Texas Data Privacy and Security Act (TDPSA)

Overview

The Texas Data Privacy and Security Act (TDPSA), signed into law on June 18, 2023, establishes regulations regarding the collection, use, processing, and protection of personal data by businesses operating in Texas. It aims to enhance transparency and accountability in the handling of consumer data, introducing rights for individuals and responsibilities for data controllers and processors. The TDPSA provides for civil penalties for violations and grants enforcement authority to the Texas Attorney General. It is comparable to the Virginia Consumer Data Protection Act but less stringent than California and Colorado privacy laws.

Regulation Summary

Timeline
  • June 18, 2023: TDPSA signed into law by Governor Greg Abbott.
  • July 1, 2024: TDPSA becomes effective.
  • January 1, 2025: Requirements for unified opt-out mechanisms and Global Privacy Control (GPC) signals take effect.
What Businesses Are Affected
  • Applicability Thresholds: Businesses conducting operations in Texas that meet one or more of the following criteria:
    • Generate $25 million or more in annual revenue.
    • Process personal data of 50,000 or more consumers annually.
    • Derive 25% or more of gross revenue from selling personal data.
Exemptions
  • State agencies, nonprofits, and institutions of higher education.
  • Entities governed by HIPAA, GLBA, or FERPA.
  • Personal data processed for employment purposes or publicly available data.
Responsibilities for Businesses
  • Transparency: Provide clear and accessible privacy notices detailing data collection and sharing practices.
  • Consumer Rights: Allow consumers to:
    • Access and delete their personal data.
    • Opt out of targeted advertising, data sales, and profiling.
  • Data Security: Implement administrative, technical, and physical safeguards appropriate to the volume and sensitivity of the data.
Specific Responsibilities for Website Owners
  • Display privacy notices and explicit opt-out mechanisms for data sales and targeted advertising.
  • Respond to verified consumer requests within 45 days, extendable by another 45 days if necessary.
  • Honor opt-out preference signals starting January 1, 2025.
Additional Requirements
  • Data Protection Assessments: Conduct assessments for high-risk activities, including:
    • Targeted advertising.
    • Sale of personal data.
    • Profiling with significant consumer impact.
  • Sensitive Data: Obtain explicit consent before processing sensitive data.
Data Subject Rights
  • Access: Request confirmation of data processing and obtain copies of personal data.
  • Correction: Rectify inaccuracies in personal data.
  • Deletion: Request deletion of personal data.
  • Portability: Receive data in a portable format.
  • Opt-Out: Refuse targeted advertising, profiling, and data sales.
Enforcement
  • Enforced by the Texas Attorney General.
  • Cure Period: 30 days to address violations.
  • Penalties: Civil penalties of up to $7,500 per violation.
  • No private right of action.