Looking to streamline your TPRM? Join our Product Deep Dive Webinar with live Q&A!
Register Now
Blog
Resources
Blog
Breaches
eBooks, reports, & more
Events
News
Compliance and Regulations
Categories
Attack Surface Management
Company News
Compliance and Regulations
Cybersecurity
Data Breaches
DevOps
Human Cyber Risk
Risks and Vulnerabilities
Third-Party Risk Management
Vendor Risk Management
The Texas Data Privacy and Security Act: TDPSA Explained
Last updated
January 16, 2025
{x} minute read

The Texas Data Privacy and Security Act: TDPSA Explained

Download the PDF guide
Free trial
Written by
Nicholas Sollitto
Senior Cybersecurity Writer
Nicholas's cybersecurity writing has been featured in G2.
Reviewed by
Kaushik Sen
Chief Marketing Officer
Kaushik has a background in software engineering, enterprise solution architecture, and data analytics. He brings a unique, data-driven perspective to cybersecurity education.
Table of contents

What is the Texas Data Privacy And Security Act (TDPSA)?

The Texas Data Privacy and Security Act (TDPSA) was enacted on June 18, 2023, making Texas the tenth U.S. state to authorize a comprehensive privacy law that protects resident consumers.

The TDPSA borrows many statutes from other state privacy laws, mainly the Virginia Consumer Data Protection Act (VCDPA) and the California Consumer Privacy Act (CCPA). Almost all provisions passed as a part of the TDPSA will go into effect on July 1, 2024, the same day the Florida Digital Bill of Rights (FDBR) becomes effective.

Entities that conduct business in Texas or produce a product that state residents consume will be the most affected by the TDPSA.

Learn how UpGuard’s all-in-one cybersecurity solution can help your business achieve compliance >

Texas Data Privacy and Security Act effective date

While most statutes of the TDPSA will go into effect on July 1, 2024, controllers have until January 1, 2025, to provide consumers with a process to opt out of the sale of their data, targeted advertising, or profiling. After the effective date, controllers must present consumers with an address (email, toll-free phone number, or link) where they can complete the opt-out process.

Does Your Business Need to Comply with the Texas Data Privacy and Security Act (TDPSA) in 2025?

Unlike other data privacy laws in the United States, the applicability of the TDPSA does not only include large businesses that process a significant amount of consumer data. Instead, the TDPSA applies broadly to a wide variety of organizations and individuals (outlined as controllers in the act) who meet ALL of the following criteria:

  • Conduct business in Texas or sell a product or service that Texas residents consume
  • Participate in the processing or sale of personal data
  • Are not defined as a small business by the United States Small Business Administration (SBA)

Important Note: The U.S. Small Business Administration defines a small business as an organization with fewer than 500 employees. However, the SBA also carries a variety of industry-level definitions of “small business,” which may include a gross income requirement.

Who is Exempt From the Texas Data Privacy Act?

Additional businesses, including some limited liability partnerships (LLP), may be exempt from the TDPSA if they fall into one of the following general exemption categories:

The TDPSA also does not apply to de-identified data, protected employee information, healthcare information (HIPAA), information regulated by the Fair Credit Reporting Act, or any of these types of information a business associate processes.

Consumer Rights Granted Under the TDPSA

The TDPSA provides residents of Texas with several rights regarding their sensitive personal data and data collection.

Consumer rights granted under the TDPSA include:

  • The right to know if a controller is collecting consumer data, what categories of personal data are being collected, and if the controller is participating in processing activities (all outlined in a privacy notice)
  • The right to correct and delete inaccuracies in data that has been collected
  • The right to receive a portable, digital report of the data that has been collected (data portability)
  • The right to opt out of the sale of personal data, advertising, or profiling that is the result of a legal concern on behalf of the consumer
  • The right to appeal the refusal of any other protection granted by the TDPSA

Personal Data vs. Sensitive Data (TDPSA)

The TDPSA broadly defines what constitutes personal data. According to the TDPSA, personal data includes any information, including sensitive data, that may be reasonably linked to an identifiable individual.

The TDPSA also explicitly states that pseudonymous data used alongside additional information is considered personal data.

The act defines sensitive data more narrowly as any personal data that falls into one of the following categories:

  • Reveals a person’s racial or ethnic origin, citizenship status, or immigration status
  • Indicates a person’s mental or physical health diagnosis
  • Describes a person’s religious beliefs
  • Genetic or biometric personal data used to identify an individual
  • Displays a person’s precise geolocation
  • Data collected from a known child

How Do Controllers Remain Compliant Under the Texas Privacy Law?

To remain compliant with the TDPSA, controllers must follow several data security regulations to protect a consumer’s personal data. Under the Senate’s privacy bill, controllers must:

  • Provide consumers with a privacy policy that explicitly states what types of data are being collected or processed and the data’s intended use,
  • Include a statement in their privacy policy that says, “NOTICE: We may sell your sensitive data” if they intend to sell biometric or other sensitive data
  • Practice data minimization, avoid secondary uses of data not listed in the public privacy notice, and conduct periodic data protection assessments
  • Take reasonable measures to ensure de-identified data cannot be retraced to any individual or data subject
  • Authenticate consumer requests promptly

How Can UpGuard Help Entities Achieve TDPSA Compliance?

As more and more states pass privacy legislation, businesses can expect compliance to become increasingly confusing. UpGuard offers organizations of all sizes a comprehensive cybersecurity solution to help combat this confusion, among other security concerns.

UpGuard’s Vendor Risk technology allows businesses to automate their vendor risk assessment process, receive real-time updates to their security posture, and manage compliance across all vendors in one central workflow.

UpGuard’s Breach Risk technology allows businesses to proactively monitor their attack surface around the clock, gain confidence in their cybersecurity protections, and protect their organization’s reputation.

Additionally, UpGuard offers security questionnaires that can allow organizations to take stock of their vendor’s security compliance and make a plan to remediate any critical risks and vulnerabilities.

Contract Requirements Between Controllers & Processors

The state of Texas has outlined the contract requirements controllers and processors must follow under the TDPSA.

The TDPSA states controllers must:

  • Outline clear instructions for the processing of personal data
  • Indicate the purpose of all processing activities
  • The types of data that are subject to processing
  • The duration in which processing will occur

The TDPSA states processors must:

  • Ensure confidentiality of all personal data
  • Delete and return all data to the controller after completing the service
  • Make available all information in their possession to demonstrate compliance
  • Cooperate with data assessments scheduled by the controller
  • Restrict subcontractors to the same regulations as themselves under the contract

Enforcing the Texas Data Privacy and Security Act

Governor Greg Abbott has tasked the Texas Attorney General (AG) with enforcing the TDPSA. The AG will carry out all regulatory action associated with the bill’s state laws. The TDPSA does not grant consumers the private right of action against covered entities.

If the AG’s office deems a controller is violating the TDPSA, the AG must provide a 30-day notice to the entity. Any entity that doesn’t cure a breach within the 30-day cure period may receive a civil penalty of up to US$7500.

Fines can add up quickly under the TDPSA; the AG tallies violations for every consumer affected. For example, if 100 consumers were affected by a particular breach, the civil penalty would be multiplied by 100.

Data Privacy Laws Around the United States

The data privacy movement currently circling the United States was primarily a response to the legislation set forth by the European Union. The EU’s General Data Protection Regulation (GDPR) set a precedent for how U.S. states would respond to controllers collecting personal data and other consumer privacy concerns.

The following states have passed comprehensive privacy protection legislation:

California (CCPA)

Colorado (CPA)

Connecticut (CTDPA)

Indiana (INCDPA)

Iowa (ICDPA)

Montana (MTCDPA)

Tennessee (TIPA)

Texas (TDPSA)

Utah (UCPA)

Virginia (CDPA)

Related posts

Learn more about the latest issues in cybersecurity.
Compliance and Regulations

NIST compliance in 2025: A complete implementation guide

NIST compliance ensures alignment with leading cybersecurity frameworks. Explore how the NIST standards can safeguard sensitive data and manage third-party
Edward Kost
Edward Kost
December 2, 2025
Compliance and Regulations

Introducing UpGuard’s DPDP Act Security Questionnaire

Discover the latest addition to UpGuard's industry-leading Questionnaire Library and learn how to achieve comprehensive DPDP compliance.
Nicholas Sollitto
Nicholas Sollitto
November 18, 2024
Compliance and Regulations

From NIS to NIS2: What Your Organization Needs to Know

Understanding the transition from NIS to NIS2 is crucial for protecting your organization. Explore the key changes and compliance steps in this blog.
Leah Sadoian
Leah Sadoian
July 3, 2025
Compliance and Regulations

How to Prepare for a Cyber Essentials Plus Audit

Learn more about the Cyber Essentials Plus independent assessment process, and steps your organization can take to prepare.
Leah Sadoian
Leah Sadoian
July 3, 2025
Compliance and Regulations

PSPF 001-2024: Safeguarding GovTech from Foreign Influence

Explore Australia’s new PSPF Direction, including key components and strategies to help government entities prevent foreign influence over tech assets.
Leah Sadoian
Leah Sadoian
July 3, 2025
Compliance and Regulations

GDPR's Influence on Indian Data Protection Practices

Explore the impact of the GDPR on India's cyber regulations, comparing pre-GDPR and post-GDPR data protection laws.
Leah Sadoian
Leah Sadoian
July 10, 2025
All posts