Texas Has a Privacy Law — and Most Texas Businesses Haven’t Acted On It
Is your Texas business ready for the Texas Data Privacy and Security Act (TDPSA)? The law has been in effect since July 1, 2024. It’s been nearly two years, and many Texas-based companies have done little to nothing about it. Some assume it doesn’t apply to them. Others think California Consumer Privacy Act (CCPA) compliance is enough. A few know it exists but are waiting to see if there’s enforcement activity before they invest time and resources.
Navigating the TDPSA is a bit like learning local traffic laws when you move to a new state—the fundamentals are familiar, but the specific rules catch people off guard. That’s understandable but risky. TDPSA is enforceable. The Texas Attorney General can bring enforcement actions. Civil penalties run up to $7,500 per violation, and violations can stack up quickly if you’re handling large volumes of Texas consumer data. If you’re a Texas-based company, or if you do business with Texas residents at scale—especially if you’re collecting personal data—TDPSA compliance should already be on your roadmap.
What Is the TDPSA?
The Texas Data Privacy and Security Act (TDPSA) is a comprehensive privacy statute that imposes obligations on companies that collect and process personal data of Texas residents. It gives Texas residents new rights over their personal data and requires companies to implement specific protections and practices.
It’s modeled partly on the California Consumer Privacy Act (CCPA) and the broader trend of state privacy laws across the US, but it has its own structure, definitions, and requirements. If you’re CCPA-compliant, TDPSA compliance is achievable, but it’s not automatic. The two laws differ in important ways.
TDPSA covers “controllers” (companies that decide what personal data to collect and how to process it) and “processors” (companies that process personal data on behalf of controllers). It applies to the personal data of Texas residents and is enforced only by the Texas Attorney General; unlike CCPA, it provides no private right of action.
Does It Apply to Your Business? (The Thresholds)
TDPSA applies if you meet BOTH of these conditions:
Geographic trigger: You conduct business in Texas OR produce products or services consumed by Texas residents.
Data volume trigger: You do at least one of the following:
- Process personal data of 100,000 or more Texas consumers or households in a 12-month period, OR
- Process personal data of 25,000 or more Texas consumers or households AND derive more than 25% of your annual revenue from selling personal data
If you hit both the geographic and data volume thresholds, you’re in scope.
Exemptions: Even if you meet the thresholds, you may be exempt if you are:
- A financial institution subject to GLBA (Gramm-Leach-Bliley Act)
- A HIPAA-covered entity or business associate
- A nonprofit organization
- A higher education institution
- A state or federal agency
- A small business as defined by the SBA
Most mid-market tech companies, SaaS platforms, e-commerce businesses, and marketing/advertising firms will be in scope. Many healthcare and financial companies are exempt due to other regulations.
What Rights Does It Give Texas Consumers?
Once you’re in scope, Texas residents have five key rights under TDPSA:
Right to access: Consumers can request a copy of the personal data you’re holding about them. You must provide this within 45 days (or request a 45-day extension). The data must be in a portable, machine-readable format when technically feasible.
Right to correction: Consumers can request that you correct inaccurate personal data. You have 45 days to correct it or explain why you can’t.
Right to deletion: Consumers can request deletion of personal data you hold about them. You have 45 days to delete it or explain why you can’t (e.g., a legal obligation to retain the data, or fraud prevention). This right is broader than CCPA’s in some respects and more limited in others.
Right to portability: Consumers can request a copy of their personal data in a portable format. This is similar to the access right but emphasizes the ability to move data between service providers.
Right to opt-out: Consumers can opt out of three categories of processing:
- Processing for targeted advertising (including interest-based advertising and behavioral advertising)
- Processing for the “sale of personal data” (meaning sharing data for valuable consideration)
- Processing for automated decision-making that has a material effect on the consumer (e.g., credit decisions, employment decisions, or decisions affecting legal rights or obligations)
If a consumer opts out, you must stop the specified processing within 30 days.
What You’re Required to Do: A Compliance Checklist
Provide a clear, accessible privacy notice. You must post a privacy notice that clearly describes the categories of personal data you collect, the purposes for collection, the consumer rights they can exercise, and how to submit a request. The notice must be provided before or at the point of collection, and it must be conspicuous and easy to understand. This is different from CCPA’s notice requirements in subtle ways, so don’t assume your CCPA privacy notice is sufficient.
Establish a process for consumer requests. You need a functioning system for receiving access, correction, deletion, and portability requests. This includes a way for consumers to submit requests (usually a web form), a way to verify their identity, and a process for responding within 45 days. Many companies use privacy request management platforms like OneTrust, TrustArc, or similar tools for this.
Honor opt-out requests. You must provide a way for consumers to opt out of targeted advertising, data sales, and automated decision-making. Once you receive an opt-out, you must honor it within 30 days. This requires tracking opt-outs and integrating them into your data processing workflows.
Data minimization and purpose limitation. You must collect personal data only for the stated purposes and collect only what’s necessary for those purposes. You can’t collect everything “just in case.” This principle should govern your data collection policies and practices.
Conduct a data protection impact assessment for high-risk processing. If you’re processing personal data in a way that has significant potential for harm (e.g., large-scale profiling, automated decision-making affecting legal rights, sensitive data processing), you must conduct a Data Protection Impact Assessment (DPIA). The law doesn’t define exactly which scenarios require a DPIA, so you need to exercise judgment or work with counsel.
Implement reasonable security measures. You must implement reasonable, industry-standard measures to protect personal data from unauthorized access, breach, or misuse. The statute does not enumerate specific controls, but in practice this means encryption in transit and at rest, access controls, monitoring, and incident response procedures.
Execute data processing agreements with vendors. If you share personal data with processors or other third parties, you must have written agreements that obligate them to process data only as directed and to implement appropriate security. These agreements must include specific terms about the processor’s obligations and limitations on how data can be used.
Don’t discriminate against consumers who exercise their rights. You can’t deny services, charge different prices, or provide lower quality service to someone just because they exercised an access, deletion, or opt-out right. This is an important protection against retaliation.
Enforcement: What Happens If You Don’t Comply?
TDPSA is enforced only by the Texas Attorney General. There’s no private right of action (unlike CCPA), so consumers can’t sue you directly for violations. However, that doesn’t mean there are no consequences.
The Texas AG can investigate violations, issue a notice of violation, and give you 30 days to cure. If you don’t cure within 30 days, the AG can bring an enforcement action and seek civil penalties.
Civil penalties are up to $7,500 per violation. The question is: what counts as a “violation”? That’s not entirely clear yet, but the AG could argue that each instance of non-compliance (each failure to respond to a request, each failure to honor an opt-out, each unauthorized processing) is a separate violation. For a company processing data at scale, penalties could accumulate quickly.
Additionally, significant violations could damage your reputation, invite regulatory scrutiny on other fronts (CCPA, GDPR, state AGs in other jurisdictions), and become a liability issue in M&A, funding, or customer negotiations.
TDPSA vs. CCPA: The Key Differences
| Feature | TDPSA | CCPA |
|---|---|---|
| Effective date | July 1, 2024 | January 1, 2020 |
| Volume threshold | 100K consumers OR 25K + 25% revenue from data sales | $25M+ revenue OR 100K+ consumers/households OR derive 25%+ revenue from selling/sharing data |
| Consumer rights | Access, correct, delete, portability, opt-out (targeted ads, sales, automated decisions) | Access, delete, opt-out (sales, sharing), opt-in for sensitive data. No correction right. |
| Sale vs. sharing | Sale only (exchange for valuable consideration) | Sale AND sharing (includes free sharing in some contexts) |
| Enforcement | Texas AG only; no private right of action | California AG + private right of action for data breaches (under CPRA) |
| Penalties | Up to $7,500/violation; 30-day cure period | $2,500 per unintentional violation; $7,500 per intentional violation (CPRA, Cal. Civ. Code § 1798.155); private right of action for data breaches: $100–$750/consumer per incident |
| DPIA requirement | Required for high-risk processing (undefined in statute) | No explicit DPIA requirement (CPRA adds some assessment requirements) |
| Correction right | Yes | No |
If you’re already CCPA-compliant, your privacy notice, opt-out mechanisms, and request handling systems are mostly transferable to TDPSA. The main differences are the correction right (which is TDPSA-specific), the clearer opt-out framework, and the emphasis on DPIAs for high-risk processing. You’ll need to audit your current practices against these additions, but the heavy lifting is already done.
Where to Start If You’re Behind
Step 1: Assess whether TDPSA applies to you. Count how many Texas residents you’re processing data for. If you’re under 100,000 and don’t derive revenue from data sales, you might be out of scope. If you’re unsure, assume it applies. The threshold is easier to reach than you might think, especially if you’re a digital company with a national customer base.
Step 2: Audit your current privacy practices. What personal data are you collecting? Why? Who has access to it? Where is it stored? Who are you sharing it with? What security measures do you have? This audit forms the foundation for your compliance roadmap. If you’ve already done a CCPA audit, dust it off and use it as the starting point.
Step 3: Review and update your privacy notice. You may already have one (especially if you’re CCPA-compliant), but make sure it addresses the specific TDPSA requirements: categories of data, purposes, consumer rights, and how to exercise them. Make sure it’s clear and conspicuous.
Step 4: Establish or refine your consumer request process. If you don’t have a system in place, implement one. This could be a simple web form connected to your legal or privacy team, or it could be a full-featured privacy platform like OneTrust or TrustArc. For mid-market companies, a managed platform usually makes sense because it scales with your request volume. Our Privacy Audit can help you assess what’s needed.
Step 5: Implement opt-out mechanisms for targeted advertising and data sales. Depending on your business model, this might mean adding a “Do Not Sell My Personal Data” link on your website, or it might mean updating how you handle opt-outs in your advertising platforms and data processing workflows. Make sure you can actually honor opt-outs when requested.
Step 6: Review vendor and processor agreements. Make sure your data processing agreements with vendors and third parties include the right language about how data can be used, security requirements, and the processor’s obligations.
Step 7: Document your DPIA process. For high-risk processing, conduct and document a data protection impact assessment. Define what counts as high-risk for your organization, and establish a process for conducting DPIAs when you introduce new processing activities.
This roadmap will take time, especially if you’re starting from scratch. Plan for 2–4 months to get the basics in place, longer if you need to integrate new tools or make significant changes to your data processing practices.
