
Texas Data Privacy and Security Act

The Texas Data Privacy and Security Act (TDPSA) is the statewide privacy law in Texas, granting Texas consumers data privacy rights and establishing data protection obligations for covered organizations. It imposes a civil penalty for violations of its provisions. It grants the Attorney General exclusive enforcement authority, effective July 1, 2024.

Are you subject to the Texas Data Privacy and Security Act?

The Texas Data Privacy and Security Act (TDPSA) applies to organizations that meet the following criteria:

  • Conduct business in Texas and produce products or services consumed by Texas residents.
  • Process or engage in the sale of personal information.
  • Are not a small business as defined by the United States Small Business Administration.

Obligations & Rights under the TDPSA

This data privacy and protection law requires organizations to provide control and transparency to Texas consumers on how their personal information is collected, sold, and disclosed.

Consents & opt-outs

Consent is required before processing personal information, including verifiable parental consent for children under 13. Consumers should be clearly informed about their right to opt out of targeted advertising, personal information sales, and profiling in the privacy notice.

The opt-out mechanism must:

  • Not unfairly disadvantage another controller.
  • Require an affirmative, freely given, and unambiguous choice to opt out.
  • Be consumer-friendly and easy to use.

Covered organizations must recognize the required opt-out mechanism by January 1, 2025.

Policies & notices

Organizations must give consumers an accessible, clear privacy notice. It should outline the types of personal and sensitive information collected and shared with third parties, the purposes of processing this data, and how consumers can exercise their rights. If a business sells any of the following data, it must inform consumers clearly, using a notice similar to the privacy notice, accessible via a link on the homepage:

  • Sensitive personal information – “NOTICE: We may sell your sensitive personal data.”
  • Biometric data – “NOTICE: We may sell your biometric personal data.”

Data subject rights & requests

Consumers have the right to access, correct, delete, opt out of processing, and exercise data portability for their personal information. Businesses must address these requests without undue delay and within 45 days. They must establish at least two secure and reliable methods for consumers to submit such requests.

Vendor management

Under the Texas DPSA, businesses must ensure that vendors are able to cooperate with reasonable assessments and have vendor contracts in place to ensure compliance.

FAQs

  • Does the Texas DPSA require data protection assessments?

    The Act requires that a data protection assessment be conducted and documented for each of the following processing activities involving personal information:

    • For purposes of targeted advertising
    • For the sale of personal information
    • For purposes of profiling
    • For the processing of sensitive personal information
    • Any processing activities involving personal information that present a heightened risk of harm to consumers.

    The mandated data protection assessments are applicable solely to processing activities initiated after the effective date of this law and are not retroactive.

  • Who has privacy rights under the Texas DPSA?

    The DPSA provides privacy rights to Texas consumers acting in an individual or household context but excludes individuals acting in a commercial or employment context.

  • What is personal information and sensitive personal information under the Texas DPSA?

    Personal information is information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. This includes pseudonymous data when it is used in conjunction with supplementary information that facilitates the identification of an individual. It does not include de-identified data or publicly available information.

    Sensitive personal information is a category of personal information revealing (a) racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status; (b) genetic or biometric data that is processed for the purpose of uniquely identifying an individual; (c) personal data collected from a known child; or (d) precise geolocation data. Under the DPSA, consent is required before processing sensitive personal information.

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.
