Texas Data Privacy and Security Act Compliance: What Your Organization Needs to Know
The Texas Data Privacy and Security Act (TDPSA) took effect on July 1, 2024 and is one of the broadest state-level privacy laws in the U.S. If your organization processes the personal data of Texas residents, you need a clear compliance roadmap, especially if you manage obligations across multiple entities or jurisdictions.
This guide breaks down who the TDPSA applies to, what it requires, how it compares to other state privacy laws, and the practical steps you need to take to operationalize compliance. Whether you're starting from scratch or extending an existing privacy program to cover Texas, you'll understand exactly where you stand.
Key Requirements of the Texas Data Privacy and Security Act
The TDPSA creates obligations across six critical areas. Here is what your privacy program needs to cover — broken down so you can share this directly with your team.
Broad Applicability
Who Does the TDPSA Apply To?
Any person conducting business in Texas or producing products and services consumed by Texas residents who processes or sells personal data. Unlike many state privacy laws, the TDPSA sets no revenue threshold and no minimum data processing volume.
This means the scope is significantly broader than CCPA/CPRA or the Virginia VCDPA. If your organization touches Texas consumer data in any meaningful way, assume you are in scope.
Key exemptions include:
- SBA-defined small businesses (with the caveat that they still need consent to sell sensitive data)
- Financial institutions subject to GLBA Title V (entity-level exemption)
- HIPAA-covered entities and business associates (entity-level exemption, not limited to PHI)
- Nonprofits and institutions of higher education
Source: Texas Business & Commerce Code, Chapter 541, effective July 1, 2024
Consumer Rights
Six Rights Your Organization Must Honor
Texas residents gain a comprehensive set of data rights that your organization must operationalize with documented workflows and a 45-day response window.
- Right to know and access personal data
- Right to correct inaccurate data
- Right to delete personal data
- Right to data portability
- Right to opt out of data sales, targeted advertising, and profiling
- Universal opt-out mechanism recognition (required since Jan 1, 2025)
The 45-day response window is extendable by an additional 45 days with consumer notice — but your team needs a system to track and document every request consistently.
Response timeline per TDPSA §541.101–.105
Controller Duties
What Controllers Must Do — Beyond a Privacy Policy Update
The TDPSA places significant operational requirements on data controllers that go well beyond updating your privacy notice.
- Data minimization — collect only what is adequate, relevant, and reasonably necessary
- Purpose limitation and reasonable security practices
- Explicit consent before processing sensitive data (biometrics, geolocation, children's data, health, race, religion)
- Data Protection Assessments for targeted advertising, data sales, profiling, and sensitive data processing
For multi-entity organizations, every subsidiary processing Texas residents' data needs its own documented assessments — this is where group-wide coordination becomes essential.
Assessment requirements per TDPSA §541.151–.153
Processor Requirements
Processor Obligations and Contractual Requirements
If your organization uses third-party processors, the TDPSA requires formal contractual agreements that mirror the GDPR Article 28 structure many European privacy teams already know.
- Processors must assist controllers in meeting their TDPSA obligations
- Contractual confidentiality requirements
- Deletion or return of data upon contract termination
- Cooperation with audits and compliance verification
Organizations managing dozens of vendor relationships need a systematic way to assess, document, and recertify processor compliance — spreadsheets break down quickly at scale.
Processor contract requirements per TDPSA §541.201
Enforcement
AG Enforcement with Real Teeth
The Texas Attorney General holds exclusive enforcement authority — there is no private right of action. But do not let that create false comfort. Texas has already demonstrated its willingness to pursue aggressive data privacy enforcement.
$1.4 billion
Texas settlement with Meta over biometric data collection, July 2024. That case was brought under Texas's Capture or Use of Biometric Identifier Act and Deceptive Trade Practices Act rather than the TDPSA, but it shows how aggressively the OAG pursues privacy enforcement.
- 30-day cure period after AG notification
- Civil penalties up to $7,500 per violation
- Injunctive relief and recovery of investigative costs
The 30-day cure period only helps organizations that can demonstrate an existing, functioning compliance program. If you receive a complaint and have nothing documented, you are starting from a fundamentally weaker position.
Enforcement provisions per TDPSA §541.251; Meta settlement per Texas OAG, July 2024
Sensitive Data
Sensitive Data Gets Its Own Rules
The TDPSA defines sensitive data broadly and requires explicit opt-in consent before processing. This is not a "notice and proceed" situation — your organization needs affirmative consent mechanisms in place.
TDPSA sensitive data categories include:
- Racial or ethnic origin
- Religious beliefs
- Health diagnosis or sex life data
- Biometric data for identification
- Precise geolocation data
- Data of a known child
- Citizenship or immigration status
Even SBA-defined small businesses — otherwise exempt from most TDPSA requirements — cannot sell sensitive data without explicit consent. The law draws a hard line here.
Sensitive data defined per TDPSA §541.001(29); small business exception per §541.002
Need to map these requirements across multiple entities and jurisdictions?
See How Priverion Handles Multi-Framework Compliance
200+ hours saved on ROPA management: Medtec redirected 200+ hours from manual ROPA updates to ISO 27001 preparation, completing certification three months ahead of schedule.
60% lower cost vs. legacy enterprise platforms: Aircraft manufacturer achieved full group-wide compliance at a fraction of OneTrust's pricing, with predictable costs based on entities rather than per-user expansion traps.
3 months ahead of schedule on ISO 27001: Medtec used Priverion's audit-ready evidence packages to compress ISO 27001 preparation, finishing a full quarter earlier than their original timeline.
Seven Steps to Operationalize TDPSA Compliance
Knowing the requirements is one thing. Building compliant workflows across your organization is another. Here is how privacy teams are turning TDPSA obligations into repeatable, auditable processes.
Step 1
Scope Your Texas Data Footprint
Identify every entity, business unit, and product that collects or processes personal data of Texas residents. For multi-entity organizations, this means mapping data flows across subsidiaries — not just at the parent level.
Priverion's cross-entity data mapping gives group-wide visibility into which entities are in scope, eliminating the guesswork that leads to compliance gaps.
Step 2
Update Your Privacy Notices
The TDPSA requires clear disclosure of data categories collected, processing purposes, consumer rights, and how to exercise them. If you already comply with CCPA or VCDPA, your notices likely need Texas-specific amendments rather than a full rewrite.
Review notice requirements against §541.051 to ensure you cover all mandated disclosures, including opt-out mechanisms for data sales and targeted advertising.
Step 3
Build Data Subject Request Workflows
Operationalize intake, identity verification, routing, fulfillment, and response tracking for all six consumer rights. The 45-day clock starts at receipt — not when someone on your team notices the email.
Priverion's DSR handling module tracks every request across entities with automated escalation, so nothing falls through the cracks during the statutory response period.
Step 4
Conduct Data Protection Assessments
The TDPSA mandates assessments for targeted advertising, data sales, profiling, and sensitive data processing. Each assessment must weigh benefits against potential risks to consumer rights — and must be documented for potential AG review.
Priverion's AI-assisted DPIA/TIA automation drafts assessments with risk scoring, while human reviewers retain final approval. Every assessment is stored as an audit-ready evidence package.
Step 5
Audit Your Vendor Contracts
Every processor relationship needs contractual terms covering data processing instructions, confidentiality, deletion obligations, and audit cooperation. Existing GDPR-style DPAs may cover most requirements, but review for Texas-specific gaps.
Priverion's vendor risk assessment module systematically evaluates every processor, flags contract gaps, and tracks recertification across your entire vendor portfolio.
Step 6
Implement Consent Mechanisms for Sensitive Data
If any entity in your group processes sensitive data categories — biometrics, health data, precise geolocation, children's data — you need affirmative opt-in consent mechanisms. This is not satisfied by a general privacy policy acknowledgment.
Map sensitive data categories across all entities using Priverion's cross-entity data mapping to identify where consent workflows are needed before enforcement action finds the gap first.
Step 7
Recognize Universal Opt-Out Mechanisms
Since January 1, 2025, the TDPSA requires controllers to honor browser-based universal opt-out signals such as Global Privacy Control as an opt-out of data sales and targeted advertising, provided the consumer affirmatively chose to send the signal rather than it being a default the browser ships with. This means your technology stack, not just your policies, must detect and act on these signals on every request.
Note: Priverion does not provide cookie consent management. If you need universal opt-out signal recognition at the browser level, pair Priverion with a dedicated consent management platform.
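Step 7 says the stack, not the policy, must respond to the signal. As an added example that is not code from this page or from Priverion, the following Node.js-style request handler treats the `Sec-GPC: 1` request header (the signal defined by the Global Privacy Control specification) as an opt-out of sale and targeted advertising, persists that choice in a cookie so it survives sessions where the header is absent, and serves the `/.well-known/gpc.json` declaration the specification defines. The cookie name `tx_opt_out` and the `handleRequest` wiring are assumptions for this example; the header-parsing rule (value must be exactly `1`) is from the GPC specification.

```javascript
// Added example, not code from the page or from Priverion: honoring the
// Global Privacy Control (GPC) signal in a Node.js request handler.
// Assumes headers arrive as a lowercase-keyed object, as node:http provides.
// OPT_OUT_COOKIE is a hypothetical cookie name chosen for this example.

const OPT_OUT_COOKIE = 'tx_opt_out';

// GPC is signalled by the request header "Sec-GPC" whose value must be
// exactly "1". "0", "true", an empty value or a missing header is no signal.
function hasGpcSignal(headers) {
  const raw = headers['sec-gpc'];
  if (raw === undefined || raw === null) return false;
  const value = Array.isArray(raw) ? raw[0] : String(raw);
  return value.trim() === '1';
}

// Minimal Cookie header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of String(cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// Per-request decision on whether sale / targeted-advertising integrations
// may run. A GPC signal is treated exactly like a consumer who clicked
// "opt out" through the site's own mechanism.
function optOutDecision(headers) {
  const gpc = hasGpcSignal(headers);
  const persisted = parseCookies(headers.cookie)[OPT_OUT_COOKIE] === '1';
  const optedOut = gpc || persisted;
  return {
    optedOut,
    source: gpc ? 'gpc-header' : persisted ? 'cookie' : 'none',
    allowTargetedAds: !optedOut,
    allowDataSale: !optedOut,
    // Persist an opt-out first seen via GPC so it still applies in a later
    // session where the browser does not send the header.
    setCookie: gpc && !persisted
      ? `${OPT_OUT_COOKIE}=1; Path=/; Max-Age=31536000; Secure; HttpOnly; SameSite=Lax`
      : null,
  };
}

// Body for GET /.well-known/gpc.json, which the GPC spec uses so a site can
// declare that it honors the signal. lastUpdate is an ISO date string.
function gpcWellKnown(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Client-side counterpart: browsers that implement GPC (Firefox, Brave) expose
// the same preference as navigator.globalPrivacyControl. Tag-loading scripts
// should check it before firing. `nav` is a parameter so this runs outside a
// browser too.
function clientHasGpc(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Example wiring: returns the response an http server would send.
function handleRequest(method, url, headers) {
  if (method === 'GET' && url === '/.well-known/gpc.json') {
    return {
      status: 200,
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify(gpcWellKnown('2025-01-01')),
    };
  }
  const decision = optOutDecision(headers);
  const respHeaders = { 'content-type': 'text/html' };
  if (decision.setCookie) respHeaders['set-cookie'] = decision.setCookie;
  // The page template uses decision.allowTargetedAds to decide whether to
  // emit ad-network and data-broker tags at all, rather than loading them
  // and hoping they self-suppress.
  const body = decision.allowTargetedAds
    ? '<html><!-- ad tags emitted --></html>'
    : '<html><!-- opted out: no sale/targeted-ad tags --></html>';
  return { status: 200, headers: respHeaders, body, decision };
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed sample requests for a quick local run.
  console.log(handleRequest('GET', '/', { 'sec-gpc': '1' }).decision);
  console.log(handleRequest('GET', '/', { cookie: 'tx_opt_out=1' }).decision);
  console.log(handleRequest('GET', '/', {}).decision);
}
```

The point of keying the decision off the request, rather than off a consent banner state, is that the signal arrives with every request from a GPC-enabled browser and must suppress third-party tags before they load; a cookie-consent platform that only reads `navigator.globalPrivacyControl` after the page has already fired its ad pixels does not satisfy the obligation.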
Managing these steps across multiple subsidiaries and jurisdictions?
See how Aircraft manufacturer operationalized group-wide compliance
How the TDPSA Compares to Other U.S. State Privacy Laws
If your organization already manages CCPA, VCDPA, or CPA compliance, understanding where the TDPSA aligns — and where it diverges — helps you avoid duplicating work while closing Texas-specific gaps.
| Requirement | TDPSA (Texas) | CCPA/CPRA (California) | VCDPA (Virginia) | CPA (Colorado) |
|---|---|---|---|---|
| Revenue/data threshold | None; any business processing TX residents' data, except SBA-defined small businesses | $25M+ annual revenue, or buys/sells/shares personal info of 100K+ consumers or households, or 50%+ revenue from selling/sharing personal info | 100K consumers, or 25K consumers + 50%+ revenue from data sales | 100K consumers, or 25K consumers + any revenue or discount from data sales |
| Sensitive data consent | Opt-in required | Right to limit use (opt-out style); opt-in to sale for consumers under 16 | Opt-in required | Opt-in required |
| Universal opt-out signal | Required (since Jan 1, 2025) | Required | Not required | Required (since July 1, 2024) |
| Data protection assessments | Required for targeted ads, data sales, profiling, sensitive data | Required (CPRA risk assessments) | Required | Required |
| Cure period | 30 days, no sunset | None (removed under CPRA, Jan 1, 2023) | 30 days, no sunset | 60 days (sunsetted Jan 1, 2025) |
| Enforcement | AG only, no private right of action | AG and California Privacy Protection Agency, plus limited private right of action for data breaches | AG only | AG and district attorneys |
| Max penalty per violation | $7,500 | $2,500; $7,500 if intentional or involving minors' data | $7,500 | $20,000 |
Sources: Texas Business & Commerce Code Ch. 541; California Civil Code §1798.100 et seq.; Virginia Code §59.1-575 et seq.; Colorado Rev. Stat. §6-1-1301 et seq.
Managing compliance across multiple state laws? Priverion's multi-framework approach lets you map overlapping requirements once — not separately for each jurisdiction.
See Multi-Framework Compliance in Action
Enterprise-grade compliance without enterprise complexity
Mid-market companies don't need 200 modules and a six-month implementation. They need a platform that works from week one — with pricing that doesn't punish growth.
Priverion
Swiss data sovereignty, guaranteed
Built and hosted entirely in Switzerland. All data processing stays within Swiss infrastructure — not just a European availability zone you have to request. In a post-Schrems II world, this isn't a preference. It's a legal safeguard.
Operational in weeks, not quarters
No implementation consultants. No six-month onboarding. Aircraft manufacturer went from kickoff to fully automated ROPA recertification in their first six months — and most of that time was spent customizing, not configuring.
Based on Aircraft manufacturer onboarding timeline
Pricing that makes sense
Based on number of companies and organizational size — not per-user seats or per-module add-ons. Add team members, expand to new subsidiaries, and your bill stays predictable. No procurement ambush at renewal.
All-in-one privacy platform
ROPA, DPIA/TIA, vendor risk, incident management, DSR handling, data mapping, AI Register — all in one platform. No bolting together five different products from the same vendor.
AI that assists, never decides
AI-assisted DPIA drafting, risk scoring, and regulatory mapping — all processed within Swiss infrastructure. Every AI output is reviewed by a human before becoming a compliance record. No customer data is used for model training.
Typical enterprise platforms
Data residency as an add-on
Most enterprise platforms are US-headquartered with US-default hosting. European data residency — if available — is an upgrade, a separate contract, or a best-effort promise. Your legal team gets to parse the distinction between "hosted in EU" and "processed in EU."
Months before you see value
Enterprise platforms often require dedicated implementation teams, professional services engagements, and 3-6 month timelines before your first workflow goes live. That's time your DPO spends in project meetings instead of doing privacy work.
Pricing designed for expansion
Per-user seats, per-module licensing, and annual true-ups mean your costs grow unpredictably. Add five users to handle a new subsidiary and your CFO gets a surprise invoice. The pricing model rewards vendor lock-in, not customer success.
Modules sold separately
Need vendor risk and DPIA together? That's two modules. Want incident management? Another module. Cookie consent? Another. What starts as a privacy tool becomes a sprawling platform covering ESG, ethics, and GRC — with complexity to match.
AI as a black box
Many platforms market "AI-powered" compliance without clarity on where data is processed, whether outputs are editable before they hit the record, or how models are trained. When your regulator asks how a risk score was generated, "the AI decided" isn't an answer.
Honest note: We don't cover ESG, ethics hotlines, or cookie consent. If you need those, we're not the right fit. But if you need group-wide privacy program management that works — we should talk.
Frequently Asked Questions About TDPSA Compliance
Does the TDPSA apply to companies outside of Texas?
Yes. The TDPSA applies to any person conducting business in Texas or producing products and services consumed by Texas residents. There is no requirement to be physically located in Texas.