Deep Dive: The Texas Data Privacy and Security Act

July 31, 2023

Introduction

As of June 18, 2023, Texas is now the 10th state to join the rapidly growing list of states with state-level data privacy legislation. The Texas Data Privacy and Security Act (TDPSA) is similar to the Virginia Consumer Data Protection Act (VCDPA), but it offers several novel approaches to privacy not seen in other state-level legislation.

When considering the impact of this new legislation, it is essential to remember that, of all the states, Texas has the second-largest gross domestic product (GDP) at $2.1 trillion and the second-largest population at 29.5 million. The technology, energy and agriculture industries contribute significantly to Texas’s economy. The impact of the TDPSA could be on par with the California Consumer Privacy Act (CCPA), passed in 2018 by the U.S. state with the largest GDP and population.

Application and Scope

The TDPSA applies to a person that:

  1. conducts business in this state or produces a product or service consumed by residents of this state
  2. processes or engages in the sale of personal data
  3. is not a small business as defined by the United States Small Business Administration (SBA)

The application of the TDPSA differs from other legislation in notable ways. It defines its scope in terms of “products or services consumed by residents” instead of “products or services targeted to residents.” This could be seen as a stricter definition, because it turns on a resident’s actual use of a product or service rather than on the business’s actions toward the resident. In addition, the law ties the “small business” threshold to the SBA, which uses an industry-specific method based on revenue and number of employees to define a “small business.” This differs from other state legislation, which often sets the “small business” threshold by a company’s revenue or by the number of state residents whose data the company processes.

Differences in Common Terms

The TDPSA shares terms and definitions with many other state laws, but there are some noteworthy differences. The term “personal data” includes pseudonymous data when used “in conjunction with additional information that reasonably links the data to an identified or identifiable individual.” The TDPSA is the first state law to explicitly include pseudonymous data in the scope of what is deemed personal data.

The “sale of personal data” includes personal data exchanged for monetary or “other valuable consideration.” This definition is closer to the California and Colorado laws than to the Virginia law, which does not include the sale of data for “other valuable consideration.” “Sensitive data” includes all of the standard items, except that the law uses “sexuality” instead of “sexual life” or “sexual orientation.” The TDPSA defines a “known child” as a person under 13 years of age whose age the business has actual knowledge of or “willfully disregards.”

Consumer Rights

Like other privacy legislation, the TDPSA grants consumers several rights relating to their personal data. The consumer rights represented include:

  • The right to confirm that a controller is processing a consumer’s personal data.
  • The right to access a consumer's personal data processed by the controller.
  • The right to correct inaccuracies in the consumer’s personal data.
  • The right to delete personal data provided by or obtained about the consumer.
  • The right to portable data in a digital and usable format so the consumer can use their personal data with other controllers.
  • The right to opt out of processing for the purposes of targeted advertising, the sale of personal data, or profiling.
  • The right to appeal a controller’s decision to refuse action on a request.

A controller has 45 days to respond to a request, counted from the day it is received. Under certain circumstances, a controller may extend this deadline by an additional 45 days, but it must notify the consumer of the extension and the reason for it before the original deadline ends.

Consent

The TDPSA requires consent for the processing of sensitive personal data and the processing of personal data for secondary purposes. Consent for a “known child” (under the age of 13) must comply with the federal requirements found in the Children’s Online Privacy Protection Act (COPPA).

The TDPSA requires small businesses to collect consent from consumers before selling their sensitive personal data. This requirement applies to all small businesses, even those that are otherwise out of scope and exempt from the other provisions of the TDPSA.

Disclosure and Notice Requirements

Under the TDPSA, controllers must publish privacy notices that include the following information:

  • Categories of personal data processed.
  • Purposes for processing personal data.
  • Instructions on how consumers can exercise their rights, including the right to appeal.
  • Categories of personal data shared with third parties.
  • Categories of third parties that the controller shares data with.

Most other privacy laws share these privacy notice requirements. The TDPSA differentiates itself by requiring controllers, where applicable, to post a separate notice to consumers when they sell specific categories of personal data. A controller that sells sensitive personal data must post: "NOTICE: We may sell your sensitive personal data." A controller that sells biometric personal data must post: "NOTICE: We may sell your biometric personal data." These notices must appear alongside the privacy notice.

Enforcement

The Texas attorney general has exclusive authority to enforce the TDPSA. The attorney general may issue a civil investigative demand when there is reasonable cause to believe that a person has violated the TDPSA. The attorney general may also request that a controller disclose any data protection assessments related to the investigation. A person who violates the TDPSA is liable for a civil penalty not exceeding $7,500 per violation, as well as any injunctive relief.

The TDPSA includes a 30-day cure period that allows a person to address the violation identified by the attorney general. The person must cure the identified violation within the 30-day period and provide the attorney general with a written statement that the person:

  • Cured the alleged violation.
  • Notified the consumer that the person addressed the consumer’s privacy violation.
  • Provided supportive documentation showing how the person cured the violation.
  • If necessary, made changes to internal policies.

Most provisions under the TDPSA take effect on July 1, 2024. Controllers must begin recognizing universal opt-out methods on January 1, 2025.

How to Comply?

Although enforcement of the TDPSA begins about a year from now, companies can take several steps to prepare and position themselves for compliance:

  • Consumer Rights and Consent – Update or implement procedures for acting on consumer rights requests, methods for collecting consent, and mechanisms for honoring a consumer’s right to opt out.
  • Assessments and Inventories – Conduct new data protection assessments with requirements from the TDPSA to proactively identify and mitigate potential risks. Conduct or update a data inventory that identifies the personal data collected, processed and shared within your organization and with third parties.
  • Notices, Contracts and Training – Review and revise current privacy notices to meet the requirements of the TDPSA. Update employee training programs to include the new requirements of the TDPSA. Review and ensure that third parties are contractually obligated to comply with the TDPSA.

Sources Cited
https://wisevoter.com/state-rankings/gdp-by-state/#texas
https://wisevoter.com/state-rankings/states-by-population/#texas

Luke Barden
Consultant | Optiv
Luke Barden has years of experience in data privacy as a consultant in both regulatory compliance and technical software implementation. He has brought value to small businesses and Fortune 500 corporations in many industries. Luke is a subject matter expert (SME) in privacy program management, data privacy law, and enterprise software solutions for privacy governance. Areas of expertise include data discovery, data mapping, and compliance with several regulatory frameworks, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA).
