The Texas Data Privacy and Security Act (TDPSA), signed into law in June 2023 and effective July 1, 2024, brings comprehensive privacy protections to one of the nation's largest states. With nearly 30 million residents, Texas's entry into state privacy regulation significantly expands the number of Americans with enforceable data privacy rights. Understanding the TDPSA helps Texas residents protect their personal information.
Who Is Protected
The TDPSA protects Texas residents acting as individuals, not in commercial or employment contexts. Unlike some other state laws, the TDPSA has no minimum threshold for the number of consumers a business must serve—it applies to any business that conducts business in Texas or produces products or services consumed by Texas residents, processes or sells personal data, and is not a small business as defined by the Small Business Administration.
The small business exemption means many local businesses fall outside the law's requirements. However, the lack of specific consumer number or revenue thresholds means many mid-sized businesses are covered that would be exempt under other states' laws.
Standard exemptions apply to entities covered by HIPAA, Gramm-Leach-Bliley, the Fair Credit Reporting Act, and similar federal privacy laws. Nonprofits and higher education institutions are also exempt.
Your Right to Know and Access
Texas residents can confirm whether a business is processing their personal data and access that data. Upon request, businesses must provide the categories of personal data they process, the purposes for processing, categories of third parties with whom data is shared, and the specific pieces of personal data held about you.
Businesses must respond within 45 days, with one 45-day extension permitted when reasonably necessary. Responses must be free of charge unless requests are excessive or manifestly unfounded.
Your Right to Delete
You can request deletion of personal data a business has collected about you. Businesses must delete your data and instruct their processors to do the same upon receiving a valid request. Standard exceptions apply for data necessary to complete transactions, comply with legal obligations, detect security incidents, and similar purposes.
Your Right to Correct
The TDPSA includes the right to correct inaccurate personal data. You can request that businesses fix errors in your information, and they must take reasonable steps to make corrections considering the nature of the data and purposes for processing.
Your Right to Data Portability
You can obtain your personal data in a portable, readily usable format. This right allows you to take your data to competing services or maintain your own records. The format must allow you to transmit the data to another controller without hindrance.
Your Right to Opt Out
Texas provides important opt-out rights covering targeted advertising, sale of personal data, and profiling that produces legal or similarly significant effects. You can direct businesses to stop using your data for personalized advertising based on your activities across different websites and services, selling your data to third parties, and making automated decisions that significantly affect you.
Universal Opt-Out Recognition
The TDPSA requires businesses to recognize universal opt-out mechanisms beginning January 1, 2025. Like Colorado, Texas will require businesses to honor opt-out preference signals sent by browsers, devices, or other technical mechanisms. Global Privacy Control and similar technologies will allow you to automatically communicate opt-out preferences to every covered business you interact with.
Sensitive Data Protections
Processing sensitive data requires your consent under the TDPSA. Sensitive data categories include racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic data, biometric data for identification, data from known children, and precise geolocation.
The consent requirement provides stronger protection than standard opt-out rights. Businesses must obtain your affirmative agreement before processing these sensitive categories.
Special Provisions for Data Brokers
The TDPSA includes specific provisions for data brokers—businesses that primarily buy, sell, or license personal data about consumers with whom they have no direct relationship. Data brokers must register with the Secretary of State and are subject to additional requirements.
This registration requirement increases transparency about the data broker industry and provides a mechanism for enforcement against businesses that trade in personal information without consumer relationships.
How to Exercise Your Rights
Submit requests through the methods businesses provide. You must provide information sufficient for identity verification. Businesses cannot require you to create an account solely to submit a privacy request.
If a business denies your request, you can appeal. The business must respond to appeals within 60 days. If the appeal is denied, you must be informed of how to contact the Texas Attorney General.
Enforcement
The Texas Attorney General has exclusive enforcement authority. There is no private right of action for TDPSA violations. The Attorney General must provide 30 days' notice and opportunity to cure before bringing an enforcement action. Civil penalties can reach $7,500 per violation.
How TDPSA Compares to Other State Laws
The TDPSA closely follows the Virginia model but with some Texas-specific provisions. The lack of minimum consumer thresholds potentially covers more businesses than Virginia or Colorado's laws. The small business exemption, rather than specific numerical thresholds, determines coverage differently than other states.
The universal opt-out requirement, effective in 2025, aligns Texas with Colorado in mandating recognition of opt-out preference signals. Data broker registration requirements add a layer of regulation not present in all state privacy laws.
Conclusion
The Texas Data Privacy and Security Act provides Texas residents with meaningful privacy rights including access, deletion, correction, portability, and opt-out rights. With universal opt-out recognition beginning in 2025 and special data broker provisions, Texas's law includes some of the more consumer-friendly elements of state privacy legislation. Understanding and exercising these rights helps you maintain control over your personal information.