Texas Data Privacy and Security Act (TDPSA)

The Texas Data Privacy and Security Act (TDPSA) took effect on July 1, 2024, making Texas one of the largest US states to pass comprehensive privacy legislation. If your business collects or processes personal data from Texas residents, here is what you need to know.

What Is the TDPSA?

The TDPSA establishes a framework for how businesses must handle Texans' personal data. Unlike some US state privacy laws, it doesn't set a revenue or data volume threshold; most commercial entities that process personal data and do business in Texas are covered.

The law gives consumers rights over their data, requires businesses to be transparent about their data practices, and mandates opt-out mechanisms for targeted advertising, data sales, and certain profiling activities. Controllers must respond to consumer requests within 45 days, extendable by another 45 days when reasonably necessary.

Who Does the TDPSA Apply To?

The TDPSA applies to businesses that conduct business in Texas or offer products or services to Texas residents, and that process personal data in the course of that activity. There's no minimum revenue or consumer threshold.

Exemptions apply to Texas state agencies, financial institutions regulated under the Gramm-Leach-Bliley Act, HIPAA-covered entities and their business associates, and nonprofit organisations. Higher education institutions and certain employment-related data are also carved out. Small businesses as defined by the US Small Business Administration are exempt, provided they don't sell sensitive data.

Consumer Rights Under the TDPSA

Texas residents can exercise the following rights against businesses covered by the law:

• Right to access: confirm whether a business is processing their personal data and request a copy
• Right to correction: request that inaccurate personal data be corrected
• Right to deletion: request deletion of personal data the consumer provided or that was collected about them
• Right to data portability: receive a copy of their personal data in a portable, usable format
• Right to opt out: opt out of the sale of their personal data, targeted advertising, and profiling used for decisions with legal or similarly significant effects

Businesses must respond to verified requests within 45 days. If a business denies a request, the consumer may appeal, and the business must respond to the appeal within 60 days.

Opt-Out Requirements

The TDPSA requires businesses to give consumers a clear, accessible way to opt out of three specific activities: the sale of personal data, targeted advertising, and profiling that produces decisions with significant legal effects.

Businesses were also required to recognise universal opt-out signals (including the Global Privacy Control) by January 1, 2025. This means that if a user's browser sends a GPC signal, the business must treat it as a valid opt-out request without requiring the consumer to take any additional action.

Sensitive Data and Opt-In Consent

Processing sensitive data under the TDPSA requires opt-in consent before processing. The law defines sensitive data as racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship status; genetic or biometric data processed to uniquely identify an individual; personal data of a known child under 13; and precise geolocation data (within a 1,750-foot radius).

This is stricter than the opt-out default that applies to most personal data under the law, and requires an affirmative consent mechanism before any sensitive data processing begins.

Data Protection Assessments

Controllers must conduct data protection assessments before undertaking processing activities that present heightened risk, including:

• Targeted advertising
• Sale of personal data
• Processing sensitive data
• Profiling where there is a reasonably foreseeable risk of harm to consumers
• Any other processing that presents a heightened risk of harm to consumers

These assessments don't need to be published, but must be made available to the Texas Attorney General upon request. There's no set format required, but the assessment should document the purpose of the processing, the benefits weighed against the risks, and any safeguards in place.

Cookies and Tracking Under the TDPSA

Cookies and tracking technologies that collect personal data fall within the TDPSA's scope when used for targeted advertising or data sales. IP addresses, device identifiers, browsing behaviour, and location data can all constitute personal data under the law.

Businesses relying on third-party ad technology should audit which vendors receive personal data and ensure opt-out mechanisms extend to those data flows, not just first-party collection. A data protection assessment is likely required for any targeted advertising activity.

Use the UniConsent Cookie Consent Manager to manage opt-out preferences and universal opt-out signal recognition across your Texas audience.

How UniConsent Supports TDPSA Compliance

UniConsent provides the consent and preference management infrastructure businesses need to meet TDPSA requirements:

• Opt-out and opt-in consent banners configurable by jurisdiction
• Global Privacy Control (GPC) signal recognition
• Consumer data rights request management (access, correction, deletion, portability)
• Data protection assessment support and documentation
• Integration with websites, mobile apps, and tag managers

Explore UniConsent's compliance tools or get started with a free account.