Texas Data Privacy and Security Act: What businesses need to know in 2025

Overview of the TDPSA

The Texas Data Privacy and Security Act (TDPSA) officially became law on July 1, 2024, marking a significant step forward in the ongoing push for stronger personal data protections across the United States. This legislation is designed to provide Texans with more control over their personal information by establishing clear, enforceable rules for businesses that collect, use, and store such data. The TDPSA emphasizes transparency, consumer rights, and robust security measures, setting a new standard for data privacy. In this guide, we’ll outline the law’s key provisions, who it applies to, and actionable steps businesses should take to ensure compliance.

Key rules of the TDPSA

The TDPSA outlines a comprehensive framework for how businesses must handle personal information. Here are the primary provisions:

  • Broad Data Coverage: The law applies to any personal information linked to an individual, including names, addresses, email addresses, or biometric data. This wide scope ensures most identifiable data is protected.
  • Prohibition of Deceptive Practices: The use of “dark patterns”—manipulative techniques that trick people into sharing data unknowingly—is strictly banned. Businesses must obtain consumer consent ethically and transparently.
  • Explicit Consent for Sensitive Data: Companies are required to obtain explicit consent before collecting or using sensitive information, such as health records, genetic data, or biometric identifiers. This provision guarantees consumers retain full control over their most private details.

Who must comply?

The TDPSA applies to a broad range of businesses operating in Texas or targeting Texas residents. Specific criteria include:

  • Companies with annual revenue exceeding $25 million.
  • Businesses processing personal data for at least 50,000 Texas residents annually.
  • Companies deriving over 50% of their revenue from selling personal data.

Exemptions for Small Businesses: The TDPSA includes exemptions for small businesses, as defined by federal size standards. These exemptions reduce compliance burdens for smaller enterprises, distinguishing the TDPSA from more stringent privacy laws like the California Consumer Privacy Act (CCPA).

Consumer rights under the TDPSA

The TDPSA grants Texans new rights to manage their personal data effectively. Key consumer rights include:

  • Data access: Consumers can request a detailed report of the personal information a business holds about them.
  • Correction of errors: Individuals can request corrections to inaccurate or outdated data.
  • Data deletion: Texans have the right to ask businesses to delete their personal data, enhancing their ability to protect their privacy.
  • Opt-out options: Consumers can opt out of having their data sold or used for targeted advertising, giving them greater control over its use.

Compliance requirements for businesses

To adhere to the TDPSA, businesses must implement several measures:

  1. Conduct risk assessments: Regularly evaluate risks associated with handling sensitive data and ensure adequate safeguards are in place.
  2. Obtain informed consent: Clearly and explicitly request permission from consumers before collecting or using sensitive information.
  3. Maintain transparency: Publish straightforward privacy notices detailing how personal data is collected, stored, and shared.
  4. Enhance security protocols: Implement strong data protection measures, such as encryption and cybersecurity systems, to prevent breaches and unauthorized access.

Penalties for non-compliance

The Texas Attorney General’s office oversees the enforcement of the TDPSA. Businesses that fail to comply face significant consequences:

  • Resolution period: Companies are granted a 30-day window to address and resolve violations after receiving notification. This grace period allows businesses to correct errors without immediate penalties.
  • Fines: If violations remain unresolved, businesses can face fines of up to $7,500 per infraction. For companies mishandling large amounts of data, these fines can escalate rapidly.

Unique features of the TDPSA

While similar to other state privacy laws, the TDPSA includes several distinct provisions:

  • Small business exemptions: Clear exemptions for small businesses reduce compliance challenges for smaller enterprises.
  • Ban on dark patterns: The strict prohibition of manipulative tactics ensures consumers are fully aware of their data rights.
  • Focus on explicit consent: The law emphasizes obtaining clear permission before handling sensitive data, offering stronger consumer protections.

Steps businesses can take to prepare

Preparation is key to complying with the TDPSA and avoiding penalties. Businesses should consider these steps:

  1. Revise privacy policies: Update privacy notices to reflect the rights granted under the TDPSA and clarify data practices.
  2. Audit data management: Conduct a comprehensive review of how personal data is collected, stored, and shared to identify compliance gaps.
  3. Bolster security measures: Invest in cutting-edge cybersecurity tools to protect sensitive data against breaches and unauthorized access.
  4. Educate employees: Train staff on TDPSA requirements, emphasizing their role in maintaining compliance across departments.

Why the TDPSA matters

The TDPSA represents a significant milestone in data privacy, prioritizing transparency and empowering consumers to control their personal information. For businesses, compliance is not just about avoiding penalties—it’s an opportunity to build trust and demonstrate a commitment to ethical data practices. As privacy laws evolve nationwide, staying informed and proactive will be critical for maintaining compliance and fostering long-term customer loyalty.
