These provisions align Texas with other states implementing comprehensive data privacy laws, emphasizing consumer rights and corporate responsibility in data management.
As an illustration, in December 2024, Texas Attorney General Ken Paxton initiated investigations into Character.AI, Reddit, Instagram, Discord, and other companies concerning their privacy and safety practices for minors. These actions aim to ensure compliance with the Securing Children Online through Parental Empowerment (SCOPE) Act and the Texas Data Privacy and Security Act (TDPSA), which mandate strict requirements for handling minors' personal data.
Paxton emphasized the state's commitment to enforcing data privacy laws to protect children from exploitation and harm:
“Technology companies are on notice that my office is vigorously enforcing Texas’s strong data privacy laws. These investigations are a critical step toward ensuring that social media and AI companies comply with our laws designed to protect children from exploitation and harm.”
- Attorney General Ken Paxton
Requirements for businesses under the TDPSA
Under the Texas Data Privacy and Security Act (TDPSA), businesses that process personal data of Texas residents are required to:
Provide clear privacy notices: Businesses must offer accessible and transparent privacy notices detailing their data collection and processing practices.
Limit data collection: Data collection should be confined to what is adequate, relevant, and reasonably necessary for the disclosed purposes.
Implement data security measures: Reasonable administrative, technical, and physical safeguards must be established to protect personal data.
Facilitate consumer rights requests: Businesses are obligated to provide secure and reliable methods for consumers to submit requests to exercise their rights under the TDPSA.
Obtain consent for sensitive data processing: Prior consent is required before processing sensitive personal data, including precise geolocation data and personal data of children under 13.
Conduct data protection assessments: Businesses must perform assessments for processing activities that present a heightened risk of harm to consumers, such as targeted advertising and the sale of personal data.
Non-compliance with these requirements can result in enforcement actions by the Texas Attorney General, including civil penalties.
It's essential for businesses operating in Texas to review and update their data privacy practices to align with the TDPSA's provisions.
Penalties for non-compliance
Under the Texas Data Privacy and Security Act (TDPSA), non-compliance can lead to significant penalties:
Civil penalties: Businesses may face fines of up to $7,500 per violation.
Cure period: Upon receiving a notice of violation from the Texas Attorney General, businesses have 30 days to address and rectify the issue.
Enforcement authority: The Texas Attorney General holds exclusive authority to enforce the TDPSA, including issuing civil investigative demands and seeking injunctive relief.
It's important to note that the TDPSA does not provide a private right of action for consumers; enforcement is solely managed by the Attorney General's office.
To avoid these penalties, businesses should proactively ensure compliance with the TDPSA's requirements, including implementing robust data privacy practices and responding promptly to any identified violations.
The impact of the TDPSA on businesses
The Texas Data Privacy and Security Act (TDPSA) introduces significant implications for businesses operating in Texas:
Opportunities
Enhanced customer trust: Compliance demonstrates commitment to data privacy, boosting brand reputation and customer loyalty.
Market differentiation: Businesses can use compliance as a competitive advantage in privacy-conscious markets.
Operational efficiency: Streamlined data management and privacy processes can improve internal efficiency.
Legal alignment: Companies already complying with laws like CCPA may meet many TDPSA requirements, simplifying compliance efforts.
Challenges
Compliance costs: Significant investment may be needed for legal consultations, technology upgrades, and employee training.
Data management complexity: Businesses must implement data mapping, consent management, and regular privacy audits.
Third-party risks: Ensuring that third-party service providers comply with TDPSA standards adds complexity.
Enforcement risks: Non-compliance can lead to fines of up to $7,500 per violation, plus legal scrutiny from the Texas Attorney General.
The impact of the TDPSA on consumers
The Texas Data Privacy and Security Act (TDPSA) significantly enhances consumer data protection rights:
Access and correction: Consumers can confirm whether a business is processing their personal data and correct inaccuracies.
Deletion: Consumers have the right to request the deletion of their personal data.
Data portability: Consumers can obtain a copy of their personal data in a portable format.
Opt-out options: Consumers may opt out of the processing of their personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
Protection of sensitive data: Businesses must obtain explicit consent before processing sensitive personal data, including information about race, health, or precise geolocation.
Non-discrimination: Businesses are prohibited from discriminating against consumers who exercise their data privacy rights, ensuring equal access to services and pricing.
Additionally, by holding businesses accountable for safeguarding personal data, the TDPSA fosters greater trust between consumers and companies. Consumers can feel more secure knowing that their data is protected by law and that violations can result in significant penalties for businesses.
Is the TDPSA opt-in or opt-out?
The Texas Data Privacy and Security Act (TDPSA) follows an opt-out model. Under this law, businesses are required to allow consumers to opt out of certain types of data processing activities, including:
Targeted advertising
Sale of personal data
Profiling for significant decisions affecting consumers
This means consumers are automatically included unless they take action to opt out. Additionally, businesses must provide a clear mechanism for consumers to exercise these rights.
Overall, the TDPSA equips Texas residents with greater transparency, control, and protection over their personal information, setting a higher standard for data privacy in the digital age.
How the TDPSA compares to other U.S. data privacy laws
The Texas Data Privacy and Security Act (TDPSA) is considered one of the more stringent state privacy laws in the United States. While it shares similarities with laws in Virginia, Colorado, and Connecticut, the TDPSA has unique aspects that may broaden its applicability and impact.
| State | Scope | Effective Date | Key Features | Penalties for Non-Compliance |
| --- | --- | --- | --- | --- |
| Connecticut (CTDPA) | Connecticut residents | July 1, 2023 | Similar to GDPR; right to access and correct data | $5,000 per violation |
| Colorado (CPA) | Colorado residents | July 1, 2023 | Opt-out for targeted advertising; sensitive data consent | Up to $20,000 per violation |
| California (CCPA/CPRA) | California residents | January 1, 2023 | Right to access, delete, opt-out; data protection assessments | Up to $7,500 per violation |
| Virginia (VCDPA) | Virginia residents | January 1, 2023 | Opt-out rights, data protection assessments, consumer rights | Up to $7,500 per violation |
| Texas (TDPSA) | Texas residents | July 1, 2024 | Consumer rights, data protection, opt-out of data sales | Up to $7,500 per violation |
| Iowa (ICDPA) | Iowa residents | January 1, 2025 | Data protection, opt-out of data sharing | Up to $7,500 per violation |
| Nebraska (NDPA) | Nebraska residents | January 1, 2025 | Privacy protections, consent requirements | Up to $7,500 per violation |
| Delaware (DPDPA) | Delaware residents | January 1, 2025 | Data privacy, consumer rights protections | Up to $10,000 per violation |
| Minnesota (MCDPA) | Minnesota residents | July 31, 2025 | Consumer data rights, opt-out options | TBD |
What makes the TDPSA stand out?
The TDPSA positions itself among the more comprehensive and stringent state privacy laws, reflecting a growing trend toward enhanced consumer data protection in the U.S.
Broad applicability: Unlike some state laws that set thresholds based on revenue or the volume of data processed, the TDPSA applies to entities conducting business in Texas or producing products or services consumed by Texas residents, regardless of size. However, it exempts "small businesses" as defined by the U.S. Small Business Administration, though these entities are still subject to certain provisions, such as obtaining consent for the sale of sensitive personal data.
Consent for Sensitive Data: The TDPSA requires businesses to obtain explicit consent before processing sensitive personal data, aligning with more consumer-friendly provisions found in other state laws.
Universal Opt-Out Mechanism: Similar to laws in Colorado, Connecticut, California, and Montana, the TDPSA mandates that businesses recognize universal opt-out mechanisms for the sale of personal data and targeted advertising, enhancing consumer control over personal information.
How Ketch can simplify TDPSA compliance
Complying with the TDPSA and other state privacy laws can be simpler than you think. The Ketch data permissioning platform helps businesses:
Deploy TDPSA-compliant privacy notices for Texas residents. Ketch Consent Management includes a pre-built policy template for the TDPSA, with the ability to customize rights as desired; no coding is required to make changes.
Gather the consent necessary to process sensitive data. Ketch consent banners and modals are customizable, making it easy for you to ensure consent is gathered for processing various types of data.
Respect universal opt-out mechanisms (UOOMs). Ketch makes it easy for companies to comply with Global Privacy Control (GPC) signals, enabling automatic recognition of GPC in the consumer’s browser.
Offer opt-out rights for sales, targeted advertising, and profiling. Ketch consent management makes it easy for businesses to offer customers a transparent option for opt-outs, and to use our pre-built APIs to connect those opt-out signals to your business data systems and apps, ensuring you honor consumer choices.
Comply with the 30-day “cure” period. The Texas law provides businesses with 30 days to fix any violation of the law before the Texas Attorney General can bring an enforcement action. Ketch is easy to deploy, with most customers going live within 2-3 weeks of implementation kick-off. If you’re concerned about speed-to-go-live, Ketch is a great fit.
Final thoughts: Preparing your business for the TDPSA
The Texas Data Privacy and Security Act represents a significant step forward in data privacy. By preparing for compliance now, businesses can avoid penalties and build stronger relationships with their customers.
Contact Ketch today to streamline your compliance and future-proof your privacy strategy.
Ketch supports compliance with major privacy laws, including GDPR, CCPA, CPRA, and various emerging US state laws, ensuring businesses meet global and local data privacy requirements.
Does the TDPSA apply to businesses outside Texas? Yes, the TDPSA applies to businesses outside Texas if they process personal data of Texas residents and meet specific thresholds.
Does the TDPSA apply to small businesses? The Texas Data Privacy and Security Act (TDPSA) does not apply to small businesses as defined by the U.S. Small Business Administration (SBA). This exemption is unique compared to other state privacy laws that often use revenue or data processing thresholds.
Definition of a small business: A small business under the TDPSA follows the SBA’s industry-specific standards, which typically consider factors such as:
Number of employees (e.g., fewer than 500 employees for some industries)
Annual revenue (e.g., under $7 million in average annual receipts)
Exceptions for small businesses: Even though small businesses are exempt, they may still be subject to specific TDPSA provisions, such as:
Consent Requirements: If processing sensitive personal data like health information or biometric identifiers, small businesses must obtain explicit consent from consumers.
Contractual Obligations: If they act as data processors for larger companies, they may need to comply contractually with TDPSA rules.
This exemption reduces compliance burdens on small businesses while ensuring that larger organizations meet stringent data privacy standards.
Is there a grace period for businesses to comply? No official grace period is provided. Businesses are expected to comply by July 1, 2024, though initial enforcement may focus on significant violations.
How does the TDPSA define "sale" of personal data? The TDPSA defines "sale" as exchanging personal data for monetary or other valuable consideration, excluding certain transfers like service provider sharing.
What rights do minors have under the TDPSA? Minors under 18 receive special protections, including requiring parental consent for processing data of children under 13 and direct consent for teens aged 13-17.
Are there specific rules for cross-border data transfers? While the TDPSA doesn’t explicitly address cross-border transfers, businesses must ensure compliance with privacy and security obligations regardless of data location.
Does the TDPSA require businesses to honor global privacy controls? Yes, businesses must honor universal opt-out mechanisms, including browser-based global privacy controls, where technically feasible.
Is a data protection officer required under the TDPSA? No, the TDPSA does not mandate appointing a data protection officer, though having one can support compliance efforts and risk management.
How long should businesses retain personal data? The TDPSA requires businesses to follow data minimization principles, retaining personal data only as long as necessary for legitimate business or legal purposes.
Does the TDPSA require a data breach notification? The TDPSA itself does not impose breach notification obligations. Businesses must follow Texas’s existing breach notification laws.
What record-keeping practices are recommended? While not required, maintaining records of data processing activities, consumer requests, and consent management is recommended for compliance verification.
Matt George is the Data Protection Officer at Ketch. A seasoned privacy attorney with a strong IT and data management background, he is also CIPP/US and CIPP/A certified from IAPP.
Automate your privacy compliance with Ketch
Risk of regulatory action or fine is no longer an unlikely, empty threat—regulators across Europe and now the United States are charging brands with irresponsible handling of consumer data.
Your knowledge of the regulations and requirements for your business may be the difference maker in ensuring your brand reputation stays intact. Ketch can help.