Published: June 20, 2023

Texas Data Privacy and Security Act Compliance Guide

Co-founder and President of Termageddon

On June 18, 2023, the Governor of Texas signed the Texas Data Privacy and Security Act (TDPSA) into law, providing residents of Texas with privacy rights and imposing privacy requirements on businesses. This law will go into effect on July 1, 2024 so businesses that need to comply with this law should begin their compliance efforts now to avoid heavy fines.

In this Compliance Guide, we will discuss the following important aspects of the TDPSA:

Who needs to comply with this new Texas privacy law;
How the law defines personal data;
The privacy rights provided to residents of Texas;
The Privacy Policy disclosure requirements of the TDPSA;
The penalties for failure to comply; and
How Termageddon will handle Privacy Policy updates for this new law.

Table of Contents

Who needs to comply with this new Texas privacy law?

The Texas Data Privacy and Security Act is similar to other privacy laws in the sense that a business does not need to be located in the State for the law to apply. The TDPSA applies to any person that conducts business in Texas or produces a product or service consumed by residents of Texas and that processes or engages in the sale of personal data.

It is important to note that a few types of organizations will not be subject to this law, including:

Nonprofit organizations; and
Small businesses, as defined by the United States Small Business Administration. The Small Business Administration defines “small business” as either an independent business with less than 500 employees or a business that makes under a certain amount of gross revenue per year. While small businesses are exempt from most of the requirements of the TDPSA, according to the law, small businesses may not engage in the sale of sensitive personal data without receiving prior consent from the consumer.

How does Texas’ privacy law define personal data?

The TDPSA defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable individual.” This means that information that is commonly collected through websites such as names, emails, phone numbers, IP addresses or physical addresses would be considered “personal data” and thus would be covered under this privacy law.

What privacy rights are provided to residents of Texas by the TDPSA?

This Texas privacy law was passed to protect the privacy of residents of the State by providing them with the following privacy rights:

Confirm whether a controller is processing the consumer’s personal data and to access that personal data;
Correct inaccuracies in the consumer’s personal data;
Delete personal data provided by or obtained about the consumer;
If the data is in a digital format, obtain a copy of the consumer’s personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller;
Opt out of the processing of personal data for targeted advertising;
Opt out of the sale of personal data;
Opt out of the processing of personal data for profiling;
Right to not be discriminated against for exercising privacy rights;
Right to appeal a decision made with regard to privacy rights.

Businesses must respond to consumer privacy rights requests within 45 days after the receipt of the request, though this period can be extended by an additional 45 days if necessary.

Texas Data Privacy and Security Act Privacy Policy requirements

One of the obligations that the TDPSA places upon businesses is to provide consumers with a reasonably accessible and clear Privacy Policy that includes the following disclosures:

The categories of personal data processed;
The purpose for processing the personal data;
How consumers can exercise their consumer rights, including how to appeal a privacy rights decision;
The categories of personal data shared with third parties, if any;
The categories of third parties with whom the data is shared, if any;
If a controller engages in the sale of sensitive personal data: “NOTICE: We may sell your sensitive personal data”;
If a controller engages in the sale of biometric personal data: “NOTICE: We may sell your biometric personal data”;
If a controller sells personal data or processes personal data for targeted advertising, the Privacy Policy must state this fact and how a consumer may opt out of such use or sale.

Businesses that need to comply with this law will need to ensure that their Privacy Policy is updated to reflect these new disclosure requirements prior to the law’s effective date.

Penalties for not complying with Texas’ new privacy law

The TDPSA will be enforced by the Texas Attorney General who can issue a civil penalty of up to $7,500 per violation. In this case, “per violation” can mean per website visitor whose privacy rights were infringed upon, meaning that fines for non-compliance can add up very quickly.

Termageddon’s plan for the TDPSA

We will continue to track this new privacy law and any regulations and guidance released by the Texas legislature. If you have already created your Privacy Policy with Termageddon, we will send you an email and update your Privacy Policy accordingly prior to this law’s effective date. If you are not a customer of Termageddon or do not have a strategy to keep your Privacy Policy up to date with new privacy laws such as this one, check out the Termageddon Privacy Policy generator.

About the Author

Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.

Search the Site