
Texas Data Privacy and Security Act (TDPSA): A Comprehensive Look at the New Privacy Law

Texas has joined the growing list of US states that have enacted comprehensive data privacy laws. On May 29, the Texas legislature passed the Texas Data Privacy and Security Act (TDPSA), also known as H.B. 4, which Governor Greg Abbott signed into law on June 18.

The Act will take effect on July 1, 2024, giving businesses just over a year to prepare for compliance.

This article provides an overview of the key provisions of the Texas Data Privacy and Security Act and its implications for businesses and consumers.


Who does the Texas Data Privacy and Security Act apply to? 

The Texas Data Privacy and Security Act differs from existing state privacy laws in its broad scope, as it does not provide for any revenue or data processing volume thresholds. It applies to companies and individuals who:

  1. conduct business in Texas or produce products or services consumed by Texas residents;
  2. process or sell personal data; and
  3. do not fall within the definition of a small business, as defined by the United States Small Business Administration.

The act does not apply to, among others:
  • state agencies;
  • nonprofit organizations;
  • higher education institutions; or 
  • entities governed by the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act.

Please note: As anticipated, the act does not include a data-processing volume and revenue threshold, making it applicable to most Texas businesses. However, small businesses, as defined by the U.S. Small Business Administration (SBA), are exempted from certain provisions.

A small business, as defined by the Small Business Administration’s (SBA) Table of Size Standards, is a company that meets specific criteria based on the North American Industry Classification System (NAICS) codes. These criteria vary significantly across industries, encompassing a range of firm revenues from $1 million to over $40 million and a range of employee counts from 100 to over 1,500.

Consumer rights under the TDPSA

The Texas Data Privacy and Security Act grants several rights to consumers regarding their personal data. 

Consumers have the right to: 
  • confirm whether their data is being processed;
  • access their personal data;
  • correct inaccuracies;
  • delete their data;
  • obtain a portable copy of their data;
  • opt out of processing for targeted advertising; 
  • opt out of the sale of personal data; and 
  • opt out of certain profiling.

These rights provide consumers with greater control over their personal data and its use by businesses.

Rules for the processing of personal data under the TDPSA

The act imposes restrictions on the collection and processing of personal data by controllers. 

Controllers must:
  1. Only collect data that is necessary for disclosed purposes, and may not process data for purposes that are not reasonably necessary or compatible without the consumer’s consent.
  2. Establish measures to safeguard data, and must not use “dark patterns” to obtain consent for processing.

Sensitive data, including information such as race, ethnicity, religion, genetic or biometric data, and precise geolocation, can only be processed with the consumer’s consent.

Privacy notice and data protection assessments under the TDPSA

The Texas Data Privacy and Security Act requires controllers to provide a reasonably accessible and clear privacy notice to consumers, outlining, among other things:

  1. the categories of personal data, including sensitive data, if applicable, being processed and the purposes of processing;
  2. how consumers can exercise their rights; and
  3. the categories of personal data shared with third parties and the categories of third parties with whom the information is shared.

If controllers sell sensitive data, they are required to provide an appropriate disclosure to consumers.

For certain types of data processing, data controllers must complete data protection assessments.

Enforcement and penalties under the TDPSA

The Texas Attorney General is the sole enforcement and investigative authority for the Texas Data Privacy and Security Act.

Before bringing an action against an alleged violator, the Attorney General must provide a 30-day cure period for the violation. After the cure period, the Attorney General may impose penalties of up to $7,500 per violation, as well as seek injunctive relief and attorney’s fees.

Stay compliant with iubenda

The TDPSA isn’t the only US privacy law you need to care about; there are others that are already being enforced.