TDPSA

Texas Data Privacy and Security Act

Texas's comprehensive consumer privacy law, in force since July 2024. It applies broadly, with no consumer-count or revenue threshold for businesses that are not small businesses.

At a glance

  • Effective: 1 July 2024
  • Authority: Texas Attorney General
  • Maximum fine: $7,500 per violation
  • Vendor monitoring: Required (§ 541.104, processor obligations)

The Texas Data Privacy and Security Act is, by design, the most broadly applicable of the comprehensive US state privacy laws. It does not impose a revenue threshold or a consumer-count threshold for businesses that are not "small businesses" under the SBA definition, so many medium-sized companies that would fall outside VCDPA, CPA, or CCPA are in scope.

Who it applies to

TDPSA applies to a person who:

  • Conducts business in Texas or produces products / services consumed by Texas residents,
  • Processes or engages in the sale of personal data, and
  • Is not a small business as defined by the U.S. Small Business Administration.

The SBA definition varies by industry but is roughly: under 500 employees in most manufacturing sectors, under specific revenue limits in service sectors. Many B2B SaaS vendors targeting US customers find themselves above the small-business threshold and therefore in scope.

Controller and processor obligations

Largely parallel to VCDPA and CPA:

  • Privacy notice with specified contents.
  • Data Protection Assessments for high-risk processing (sale, targeted advertising, profiling, sensitive data).
  • Processor contracts with required terms.
  • Consumer rights with appeal mechanism.

Sensitive data — opt-in

Sensitive data under TDPSA:

  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status.
  • Genetic or biometric data processed for the purpose of uniquely identifying an individual.
  • Personal data of a known child.
  • Precise geolocation data.

Processing sensitive data requires opt-in consent. There is also a heightened disclosure requirement: if the business sells such data, its privacy notice must include the statement "NOTICE: We may sell your sensitive personal data".

Consumer rights

The standard set: access, correct, delete, portability, opt-out of sale / targeted advertising / profiling. Response within 45 days. Right to appeal a denial.

What vendor monitoring looks like under TDPSA

The compliance pattern is similar enough to VCDPA and CPA that a single vendor monitoring program can satisfy all three. Specific Texas considerations:

  • Sensitive-data sale disclosure. A vendor whose privacy notice includes language indicating they sell sensitive data triggers the disclosure obligation for the controller's notice.
  • Small-business carveout reliance. A small-business vendor not directly subject to TDPSA may still be a controller's processor, and the controller's TDPSA obligations flow through the contract regardless.

Enforcement

The Attorney General has exclusive enforcement authority. There is a 30-day cure period before action. No private right of action.

Enforcement to date has been low-volume and generally informal, consistent with most state-level privacy regulators in the early years of a new regime.
