The Texas Data Privacy and Security Act (TDPSA) is a US state law that took effect on July 1, 2024, protecting Texas residents’ personal data rights. It regulates how businesses collect, use, and handle personal information of Texas consumers. The law applies to companies doing business in Texas or serving Texas residents, requiring them to implement security measures and obtain consent for processing sensitive data. Small businesses are generally exempt unless they sell sensitive data.

Who is protected by the TDPSA?

TDPSA extends its coverage to Texas residents, both as individuals and within a household context. Notably, those operating in a commercial or employment context aren’t categorized as “consumers” under Section 541.001 Part (7) of the law.

Is TDPSA compliance mandatory?

Yes, entities under TDPSA are mandated to collect personal data from consumers only when reasonably necessary and proportionate to the stated processing purposes. The details of data collection must be transparently provided to the consumer.

TDPSA compliance guidelines

To ensure compliance with TDPSA, businesses must adhere to specific requirements concerning the collection, processing, and use of personal data from Texas consumers. Here are some of the key components:

  1. Data Controllers and Transparency: According to Section 541.101, transparency stands as a primary duty for data controllers under TDPSA. Controllers must limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed processing purpose unless explicit customer consent is obtained.
  2. Data Security Standards: TDPSA requires data controllers to establish and maintain reasonable administrative, technical, and physical data security practices. These practices should align with the volume and nature of the personal data in question (Section 541.101 Part (a)(2)). Controllers that fail to protect personal information may be held financially accountable for cybercrimes and unauthorized breaches.
  3. Consent Requirements: Under TDPSA, user consent is necessary under specific circumstances. Legal guardian consent is required for processing personal data about a child under thirteen. Consent is also essential when processing personal data for purposes beyond “reasonably necessary” or “compatible with the disclosed purposes” for initial processing. Additionally, user consent is mandatory for processing sensitive personal data.

Understanding and adhering to these TDPSA requirements is crucial for businesses to navigate the legal landscape effectively, emphasizing the commitment to transparency, security, and consumer empowerment.

What are the main rights granted to Texas residents under the TDPSA?

The TDPSA grants Texas residents several fundamental data privacy rights:

Access and Confirmation

Texas residents can verify if businesses are processing their personal data and access their information in a readable format.

Data Control

  • The right to correct inaccurate personal information
  • The right to delete personal data that was provided by or obtained about them
  • The right to data portability, allowing them to obtain their data in a usable format

Opt-Out Rights

Consumers can opt out of:

  • Targeted advertising
  • Personal data sales
  • Automated profiling for decisions about financial services, housing, insurance, healthcare, education, employment, criminal justice, or basic necessities

Additional Protections

  • Protection against discrimination or retaliation for exercising these rights
  • Right to appeal company decisions regarding their data requests
  • Parents can exercise these rights on behalf of children under 13

Businesses must respond to these rights requests within 45 days, with a possible 45-day extension if needed.

Key provisions of the TDPSA

  1. Wide Applicability: Unlike other states that consider revenue and data volume thresholds, TDPSA applies to almost anyone conducting business or offering products/services consumed by Texans, involving the processing or sale of personal data.
  2. Inclusive Definition of Personal Data: TDPSA stands out by including pseudonymous data in its definition of personal data, especially when combined with other information linking it to an identifiable individual.
  3. Ban on Dark Patterns: Following the privacy laws of California, Connecticut, and Colorado, TDPSA prohibits the use of dark patterns—user interfaces designed to undermine user autonomy.
  4. Small Business Exemption (Mostly): Small businesses are exempt, except when selling sensitive data, in which case they must secure consumer consent beforehand.
  5. Specific Privacy Policy Disclosures: Controllers selling sensitive or biometric data must incorporate precise disclosures verbatim into their privacy notices.
  6. Data Protection Assessments (DPAs): The law requires controllers to conduct DPAs for specific processing activities. In each assessment, controllers must weigh the benefits of the activity against its risks.

These provisions highlight the unique aspects of TDPSA, its impact on businesses of different sizes, and its alignment with evolving privacy standards observed in other states.