Texas Data Privacy and Security Act (TDPSA): Complete Guide (2025)

Quick Facts

  • Effective date: July 1, 2024 (universal opt-out requirement: January 1, 2025)
  • Applies to: nearly all businesses that conduct business in Texas or serve Texas residents and that process or sell personal data
  • Small business exception: companies with fewer than 500 employees are exempt (unless they sell sensitive data)
  • Penalties: up to $7,500 per violation
  • Enforcement: Texas Attorney General (exclusive)
  • Cure period: 30 days (never sunsets)
  • Private right of action: no
  • Consumer rights: five rights (know, access, correct, delete, opt-out)

What is TDPSA?

The Texas Data Privacy and Security Act (TDPSA) is Texas's comprehensive consumer privacy law that regulates how businesses collect, process, and sell personal data of Texas residents.

  • Signed: June 18, 2023
  • Effective: July 1, 2024
  • Universal opt-out requirement: January 1, 2025

Key Legislative Details

  • Bill: House Bill 4 (HB 4)
  • Model: Based on Virginia's CDPA and California's CCPA/CPRA
  • Scope: One of the broadest state privacy laws (no revenue thresholds)

What is Personal Data?

Personal data means information that is linked or reasonably linkable to an identified or identifiable individual. This includes:

  • Direct identifiers: Name, email, phone, address, SSN
  • Online identifiers: IP address, device ID, cookie ID, advertising ID
  • Pseudonymous data combined with other information that re-links it (e.g., a hashed email plus browsing history)
  • Sensitive personal data: Health, biometric, precise geolocation, race, religion, etc.

Excludes:

  • De-identified data (cannot reasonably be linked to an individual)
  • Publicly available information (government records, news)
  • HIPAA-covered health information
  • Financial data under GLBA

What is Processing?

Processing means any operation performed on personal data, including:

  • Collection, recording, organization, storage
  • Use, disclosure, transmission, deletion
  • Automated or manual operations

What is a Sale?

Sale means exchanging personal data for monetary or other valuable consideration.

Examples of sales:

  • Selling customer lists to data brokers
  • Sharing data with advertising partners for payment
  • Providing data to third parties for their own use

Not a sale:

  • Sharing data with service providers/processors (who work on your behalf)
  • Disclosures to affiliates
  • Data shared with consumer consent
  • Data needed to complete transactions

Does TDPSA Apply to Your Startup?

TDPSA has one of the broadest scopes of any state privacy law. Unlike CCPA (which has revenue and data volume thresholds), TDPSA applies to nearly all businesses.

Applicability Test

Your startup is covered by TDPSA if:

  1. You conduct business in Texas OR produce products/services consumed by Texas residents
  2. AND you process or engage in the sale of personal data

No Revenue or Data Volume Thresholds

Unlike CCPA, TDPSA does not require that you:

  • Earn a certain amount of revenue
  • Process data of a certain number of consumers
  • Derive a certain percentage of revenue from data sales

Who is Exempt?

  1. Small businesses (fewer than 500 employees)
    • Exception: If you sell sensitive personal data, you must obtain consent regardless of size
  2. Government entities
  3. Nonprofit organizations
  4. Covered entities under HIPAA (for PHI only)
  5. Financial institutions under GLBA (for financial data only)
  6. Higher education institutions (for student records)
  7. National securities associations
  8. Air carriers
  9. Entities complying with federal laws (FCRA, FERPA, DPPA, etc.)

Common Scenarios

  • Texas-based SaaS company with 20 employees: ❌ No (small business exemption)
  • Same company sells health data to advertisers: ✅ Yes (selling sensitive data)
  • California startup with Texas customers, 50 employees: ❌ No (small business exemption)
  • Same startup reaches 500 employees: ✅ Yes (no longer a small business)
  • E-commerce company with 600 employees: ✅ Yes (exceeds small business threshold)
  • Texas-based nonprofit processing donor data: ❌ No (nonprofit exemption)

Small Business Exemption

TDPSA provides a unique small business exemption that is critical for most startups.

SBA Definition

TDPSA uses the Small Business Administration (SBA) definition of small business:

  • Generally, companies with fewer than 500 employees
  • Specific thresholds vary by industry (see SBA Size Standards)

Employee Count

Includes:

  • Full-time employees
  • Part-time employees
  • Contractors (if treated as employees for IRS purposes)
  • Employees at all locations (parent company + subsidiaries)

Typical industry thresholds (SBA size standards):

  • Software publishers: 500 employees or $47M revenue
  • Data processing, hosting: 500 employees or $47M revenue
  • E-commerce: 500 employees or $47M revenue
  • Professional services: 500 employees
  • Retail: 500 employees or $8M-$47M revenue (varies)

Critical Exception: Selling Sensitive Data

Even if you qualify as a small business, you must obtain consumer consent before selling sensitive personal data.

Sensitive personal data includes:

  • Health information, genetic data, biometric data
  • Precise geolocation (within 1,750 feet)
  • Social Security number, driver's license, passport
  • Account credentials (username + password)
  • Race, ethnicity, religion, union membership
  • Sexual orientation, sex life
  • Citizenship or immigration status
  • Private communications (email, text, voicemail)
  • Child data (under 13)

Example:

  • Scenario: 50-person health tech startup sells anonymized health data to pharmaceutical companies
  • Analysis: Exempt from most TDPSA requirements due to small business exemption, BUT must obtain explicit consumer consent before selling health data (sensitive personal data)
  • Compliance: Add consent checkbox at signup: "I consent to the sale of my health information to pharmaceutical companies for research purposes"

When You Lose the Exemption

You lose the small business exemption when:

  1. You exceed 500 employees (check annually)
  2. You sell sensitive personal data (consent required immediately)

Planning tip: Track your employee count quarterly. When you approach 480-490 employees, begin TDPSA compliance preparation (6-12 months).


TDPSA Penalties & Enforcement

Enforcement Authority

The Texas Attorney General has exclusive enforcement authority. There is no private right of action (consumers cannot sue directly).

Violation Penalties

  • Each violation: up to $7,500
  • Multiple violations: up to $7,500 multiplied by the number of violations

Example calculation:

  • Scenario: Company fails to honor 1,000 deletion requests
  • Penalty: 1,000 violations × $7,500 = $7,500,000 maximum penalty

30-Day Cure Period (Never Sunsets)

TDPSA provides a unique cure period that never expires:

  1. Notice: Texas AG notifies you of alleged violation
  2. Cure period: You have 30 days to cure the violation
  3. Certification: You must provide written certification that you've cured the violation
  4. No penalty: If cured within 30 days, no penalty assessed
  5. Enforcement: If not cured, AG can bring enforcement action

Unlike other states: This cure period never sunsets (it's permanent). In contrast:

  • Virginia's cure period expired after 1 year
  • Colorado's cure period expired Jan 1, 2025
  • California and Connecticut have no cure period

Strategic implication: Texas is more forgiving than other states, but don't rely on this—implement compliance proactively.

Enforcement Activity (2024-2025)

As of March 2025:

  • Enforcement actions: Limited (law only effective since July 2024)
  • Focus areas: Texas AG has prioritized:
    • Companies selling sensitive data without consent
    • Dark patterns in opt-out flows
    • Failure to recognize universal opt-out mechanisms (GPC)
  • Notable actions: No major enforcement actions yet (watch this space)

Expectation: Enforcement will ramp up in 2025-2026 as AG office builds capacity.


Consumer Rights Under TDPSA

Texas consumers have five primary rights under TDPSA.

Right to Know

Consumers can confirm whether you're processing their personal data.

Implementation:

  • Privacy notice must disclose categories of personal data processed
  • Respond to consumer requests within 45 days
  • Provide clear yes/no answer

Example request: "Are you processing my personal data?" Response: "Yes, we process your name, email, purchase history, and browsing behavior."

Right to Access

Consumers can obtain a copy of their personal data in a portable and readable format.

Requirements:

  • Machine-readable format (JSON, CSV, PDF)
  • All personal data you've collected about the consumer
  • Provided free of charge (up to 2 requests per year)
  • Respond within 45 days

Example:

{
  "consumer_id": "12345",
  "name": "Jane Doe",
  "email": "[email protected]",
  "purchase_history": [
    {"order_id": "[order id]", "date": "[date]", "items": "[items purchased]"}
  ],
  "browsing_history": [
    {"url": "[page visited]", "timestamp": "[timestamp]"}
  ]
}

Right to Correct

Consumers can correct inaccuracies in their personal data.

Requirements:

  • Verify the consumer's identity
  • Make corrections within 45 days
  • Notify third parties if data was shared

Examples:

  • Correct misspelled name
  • Update outdated address
  • Fix incorrect phone number

Implementation tip: Build a self-service portal where consumers can update their own information (reduces request volume).

Right to Delete

Consumers can request deletion of personal data you've collected about them.

Scope of deletion:

  • Production databases
  • Backups (or mark for deletion when backup is rotated)
  • Analytics platforms (Google Analytics, Mixpanel)
  • Marketing tools (Mailchimp, HubSpot)
  • Third-party processors (notify vendors to delete)

Exceptions (you may refuse deletion if necessary for):

  • Completing a transaction or service the consumer requested
  • Detecting security incidents, protecting against fraud
  • Debugging to identify and repair errors
  • Complying with legal obligations (e.g., tax records for 7 years)
  • Internal uses reasonably aligned with consumer expectations
  • Otherwise lawful uses compatible with the context

Example workflow:

  1. Consumer submits deletion request
  2. Verify identity (email confirmation or account login)
  3. Delete from production database
  4. Notify third-party processors (AWS, Google, email provider)
  5. Mark for deletion in backups
  6. Respond to consumer within 45 days: "Your personal data has been deleted"
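The workflow above, carried through in code as an added example (not code from the original guide): in-memory dictionaries stand in for the production database, the backup tombstone list and the third-party processors, and every record, consumer id and vendor name is constructed. It also handles the legal-obligation exception, retaining tax records and saying so in the response rather than claiming a full deletion.

```python
"""Deletion request fan-out across the systems listed above.

Added example for this guide, not code from the original page. In-memory
dictionaries stand in for the production database, the backup tombstone list
and the third-party processors; all records and vendor names are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

RESPONSE_DEADLINE_DAYS = 45  # TDPSA response window for consumer requests

# Constructed sample data. Tax records fall under the legal-obligation exception
# and are retained (and disclosed as retained) rather than deleted.
PRODUCTION_DB = {
    "c-1001": {"name": "Jane Doe", "email": "jane@example.test",
               "browsing_history": ["/shoes", "/cart"]},
}
TAX_RECORDS = {"c-1001": [{"order": "o-7", "total": 49.99, "year": 2024}]}
PROCESSORS = ["cloud-hosting", "email-provider", "analytics-vendor"]  # hypothetical vendors

BACKUP_TOMBSTONES = set()   # consumer ids to purge when each backup is rotated
PROCESSOR_NOTICES = []      # (vendor, consumer_id) deletion instructions sent
REQUEST_LOG = []            # audit trail of every request and its outcome


@dataclass
class DeletionRequest:
    consumer_id: str
    received: str    # ISO date the request arrived, e.g. "2025-03-01"
    verified: bool   # identity confirmed via emailed link or account login


def process_deletion(req: DeletionRequest) -> dict:
    """Run the six-step workflow and return the audit record for the response."""
    # Step 2: never act on an unauthenticated request (a fraudulent deletion is
    # itself a harm to the consumer)
    if not req.verified:
        outcome = {"consumer_id": req.consumer_id, "status": "rejected",
                   "reason": "identity not verified"}
        REQUEST_LOG.append(outcome)
        return outcome

    # Step 3: delete from the production database
    removed = PRODUCTION_DB.pop(req.consumer_id, None) is not None

    # Step 4: instruct every processor holding this consumer's data to delete it
    for vendor in PROCESSORS:
        PROCESSOR_NOTICES.append((vendor, req.consumer_id))

    # Step 5: backups are immutable snapshots, so tombstone the id and purge it
    # when the backup rotates
    BACKUP_TOMBSTONES.add(req.consumer_id)

    # Exception: records needed to meet a legal obligation are kept, and the
    # response says so instead of claiming full deletion
    retained_tax = len(TAX_RECORDS.get(req.consumer_id, []))

    # Step 6: respond within 45 days of receipt
    respond_by = date.fromisoformat(req.received) + timedelta(days=RESPONSE_DEADLINE_DAYS)
    outcome = {
        "consumer_id": req.consumer_id,
        "status": "deleted" if removed else "no data held",
        "retained": {"tax_records": retained_tax},
        "processors_notified": len(PROCESSORS),
        "backup_tombstoned": True,
        "respond_by": respond_by.isoformat(),
        "message": ("Your personal data has been deleted"
                    + ("; records we must keep for tax purposes are retained"
                       if retained_tax else "")),
    }
    REQUEST_LOG.append(outcome)
    return outcome


def is_tombstoned(consumer_id: str) -> bool:
    """The backup rotation job checks this before restoring or keeping a record."""
    return consumer_id in BACKUP_TOMBSTONES
```

The audit record returned by process_deletion is what you keep for the request log: it shows the deadline, what was deleted, what was retained and why, and which processors were instructed, which is the documentation the Texas AG would ask for during an investigation.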

Right to Opt-Out

Consumers can opt out of:

  1. Sale of personal data
  2. Targeted advertising
  3. Profiling in furtherance of decisions that produce legal or similarly significant effects

Implementation:

  • "Do Not Sell or Share My Personal Information" link in footer (if selling data)
  • Recognize universal opt-out mechanisms (GPC) as of Jan 1, 2025
  • No account required to opt out
  • Respect opt-out for at least 12 months (don't re-ask)

Profiling definition: Automated processing of personal data to evaluate, analyze, or predict personal aspects such as:

  • Economic situation, health, personal preferences
  • Interests, reliability, behavior, location, movements

Legal or similarly significant effects:

  • Denial of credit, employment, insurance
  • Pricing discrimination
  • Access to essential services

Business Obligations

TDPSA imposes several affirmative obligations on covered businesses.

1. Provide a Privacy Notice

You must maintain a clear and accessible privacy notice.

Required elements:

  • Categories of personal data you process
  • Purposes for processing
  • How consumers can exercise their rights (right to know, access, correct, delete, opt-out)
  • Categories of personal data you sell (if any)
  • Categories of third parties you share data with

Best practices:

  • Post on your website (footer link)
  • Write in plain language (avoid legalese)
  • Update annually or when practices change
  • Available in languages you do business in

2. Respond to Consumer Requests

Timeline: Within 45 days of receiving an authenticated request

Extensions: You may extend once by 45 additional days if reasonably necessary, provided you:

  • Notify the consumer within the initial 45-day period
  • Explain the reason for the extension

No charge: You must respond to consumer requests free of charge (up to 2 requests per year)

Excessive requests: You may charge a reasonable fee or refuse to act on requests that are:

  • Manifestly unfounded or excessive (e.g., 10+ requests per year)
  • Repetitive requests within 12 months

3. Authentication

You must establish a reasonable method to authenticate consumer requests to prevent fraudulent requests.

Methods:

  • Email confirmation (send link to email on file)
  • Account login (if consumer has an account)
  • Multi-factor authentication (for sensitive data)
  • Knowledge-based authentication (verify address, last purchase, etc.)

Balance: Sufficient to verify identity, but not overly burdensome (don't require 10 pieces of ID for a simple deletion request)
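The response-timeline, fee and authentication rules from sections 2 and 3, modelled in code as an added example (not the guide's own code): the request is authenticated with an HMAC-signed confirmation link sent to the email on file, the 45-day deadline is computed with the single extension allowed only when notice went out inside the initial window, and requests beyond the two free ones per year are flagged for a fee. The secret key, request ids and addresses are constructed; treating 10 or more requests a year as "manifestly excessive" follows the guide's example figure and is an assumption.

```python
"""Consumer request intake: deadline, extension, fee and authentication rules.

Added example for this guide, not the guide's own code. The secret key, request
ids and email addresses are constructed; the 10-requests-per-year cut-off for
"manifestly excessive" follows the guide's example and is an assumption.
"""
import hashlib
import hmac
from datetime import date, timedelta
from typing import Optional

INITIAL_WINDOW_DAYS = 45        # respond within 45 days of an authenticated request
EXTENSION_DAYS = 45             # one extension, if reasonably necessary
FREE_REQUESTS_PER_YEAR = 2      # free of charge up to two requests per year
EXCESSIVE_PER_YEAR = 10         # assumption: 10+ requests/year treated as excessive

SERVER_SECRET = b"constructed-demo-secret-replace-in-production"


def confirmation_token(request_id: str, email: str) -> str:
    """HMAC token embedded in the confirmation link sent to the email on file."""
    msg = f"{request_id}:{email.lower()}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def verify_confirmation(request_id: str, email: str, token: str) -> bool:
    """Constant-time comparison so a guessed token leaks no timing information."""
    return hmac.compare_digest(confirmation_token(request_id, email), token)


def extension_is_valid(received: str, notice_sent: Optional[str]) -> bool:
    """An extension only counts if the consumer was notified inside the initial window."""
    if notice_sent is None:
        return False
    initial_due = date.fromisoformat(received) + timedelta(days=INITIAL_WINDOW_DAYS)
    return date.fromisoformat(notice_sent) <= initial_due


def deadline(received: str, extension_notice_sent: Optional[str] = None) -> str:
    """ISO date by which the response is due."""
    due = date.fromisoformat(received) + timedelta(days=INITIAL_WINDOW_DAYS)
    if extension_notice_sent is not None:
        if not extension_is_valid(received, extension_notice_sent):
            raise ValueError("extension notice must be sent within the initial 45-day period")
        due += timedelta(days=EXTENSION_DAYS)
    return due.isoformat()


def disposition(prior_requests_this_year: int) -> str:
    """'free', 'fee' (a reasonable fee may be charged) or 'refuse' (manifestly excessive)."""
    n = prior_requests_this_year + 1          # include the request being received now
    if n <= FREE_REQUESTS_PER_YEAR:
        return "free"
    if n >= EXCESSIVE_PER_YEAR:
        return "refuse"
    return "fee"


def intake(request_id: str, email: str, token: str, received: str,
           prior_requests_this_year: int) -> dict:
    """Authenticate first, then decide how the request is handled and when it is due."""
    if not verify_confirmation(request_id, email, token):
        # Disclose, correct or delete nothing for an unverified requester
        return {"request_id": request_id, "status": "unverified",
                "action": "resend confirmation link; take no action on the data"}
    return {"request_id": request_id, "status": "verified",
            "disposition": disposition(prior_requests_this_year),
            "respond_by": deadline(received)}
```

Email confirmation is the lightest method on the list above and still gives a cryptographic link between the request and the address on file; for requests touching sensitive data, gate intake on account login or MFA instead of, or in addition to, the emailed token.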

4. Contracts with Processors

If you share personal data with processors (vendors who process data on your behalf), you must have a written contract that requires the processor to:

  • Process data only on your instructions
  • Implement reasonable security measures
  • Assist with consumer rights requests
  • Delete or return data when services are complete
  • Prohibit processor from selling data or using it for their own purposes

Example processors:

  • Cloud hosting (AWS, Google Cloud, Azure)
  • Email service (SendGrid, Mailgun)
  • Payment processor (Stripe, PayPal)
  • Analytics (Google Analytics, Mixpanel)
  • Customer support (Zendesk, Intercom)

Template language:

Processor agrees to:
(a) Process Personal Data only on Controller's documented instructions;
(b) Implement appropriate technical and organizational security measures;
(c) Assist Controller in responding to consumer rights requests;
(d) Delete or return Personal Data upon termination of services;
(e) Not sell Personal Data or use it for Processor's own purposes.

5. Implement Reasonable Security

You must implement reasonable administrative, technical, and physical safeguards to protect personal data from unauthorized access, destruction, use, modification, or disclosure.

Reasonable security practices:

  • Encryption in transit (TLS) and at rest (e.g., AES-256)
  • Access controls (role-based access, principle of least privilege)
  • Multi-factor authentication for employee access
  • Regular security testing (penetration tests, vulnerability scans)
  • Incident response plan
  • Employee training on data security

Risk-based approach: Security measures should be appropriate to:

  • Volume and sensitivity of personal data
  • Size and complexity of your business
  • Cost of implementation
  • Risk of harm to consumers

Sensitive Personal Data Requirements

TDPSA imposes special restrictions on the processing of sensitive personal data.

What is Sensitive Personal Data?

Sensitive personal data includes:

  1. Health information: Medical records, prescriptions, diagnoses, health conditions
  2. Genetic data: DNA test results, genetic predispositions
  3. Biometric data: Fingerprints, facial recognition, iris scans, voiceprints
  4. Precise geolocation: Location within 1,750 feet (535 meters)
  5. Social Security number
  6. Driver's license number, passport number, state ID
  7. Account credentials: Username + password, security questions
  8. Race, ethnicity, national origin
  9. Religious beliefs, union membership
  10. Sexual orientation, sex life
  11. Citizenship or immigration status
  12. Private communications: Email content, text messages, voicemail
  13. Child data: Personal data of children under 13

Small Business Exception: Consent Required

Even if you qualify as a small business (fewer than 500 employees), you must obtain consent before selling sensitive personal data.

Consent requirements:

  • Clear and conspicuous: Prominent disclosure, not buried in terms
  • Specific: Explain what sensitive data and how it will be sold
  • Opt-in: Consumer must affirmatively consent (pre-checked boxes don't count)
  • Separate from other consents: Don't bundle with terms of service

Example consent language:

☐ I consent to the sale of my [health information / precise geolocation / biometric data]
to [pharmaceutical companies / advertising partners / data brokers] for the following
purposes: [research / targeted advertising / analytics].

Learn more about how we use your data: [Privacy Policy link]

Privacy Notice Disclosure (All Businesses)

If you process or sell sensitive personal data, you must include this verbatim disclosure in your privacy notice:

Required disclosure:

Notice: We process [or sell] the following categories of sensitive personal data: [list categories]. You have the right to opt out of the processing of sensitive personal data. To exercise this right, [describe method].

Example:

Notice: We process the following categories of sensitive personal data: precise geolocation (to provide location-based services), health information (to personalize wellness recommendations), and biometric data (for facial recognition login). You have the right to opt out of the processing of sensitive personal data. To exercise this right, visit Your Privacy Choices or email [email protected].

Special Considerations by Data Type

  • Health data (fitness apps, telehealth, wellness): may also be subject to HIPAA (if PHI); obtain consent before selling; implement strong security
  • Precise geolocation (maps, ride-sharing, delivery): consumers are sensitive to tracking; allow opt-out; don't sell to data brokers
  • Biometric data (facial recognition, fingerprint login): may trigger biometric privacy laws such as Illinois BIPA; obtain consent; store securely
  • Account credentials (authentication systems): never sell; never store passwords in plain text, only as salted hashes from a password-hashing function; implement MFA
  • Private communications (email, messaging apps): don't access without consent; use end-to-end encryption; comply with wiretap laws
  • Child data (educational apps, games): may trigger COPPA (federal children's privacy law); obtain parental consent

Universal Opt-Out Mechanism (2025)

As of January 1, 2025, TDPSA requires businesses to recognize universal opt-out mechanisms (also called "global privacy controls").

What is a Universal Opt-Out Mechanism?

A technical signal sent by a consumer's browser, device, or browser extension that communicates the consumer's opt-out preference to websites.

Most common: Global Privacy Control (GPC)

GPC: How It Works

  1. Consumer enables GPC: User installs a browser extension (e.g., Privacy Badger, DuckDuckGo) or enables GPC in their browser settings (Safari, Firefox, Brave have built-in support)
  2. GPC signal sent: Browser sends HTTP header Sec-GPC: 1 with every request
  3. Website reads signal: Your website detects the GPC signal
  4. Opt-out applied: Your website automatically opts the consumer out of:
    • Sale of personal data
    • Targeted advertising
    • Profiling for decisions with legal/significant effects

Implementation Requirements

Effective date: January 1, 2025

You must:

  • Detect GPC signals (check for Sec-GPC: 1 HTTP header)
  • Honor GPC as a valid opt-out request (treat as if consumer clicked "Do Not Sell")
  • Apply opt-out across all data processing activities (don't just apply to one category)
  • Respect for at least 12 months (don't re-ask)

You cannot:

  • Charge a fee to consumers who use GPC
  • Discriminate against consumers who use GPC (e.g., deny service, different pricing)
  • Require consumers to disable GPC to use your service

Technical Implementation

Detection:

// JavaScript example
if (navigator.globalPrivacyControl === true) {
  // Consumer has enabled GPC
  // Opt them out of sale, targeted advertising, profiling
  disableDataSales();
  disableTargetedAdvertising();
  disableProfilingForSignificantDecisions();
}

Server-side detection:

# Python/Django example
def check_gpc(request):
    gpc_header = request.META.get('HTTP_SEC_GPC')
    if gpc_header == '1':
        # Consumer has enabled GPC
        # Apply opt-out
        disable_data_sales(request.user)
        disable_targeted_advertising(request.user)
        disable_profiling(request.user)
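A framework-independent version of the server-side check, as an added example rather than code from the guide: it accepts the header under its wire name (Sec-GPC) or the Django/WSGI key (HTTP_SEC_GPC), treats only the exact value 1 as a signal, applies the opt-out across all three categories at once, gates later data uses on the stored preference, and refuses to re-prompt inside the 12-month respect period. The preference store, session ids and request headers are constructed.

```python
"""GPC handling independent of any web framework.

Added example for this guide, not the guide's own code. The preference store,
subject ids and request headers are constructed. Django exposes the header as
request.META['HTTP_SEC_GPC']; a raw WSGI environ uses the same key, and most
other frameworks expose it under its wire name, Sec-GPC. Both are accepted here.
"""
from datetime import date, timedelta

# The three activities a GPC signal opts the consumer out of
OPT_OUT_CATEGORIES = ("sale", "targeted_advertising", "significant_profiling")
REASK_COOLDOWN_DAYS = 365   # honour the opt-out for at least 12 months

# Constructed in-memory store: consumer or session id -> preference record.
# A session id is enough as the key: no account may be required to opt out.
PREFERENCES = {}


def gpc_enabled(headers: dict) -> bool:
    """True only for the exact value the GPC specification defines (Sec-GPC: 1)."""
    raw = headers.get("Sec-GPC", headers.get("HTTP_SEC_GPC", ""))
    return raw.strip() == "1"


def apply_opt_out(subject_id: str, today: str, source: str = "gpc") -> dict:
    """Opt the subject out of every category at once and record when and why."""
    PREFERENCES[subject_id] = {
        "opted_out": set(OPT_OUT_CATEGORIES),
        "since": date.fromisoformat(today),
        "source": source,
    }
    return {"subject_id": subject_id, "opted_out": sorted(OPT_OUT_CATEGORIES)}


def allowed(subject_id: str, category: str) -> bool:
    """Gate for ad, sale and profiling pipelines: call this before using the data."""
    pref = PREFERENCES.get(subject_id)
    return pref is None or category not in pref["opted_out"]


def may_reask(subject_id: str, today: str) -> bool:
    """False while the 12-month respect period is running; never prompt inside it."""
    pref = PREFERENCES.get(subject_id)
    if pref is None:
        return True
    elapsed = date.fromisoformat(today) - pref["since"]
    return elapsed >= timedelta(days=REASK_COOLDOWN_DAYS)


def handle_request(subject_id: str, headers: dict, today: str) -> dict:
    """Per-request hook: a GPC signal is treated exactly like a clicked 'Do Not Sell'."""
    if gpc_enabled(headers):
        return apply_opt_out(subject_id, today)
    current = PREFERENCES.get(subject_id, {}).get("opted_out", set())
    return {"subject_id": subject_id, "opted_out": sorted(current)}
```

Keying the store on a session or device identifier rather than an account matters for the "no account required" rule; once the consumer does log in, merge the session-level opt-out into the account so the preference survives across devices.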

Alternative: Use a consent management platform (CMP) that supports GPC:

  • OneTrust
  • TrustArc
  • Cookiebot
  • Osano

Disclosures

You must disclose in your privacy notice:

  • That you recognize GPC signals
  • How consumers can enable GPC in their browser

Example disclosure:

Universal Opt-Out Mechanisms: We recognize the Global Privacy Control (GPC) as a valid opt-out request. If your browser sends a GPC signal, we will automatically opt you out of the sale of personal data, targeted advertising, and profiling. To enable GPC, visit https://globalprivacycontrol.org or install a GPC-enabled browser extension.


Data Protection Assessments

TDPSA requires businesses to conduct Data Protection Assessments (DPAs) for certain high-risk processing activities.

When DPAs Are Required

You must conduct a DPA when you engage in:

  1. Targeted advertising
  2. Sale of personal data
  3. Profiling in furtherance of decisions that produce legal or similarly significant effects
  4. Processing sensitive personal data
  5. Processing that presents a heightened risk of harm to consumers

What to Include in a DPA

A DPA must identify and weigh the benefits of the processing activity against the potential risks to consumers, considering:

Benefits:

  • Purpose of the processing activity
  • Business benefits (revenue, efficiency, innovation)
  • Benefits to consumers (personalization, better service)
  • Benefits to society (research, public health)

Risks:

  • Type of personal data involved (sensitivity)
  • Volume of data and number of consumers affected
  • Potential harms to consumers (discrimination, identity theft, financial harm)
  • Likelihood and severity of harm
  • Safeguards in place to mitigate risks

Weighing test:

  • Do the benefits of processing outweigh the risks?
  • Can you achieve the same benefits with less risky processing methods?
  • Are additional safeguards needed to reduce risks?

DPA Template

Data Protection Assessment
Date: [Date]
Processing Activity: [e.g., Targeted advertising using health data]

1. Description of Processing Activity:
   - What: [Describe the processing]
   - Why: [Purpose and benefits]
   - How: [Technical details]

2. Data Involved:
   - Categories: [e.g., health data, browsing behavior]
   - Volume: [e.g., 100,000 consumers]
   - Sensitivity: [High / Medium / Low]

3. Benefits:
   - Business: [e.g., $500K annual ad revenue]
   - Consumers: [e.g., More relevant health product recommendations]
   - Society: [e.g., Funds free health content]

4. Risks:
   - Potential harms: [e.g., Discrimination by insurers if data breached]
   - Likelihood: [High / Medium / Low]
   - Severity: [High / Medium / Low]

5. Safeguards:
   - [e.g., De-identification of health data before sharing]
   - [e.g., Contractual restrictions on advertisers]
   - [e.g., Regular security audits]

6. Balancing:
   - Do benefits outweigh risks? [Yes / No]
   - Less risky alternatives considered? [Yes / No]
   - Additional safeguards needed? [Yes / No]

7. Conclusion:
   - [Proceed / Modify / Discontinue processing activity]

8. Approval:
   - Name: [Privacy Officer / Legal Counsel]
   - Date: [Date]

Frequency

Conduct DPAs:

  • Initially: Before beginning a new processing activity
  • Periodically: Review annually or when processing activities change
  • Ad hoc: When a new risk is identified (e.g., data breach at third-party vendor)

Retention

Maintain DPAs for at least 3 years after the processing activity ceases.

Why: Texas AG may request DPAs during an investigation. Having thorough documentation demonstrates good faith compliance.


Privacy Notice Requirements

TDPSA requires you to provide a clear, accessible, and meaningful privacy notice to consumers.

Required Disclosures

Your privacy notice must include:

  1. Categories of personal data processed
    • Example: "We collect name, email, phone number, billing address, credit card information, browsing history, and purchase history"
  2. Purposes for processing
    • Example: "We use your data to process orders, send marketing emails, improve our website, and show you targeted ads"
  3. Categories of personal data shared with third parties
    • Example: "We share billing information with payment processors, shipping addresses with delivery services, and behavioral data with advertising partners"
  4. Categories of third parties
    • Example: "We share data with service providers (hosting, email, payment processors), analytics companies, and advertising networks"
  5. How consumers can exercise their rights
  6. Whether you sell personal data
    • Example: "We sell behavioral data to advertising partners. You can opt out at Do Not Sell"

Special Disclosure for Sensitive Data

If you process or sell sensitive personal data, include this verbatim disclosure:

Notice: We process [or sell] the following categories of sensitive personal data: [list categories]. You have the right to opt out of the processing of sensitive personal data. To exercise this right, [describe method].

Special Disclosure for Biometric Data

If you sell biometric data, include this verbatim disclosure:

Notice: We sell biometric data. You have the right to opt out of the sale of biometric data. To exercise this right, [describe method].

Accessibility Requirements

Your privacy notice must be:

  • Reasonably accessible: Posted on your website (usually in footer)
  • Clear language: Plain English, not legalese (8th-10th grade reading level)
  • Conspicuous: Not hidden in dense legal text
  • Available in the right languages: provide it in the same languages in which you conduct business

Best practices:

  • Use headings, bullet points, tables (not walls of text)
  • Provide a short-form notice (1-2 pages) with link to full policy
  • Make it searchable (consumers should be able to quickly find specific topics)
  • Update date prominently displayed

Layered Approach

Consider a layered privacy notice:

Layer 1: Just-in-time notices

  • Brief pop-ups or banners at point of collection
  • Example: "We use cookies to personalize your experience. [Learn More]"

Layer 2: Short-form notice (1-2 pages)

  • Key highlights, consumer rights, contact info
  • Example: [Privacy Notice Summary]

Layer 3: Full privacy policy (10-20 pages)

  • Comprehensive disclosures, legal details
  • Example: [Full Privacy Policy]

Dark Patterns Prohibition

TDPSA prohibits dark patterns in the exercise of consumer rights.

What are Dark Patterns?

Dark patterns are user interfaces designed to subvert or impair user autonomy, decision-making, or choice.

Examples of prohibited dark patterns:

  • Trick questions: "Don't you want to not opt out?" (double negative); confuses consumers
  • Obstruction: requiring 10 clicks to opt out vs 1 click to opt in; makes opt-out unreasonably difficult
  • Sneak into basket: pre-checked "Share my data" box hidden in checkout; tricks consumers into consenting
  • Confirmshaming: "No thanks, I don't care about my privacy" button; guilts consumers into consenting
  • Forced action: "You must consent to targeted ads to use our service"; coerces consent (discrimination)
  • Disguised controls: opt-out link styled to look disabled or fake; misleads consumers
  • False urgency: "Opt out now or lose your account in 24 hours!"; pressures consumers
  • Bait and switch: "We don't sell your data" → sells to "partners"; misleads consumers

Compliant Opt-Out Design

Good example:

[Your Privacy Choices]

We use your data for targeted advertising. You can opt out at any time.

[ ] Opt out of targeted advertising

[Save Preferences]

Questions? Contact [email protected]

Bad example (dark pattern):

[Privacy Settings - Page 7 of 10]

Don't you NOT want to continue receiving relevant offers
tailored to your interests? (Opting out may limit your
experience and we might be sad.)

[ ] No, I want to see irrelevant ads (opt out)
[X] Yes, I want to see relevant ads

[Previous] [Cancel] [Next]

(Opt-out button styled to look like disabled gray button,
hidden at bottom of page after 3 paragraphs of marketing copy)

Enforcement

Dark patterns are a per se violation of TDPSA. If the Texas AG finds you're using dark patterns:

  • No cure period defense
  • $7,500 penalty per violation
  • Reputational harm (public enforcement actions)

Recommendation: User-test your opt-out flows with real consumers. If they're confused or frustrated, you likely have a dark pattern problem.


TDPSA Compliance Checklist

Use this checklist to implement TDPSA compliance step by step.

Phase 1: Determine Applicability (Week 1)

  • [ ] Check if TDPSA applies to your business
    • [ ] Do you conduct business in Texas or serve Texas residents?
    • [ ] Do you process or sell personal data?
    • [ ] Do you qualify for small business exemption (fewer than 500 employees)?
    • [ ] Do you sell sensitive personal data? (If yes, consent required even if small business)

Phase 2: Create or Update Privacy Notice (Week 2)

  • [ ] Draft TDPSA-compliant privacy notice
    • [ ] Disclose categories of personal data processed
    • [ ] Disclose purposes for processing
    • [ ] Disclose categories of personal data shared with third parties
    • [ ] Disclose how consumers can exercise rights
    • [ ] If selling data, disclose categories sold
    • [ ] If processing/selling sensitive data, include verbatim notice
    • [ ] If selling biometric data, include verbatim notice
    • [ ] Disclose recognition of universal opt-out mechanisms (GPC)
  • [ ] Post privacy notice on website (footer link)
  • [ ] Ensure notice is accessible (clear language, mobile-friendly)

Phase 3: Implement Consumer Rights Infrastructure (Weeks 3-4)

  • [ ] Build consumer request portal or email system
    • [ ] Consumers can submit requests to know, access, correct, delete, opt-out
    • [ ] Authenticate consumer identity (email confirmation or account login)
    • [ ] Respond within 45 days
  • [ ] Create intake form for consumer requests
    • [ ] Fields: name, email, type of request, verification method
  • [ ] Document request handling process
    • [ ] Workflow: receive → verify → process → respond → log
    • [ ] Assign responsible team members
    • [ ] Set calendar reminders (45-day deadline)

Phase 4: Implement Opt-Out Mechanisms (Week 5)

  • [ ] If selling data, create "Do Not Sell" link (website footer)
  • [ ] Implement opt-out functionality
    • [ ] Stop selling consumer's data to third parties
    • [ ] Update third-party contracts to honor opt-outs
    • [ ] Respect opt-out for at least 12 months
  • [ ] Implement GPC support (by Jan 1, 2025)
    • [ ] Detect Sec-GPC: 1 HTTP header or navigator.globalPrivacyControl
    • [ ] Automatically apply opt-out for GPC users
    • [ ] Test with GPC-enabled browser

Phase 5: Conduct Data Protection Assessments (Weeks 6-8)

  • [ ] Identify processing activities requiring DPAs
    • [ ] Targeted advertising?
    • [ ] Sale of personal data?
    • [ ] Profiling for legal/significant decisions?
    • [ ] Processing sensitive data?
  • [ ] Conduct DPAs (use template above)
    • [ ] Weigh benefits vs. risks
    • [ ] Document safeguards
    • [ ] Conclude whether to proceed/modify/discontinue
  • [ ] Retain DPAs for 3+ years

Phase 6: Update Vendor Contracts (Weeks 9-10)

  • [ ] Review all vendor agreements (processors, third parties)
  • [ ] Add data processing clauses for processors:
    • [ ] Process only on your instructions
    • [ ] Implement security measures
    • [ ] Assist with consumer requests
    • [ ] Delete/return data when services end
    • [ ] Prohibit selling or using data for processor's own purposes
  • [ ] Update third-party contracts (if selling/sharing data)
    • [ ] Require third parties to honor opt-outs
    • [ ] Prohibit further selling without consent

Phase 7: Implement Security Measures (Ongoing)

  • [ ] Encrypt data at rest (AES-256) and in transit (TLS, not legacy SSL)
  • [ ] Implement access controls (role-based, least privilege)
  • [ ] Enable multi-factor authentication (MFA) for employee access
  • [ ] Conduct security testing (quarterly vulnerability scans, annual penetration test)
  • [ ] Create incident response plan (data breach procedures)
  • [ ] Train employees on data security and privacy (annual training)

Phase 8: Monitor and Maintain Compliance (Ongoing)

  • [ ] Track employee count (quarterly) so you know whether you are below or above the 500-employee threshold
  • [ ] Review and update privacy notice (annually or when practices change)
  • [ ] Review and update DPAs (annually)
  • [ ] Monitor consumer requests (track volume, types, response times)
  • [ ] Monitor regulatory updates (Texas AG guidance, case law)
  • [ ] Conduct annual compliance audit

Common Mistakes

Avoid these common TDPSA compliance mistakes:

1. Assuming Small Business Exemption Applies When Selling Sensitive Data

Mistake: "We only have 50 employees, so TDPSA doesn't apply to us."

Reality: If you sell sensitive personal data (health, biometric, geolocation, etc.), you must obtain consumer consent even if you're a small business.

Fix: Audit your data sales. If you sell sensitive data, implement consent mechanisms immediately.

2. Ignoring GPC Signals

Mistake: "GPC is too complicated to implement. We'll just ignore it."

Reality: As of January 1, 2025, ignoring GPC is a violation of TDPSA. Penalties up to $7,500 per consumer affected.

Fix: Implement GPC support before January 1, 2025. Use a consent management platform (CMP) if you lack technical resources.

3. Using Dark Patterns in Opt-Out Flows

Mistake: Making opt-out difficult (10 clicks, confusing language, hidden links) to reduce opt-out rates.

Reality: Dark patterns are prohibited, and using them is a per se violation to which the cure period offers no defense.

Fix: User-test your opt-out flow. It should be as easy to opt out as it is to opt in (1-2 clicks maximum).

4. Failing to Update Vendor Contracts

Mistake: Assuming your vendors are TDPSA-compliant without verification.

Reality: You're liable for vendor violations. If your processor sells consumer data without authorization, you're responsible.

Fix: Review all vendor contracts. Add data processing clauses (template above). Request vendor certifications of TDPSA compliance.

5. Not Conducting DPAs

Mistake: "DPAs are just paperwork. We'll skip them."

Reality: DPAs are required for high-risk processing (targeted advertising, sale of data, profiling, sensitive data). Texas AG may request them during investigations.

Fix: Conduct DPAs for all required processing activities. Use the template above. Retain for 3+ years.

6. Charging Fees for Consumer Requests

Mistake: Charging consumers $10 to access their data (to reduce request volume).

Reality: TDPSA requires you to respond to consumer requests free of charge (up to 2 requests per year). Charging fees is a violation.

Fix: Respond to the first 2 requests per consumer per year for free. Only charge for manifestly excessive requests (e.g., 10+ per year).

7. Missing 45-Day Deadline

Mistake: Taking 60-90 days to respond to consumer requests (treating as low priority).

Reality: TDPSA requires responses within 45 days (with one 45-day extension if needed). Missing the deadline is a violation.

Fix: Set calendar reminders. Assign responsible team members. Log all requests in a tracking system.


TDPSA vs CCPA vs GDPR

How does TDPSA compare to other major privacy laws?

| Aspect | TDPSA (Texas) | CCPA/CPRA (California) | GDPR (EU) |
|---|---|---|---|
| Effective Date | July 1, 2024 | Jan 1, 2020 (CCPA) / Jan 1, 2023 (CPRA) | May 25, 2018 |
| Geographic Scope | Texas residents | California residents | EU residents (worldwide reach) |
| Applicability Threshold | Nearly all businesses (no revenue/data thresholds) | $26.6M revenue OR 100K consumers OR 50% revenue from selling data | Any business processing EU data |
| Small Business Exemption | Yes (<500 employees, unless selling sensitive data) | No | No (but data protection officer not required) |
| Consumer Rights | 5 rights (know, access, correct, delete, opt-out) | 8 rights (+ limit SPI, opt-in for minors, portability) | 8 rights (+ restrict processing, object, withdraw consent) |
| Opt-In vs Opt-Out | Opt-out (can process unless consumer opts out) | Opt-out (but opt-in for minors under 16) | Opt-in (need legal basis before processing) |
| Consent for Sensitive Data | Required for small businesses selling sensitive data | Not required (opt-out model) | Required (opt-in model) |
| Universal Opt-Out (GPC) | Yes (Jan 1, 2025) | Yes (Jan 1, 2023) | No (but similar concept: consent signals) |
| Penalties | Up to $7,500 per violation | Up to $7,988 per intentional violation | Up to €20M or 4% global revenue |
| Cure Period | 30 days (never sunsets) | No cure period | No cure period |
| Private Right of Action | No | Yes (data breaches only) | Varies by EU member state |
| Enforcement | Texas Attorney General | California Privacy Protection Agency + AG | Data Protection Authorities (EU) |
| Data Protection Assessments | Yes (for high-risk processing) | Yes (for high-risk processing) | Yes (Data Protection Impact Assessments) |
| Dark Patterns | Prohibited | Prohibited | Not explicitly mentioned (but consent must be freely given) |

Multi-State Compliance Strategy

If you operate in multiple states, you likely need to comply with multiple privacy laws (TDPSA, CCPA, Virginia CDPA, Colorado CPA, Connecticut CTDPA, etc.).

Two approaches:

1. State-by-state compliance

  • Implement different privacy practices for each state
  • Geofence privacy notices and rights based on consumer location
  • Pros: Minimize compliance costs (only comply where required)
  • Cons: Complex, error-prone, poor user experience

2. Harmonized compliance (recommended)

  • Comply with the strictest privacy law across all states
  • Provide the most rights to all consumers (not just where required)
  • Pros: Simple, consistent, good user experience, future-proof
  • Cons: Higher compliance costs

Most startups choose harmonized compliance. Key principle: Comply with GDPR (strictest law) and you'll satisfy most other laws, including TDPSA.

Example harmonized approach:

  • Privacy notice: Comply with GDPR (most detailed)
  • Consumer rights: Provide all GDPR + CCPA + TDPSA rights to all consumers
  • Opt-out mechanisms: Implement GPC (satisfies TDPSA, CCPA, Colorado, Connecticut)
  • DPAs: Conduct GDPR-style Data Protection Impact Assessments (satisfies TDPSA DPA requirement)
  • Security: Implement GDPR-level security (satisfies TDPSA, CCPA, all other laws)

FAQ

1. Does TDPSA apply to my startup if I'm not based in Texas?

Yes, if you conduct business in Texas or produce products/services consumed by Texas residents. TDPSA has extraterritorial reach (like GDPR and CCPA).

Example: California-based SaaS company with 1,000 Texas customers → TDPSA applies (unless small business exemption).

2. How do I know if I qualify as a small business?

Check the SBA Size Standards. Generally, fewer than 500 employees.

Count:

  • Full-time + part-time employees
  • Contractors (if treated as employees for tax purposes)
  • Employees at all locations (parent + subsidiaries)

Important: If you sell sensitive data, the small business exemption does not apply (consent required).

3. What counts as "selling" personal data?

Selling = Exchanging personal data for monetary or other valuable consideration.

Examples of sales:

  • Selling customer lists to data brokers for $10,000
  • Sharing email addresses with advertising partners who pay per lead
  • Providing user data to third parties who use it for their own purposes

Not sales:

  • Sharing with service providers/processors (who work on your behalf)
  • Disclosures to affiliates (within same corporate family)
  • Data shared with consumer consent
  • Data needed to complete transactions

Gray area: Facebook Pixel, Google Analytics, retargeting pixels. Under CCPA, these may be considered "sharing" for targeted advertising (which requires an opt-out). TDPSA may treat them similarly.

4. Do I need a Data Protection Officer (DPO)?

TDPSA does not require a Data Protection Officer (unlike GDPR).

However, you should designate a privacy contact (privacy officer, legal counsel, or founder) responsible for:

  • Handling consumer requests
  • Updating privacy notices
  • Conducting DPAs
  • Managing vendor contracts
  • Responding to Texas AG inquiries

List this contact in your privacy notice.

5. What is the difference between a processor and a third party?

Processor (also called "service provider"):

  • Processes data on your behalf and on your instructions
  • Example: AWS (hosting), Stripe (payment processing), SendGrid (email delivery)
  • Relationship: Vendor working for you (you control purposes/means of processing)
  • Contract: Data processing agreement required

Third party:

  • Processes data for their own purposes (not on your behalf)
  • Example: Facebook (where you share customer emails for ad targeting), data brokers
  • Relationship: Independent controller (they control purposes/means of processing)
  • Disclosure: Must disclose in privacy notice and allow opt-out

Key test: Who decides why and how to process the data?

  • If you decide → processor
  • If they decide → third party

6. How do I respond to a consumer deletion request if I need the data for tax purposes?

You may refuse deletion if necessary for:

  • Complying with legal obligations (e.g., IRS requires 7-year retention of tax records)
  • Completing a transaction or service the consumer requested
  • Detecting fraud or security incidents

Response to consumer:

"We have deleted your personal data from our active systems. However, we are retaining your transaction history for 7 years to comply with federal tax law (IRS requirements). This data will be securely stored and will not be used for any other purpose. It will be automatically deleted after 7 years."

7. Can I charge consumers to exercise their rights?

No, you must respond to consumer requests free of charge for up to 2 requests per consumer per year.

Exception: You may charge a reasonable fee or refuse requests that are:

  • Manifestly unfounded or excessive (e.g., consumer submits 10 access requests per month)
  • Repetitive (e.g., identical request within 6 months)

If charging a fee, you must explain why the request is excessive.

8. What happens if I don't comply with TDPSA?

  1. Texas AG investigation: Consumer complaint or AG proactive investigation
  2. Notice of violation: AG notifies you of alleged violation
  3. 30-day cure period: You have 30 days to cure and certify compliance
  4. Enforcement action: If not cured, AG can bring enforcement action
  5. Penalties: Up to $7,500 per violation
  6. Public enforcement action: Reputational harm, negative press

Note: Unlike CCPA, there is no private right of action (consumers cannot sue directly). Only the Texas AG can enforce TDPSA.


Need Help with TDPSA Compliance?

TDPSA compliance doesn't have to be overwhelming. Whether you're a small startup leveraging the small business exemption or a growing company navigating full compliance, we can help.

Schedule a Consultation to discuss:

  • Whether TDPSA applies to your business
  • Small business exemption analysis
  • Privacy notice drafting and review
  • Consumer rights infrastructure implementation
  • GPC technical implementation
  • Data protection assessments
  • Vendor contract updates
  • Multi-state privacy compliance strategy

Promise Legal helps startups navigate TDPSA and other privacy laws with practical, cost-effective solutions.
