Skip to Main Content
Main Menu
Search Opener
Search Close
Contact us
Regulation

Texas Data Privacy and Security Act

The Texas Data Privacy and Security Act (TDPSA) is the statewide privacy law in Texas, granting Texas consumers data privacy rights and establishing data protection obligations for covered organizations. It imposes a civil penalty for violations of the provisions in this law. It grants the Attorney General the exclusive authority of enforcement – effective on July 1, 2024.

Are you subject to the Texas Data Privacy and Security Act?

The Texas Data Privacy and Security Act (DPSA) applies to organizations who meet the following criteria:

  • Conducts business in Texas and produces products or services consumed by Texas residents

  • Processes or engages in the sale of personal information.

  • Is not a small business as defined by the United States Small Business Administration.

Obligations & Rights under the TDPSA

This data privacy and protection law requires organizations to provide control and transparency to Texas consumers on how their personal information is collected, sold, and disclosed.

Consents & opt-outs

Consent must be obtained before processing a consumer’s personal information and obtaining verifiable parental consent for children below the age of 13. Consumers must also be provided with clear information regarding their ability to opt out of targeted advertising, the sale of personal information, and profiling within the privacy notice. Under Texas DPSA, the opt out mechanism must be a technology that:

  • May not unfairly disadvantage another controller
  • May not utilize default settings but must require an affirmative, freely given, and unambiguous choice to opt out
  • Must be consumer-friendly and easy to use.

Covered organizations must recognize the required opt-out mechanism by January 1, 2025.

Policies & notices

Organizations must provide consumers with a reasonably accessible and a clear privacy notice, that includes the categories of personal information and sensitive personal information collected and shared with third parties, the purposes of data processing, and the instructions for consumers to exercise their rights. If a business engages in the sale of any of the following data, the equivalent notice must be provided to consumers in the same manner as the privacy notice via the required link on the homepage:

  • Sensitive personal information – “NOTICE: We may sell your sensitive personal data.”
  • Biometric data – “NOTICE: We may sell your biometric personal data.”

Data subject rights & requests

Consumers have the right to access, correct, delete, opt out of processing, and exercise data portability rights concerning their personal information. Businesses must be able to fulfill and address these requests without undue delay and within 45 days of receiving the request. Businesses must establish two or more secure and reliable methods to facilitate consumers in submitting requests to exercise their consumer rights.

Vendor management

Under the Texas DPSA, businesses must ensure that vendors are able to cooperate with reasonable assessments and have vendor contracts in place to ensure compliance.

Webinar

Nymity Framework: Privacy & Data Protection Update in 7 States

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data.

Achieve compliance

FAQs

  • Does the Texas DPSA require data protection assessments?

    The Act requires that a data protection assessment must be conducted and documented for each of the following processing activity involving personal information:

    • For purposes of targeted advertising
    • For the sale of personal information
    • For purposes of profiling
    • For the processing of sensitive personal information
    • Any processing activities involving personal information that present a heightened risk of harm to consumers.

    The mandated data protection assessments are applicable solely to processing activities initiated after the effective date of this law and are not retroactive.

  • Who has privacy rights under the Texas DPSA?

    The DPSA provides privacy rights to Texas consumers acting in an individual or household context but excludes individuals acting in a commercial or employment context.

  • What is personal information and sensitive personal information under the Texas DPSA?

    Personal information includes sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. This includes pseudonymous data when utilized in conjunction with supplementary information that facilitates the identification of an individual. It does not include de-identified data or publicly available information.

    Sensitive personal information is a category of personal information revealing (a) racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status; (b) genetic or biometric data that is processed for the purpose of uniquely identifying an individual; (c) personal data collected from a known child; or (d) precise geolocation data. Under DPSA, consent is required before processing sensitive personal information.

Related resources

View all resources

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.

Back to Top