
What is the TDPSA?

The Texas Data Privacy and Security Act (TDPSA) is a state-level data privacy law enacted to enhance the privacy rights of Texas residents and impose requirements on businesses handling their personal data. Similar to other U.S. state privacy laws, the TDPSA aims to give consumers more control over their personal information. It was signed into law on June 18, 2023, and is set to take effect on July 1, 2024.

Where does the TDPSA apply?

The Texas Data Privacy and Security Act (TDPSA) applies to businesses that conduct business in Texas, or produce products or services targeted to Texas residents. To fall under the TDPSA, businesses must meet specific thresholds or requirements:
Specific Requirements:
- Data Volume: process or control the personal data of at least 50,000 Texas residents in a calendar year.
- Revenue from Data Sales: process or control the personal data of 25,000 Texas residents and derive at least 25% of their gross revenue from the sale of personal data.
Exemptions:
- Nonprofits and government entities.
- Businesses subject to federal regulations such as HIPAA, GLBA, or FERPA.


What are some possible reasons for a penalty?

Common reasons include:
- Failure to respond to consumer requests: Ignoring or not fulfilling consumer rights requests (to access, correct, delete, or opt out of personal data processing) within the required timeframe.
- Processing sensitive data without consent: Collecting or processing sensitive data (e.g., biometric, health, or precise geolocation information) without obtaining explicit, opt-in consent from consumers.
- Lack of transparency: Not providing a clear, accessible privacy notice that explains data collection practices, usage purposes, and consumer rights.
- Insufficient Data Security Measures.

Who is liable for a penalty under TDPSA?

Under the Texas Data Privacy and Security Act (TDPSA), liability for penalties primarily falls on data controllers and data processors.

Penalties are enforced by the Texas Attorney General, targeting businesses that violate the law, regardless of their size, if they meet the applicability thresholds.


What are the penalties for non-compliance?

- Fines: Businesses can be fined up to $7,500 per violation, with each affected consumer potentially counting as a separate violation.
- Legal Action: The Attorney General can file lawsuits to stop unlawful practices and require businesses to fix any issues.
- Cure Period: Before penalties are applied, businesses are usually given 30 days to address and resolve any violations after being notified. If they fail to fix the issues, fines and further actions may follow.


Frequently Asked Questions

How do I obtain consent from individuals under the TDPSA?

To get consent under the Texas Data Privacy and Security Act (TDPSA), you need to make sure individuals clearly agree to how their data will be used.
Here’s how:
- Be clear and transparent about what data you’re collecting, why you need it, how it will be used, and if it will be shared with others.
- Use active consent by asking people to actively agree, like clicking “I agree” or checking a box. Pre-checked boxes or implied consent are not allowed.
- Get special permission for sensitive data: if you’re collecting sensitive information (like health, biometric, or geolocation data), you need opt-in consent where individuals clearly say “yes” to its use.
- Allow easy withdrawal: people can change their minds and withdraw consent at any time, so explain how they can do this.

How is the TDPSA enforced?

The Texas Data Privacy and Security Act (TDPSA) is enforced by the Texas Attorney General, who investigates violations and ensures businesses follow the rules. If a business breaks the law, it usually gets 30 days to fix the problem. If it doesn’t, the Attorney General can fine it up to $7,500 for each violation and take legal action to stop the bad practices.

Consumers cannot sue businesses directly under the TDPSA. Instead, they can report issues to the Attorney General, who decides if action is needed. This process keeps enforcement fair and gives businesses a chance to fix mistakes.

How do I make my business compliant with the TDPSA?

Start by determining if the law applies to you, such as processing data for 50,000 or more Texas residents, or processing data for at least 25,000 individuals and earning significant revenue from selling personal data. Create a clear and accessible privacy policy that explains what data you collect, how you use it, and the rights consumers have under the TDPSA. Set up systems that allow people to access, correct, or delete their data, or to opt out of having it sold or used for targeted advertising. If you process sensitive data, obtain clear, opt-in consent before collecting or using it. Finally, train your staff on the TDPSA requirements and best practices for handling personal data responsibly.

For Shopify merchants, tools like Consentmo can simplify compliance by managing cookie banners, consumer requests, and other privacy-related tasks.
