The Texas Data Privacy and Security Act (TDPSA) was signed by Governor Greg Abbott on June 18, 2023, and took effect July 1, 2024. Texas's law is notable for its extremely broad applicability: unlike most other state privacy laws, the TDPSA has no minimum threshold for the number of consumers whose data must be processed — it applies to any for-profit business that conducts business in Texas or targets Texas residents, processes personal data, and is not a small business as defined by the U.S. Small Business Administration. This means many more businesses are covered by the TDPSA than by comparable state laws. However, the SBA small business exemption does carve out many smaller companies. The TDPSA covers all standard consumer rights and includes strong provisions on sensitive data, which requires explicit consent before processing.
Residents of Texas have the following legally enforceable privacy rights under TDPSA:
Confirm whether a business processes your personal data and obtain a copy in portable format.
Request correction of inaccurate personal data held about you by covered businesses.
Request deletion of personal data you've provided or that has been collected about you.
Receive your personal data in a machine-readable, portable format to transfer to other services.
Prevent businesses from selling your personal data to third parties for commercial purposes.
Stop businesses from using your data to show you personalized ads based on your online behavior.
Opt out of automated decision-making used in significant decisions about credit, employment, or housing.
Businesses cannot penalize you with higher prices or reduced service for exercising your rights.
The TDPSA applies to persons that conduct business in Texas or produce or distribute products or services consumed by Texas residents, that process or engage in the sale of personal data, and are not a small business as defined by the SBA. The absence of a data volume threshold is the key distinguishing feature — any qualifying business regardless of scale must comply. Exemptions include government entities, financial institutions subject to GLBA, HIPAA-covered entities, nonprofit organizations, and higher education institutions.
Under TDPSA, the following categories are classified as sensitive personal data and require explicit opt-in consent before processing:
Racial or ethnic origin · Religious or philosophical beliefs · Mental or physical health diagnoses · Sexual orientation or gender identity · Citizenship or immigration status · Genetic or biometric data uniquely identifying a person · Personal data of known minors · Precise geolocation data (within 1,750 feet)
Under TDPSA, businesses must respond to consumer rights requests within 45 days of receipt. This may be extended by an additional 45 days with prior written notice explaining the reason for the delay. Businesses must also establish an internal appeals process for denied requests, with a response due within 60 days.
The Texas Attorney General has exclusive enforcement authority. The AG must first provide 30 days' written notice identifying the alleged violations and allowing cure. If violations are not cured within 30 days, the AG may seek civil penalties of up to $7,500 per violation. There is no private right of action. The AG's Consumer Protection Division is responsible for enforcement.
To exercise your rights under TDPSA, contact the business through its official privacy portal (typically linked at the bottom of its website under "Privacy" or "Your Privacy Rights"). Clearly state:
1. That you are a Texas resident invoking rights under TDPSA
2. Your full name and contact information linked to your account
3. The specific right you are invoking (access, deletion, opt-out of sale, etc.)
4. The legal deadline for response (45 days)
If the company denies your request, you have the right to appeal. If the company does not respond or the appeal fails, you may file a complaint with the Texas Attorney General's office.
| Term | Definition Under TDPSA |
|---|---|
| Personal Data | Any information linked or reasonably linkable to an identified or identifiable natural person. Does not include de-identified data or publicly available information. |
| Controller | A natural or legal person that, alone or jointly with others, determines the purposes and means of processing personal data. |
| Processor | A natural or legal person that processes personal data on behalf of a controller (e.g., a cloud hosting vendor). |
| Sale of Personal Data | The exchange of personal data for monetary or other valuable consideration by the controller to a third party. |
| Targeted Advertising | Displaying ads selected based on personal data obtained from a consumer's activities across non-affiliated websites or applications. |
| Profiling | Automated processing to evaluate, analyze, or predict aspects of a consumer's economic situation, health, personal preferences, behavior, location, or movements. |