The TDPSA: A New Sheriff in Town for Texas Data Controllers and Processors

The TDPSA outlines consumer rights, duties of controllers and processors and prohibitions on such parties, and enforcement related to the treatment of personal and sensitive data. Personal data is any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual, but does not include deidentified data or publicly available information.³ Sensitive data is a category of personal data that includes data revealing:

• Race;
• Ethnicity;
• Religious beliefs;
• Mental or physical health diagnosis;
• Sexuality;
• Citizenship or immigration status;
• Genetic or biometric data processed for the purpose of identification;
• Personal data from a known child;⁴ or
• Precise geolocation data.⁵

Although the TDPSA covers broad categories of data, it also explicitly excludes several categories, including:

• A variety of healthcare-related data, including health records, patient identifying information, and other information subject to HIPAA;
• Data covered by the Fair Credit Reporting Act, Driver’s Privacy Protection Act of 1995, and the Farm Credit Act of 1971;
• Data processed or maintained in the course of an individual’s applying for employment by, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent such data is collected and used within the context of that role;
• Necessary data that is processed or maintained to administer benefits to an employee or independent contractor that falls under the exemption described above and is used for the purpose of administering those benefits;
• Data processed or maintained as emergency contact information used for emergency contact purposes; and
• Data processed in the course of purely personal or household activities.⁶

The TDPSA also includes various customary exceptions. For example, the TDPSA does not restrict an entity’s ability to comply with laws, investigate legal claims, or respond to security incidents.⁷

Compliance Checklist

It is important for organizations operating in Texas or selling products or services to Texas residents to realize that achieving compliance with the TDPSA may be costly and time intensive. Organizations that fall within the Act’s scope should work quickly to finalize compliance in light of the July 1, 2024 effective date.

The following checklist provides a helpful starting place for covered organizations seeking to tie up loose ends:

1. Consider Completing a Data Inventory. A privacy audit allows a company to review its handling of personal or business-critical information, including what data is collected, how it is processed, and the security measures in place to protect it. Audits allow companies to understand deficiencies, such as a failure to capture necessary consents.
2. Conduct a Data Protection Assessment. The TDPSA requires a data protection assessment before data is processed for the purposes of targeted advertising, sold, or subject to a processing activity that presents a heightened risk of harm to consumers.⁸ Processing sensitive data also necessitates a data protection assessment. A single data protection assessment can be used across a set of similar processing activities, and an assessment produced to follow a different jurisdiction’s laws may fulfill this requirement if the assessment has a reasonably comparable scope and effect.
3. Segregate Sensitive Data. A covered organization must obtain consent before processing certain “sensitive” data.⁹ Separating the sensitive data from other personal data will assist in meeting TDPSA requirements.
4. Update Privacy Policies. The TDPSA imposes notice requirements, including notice of categories of personal data processed by the controller, the purpose for processing the data, how consumers can exercise their rights, any categories of personal data shared with third parties, categories of third parties with whom the controller shares personal data, notice of potential sale of personal data, and notice of potential sale of biometric personal data.¹⁰ If a controller sells personal data to third parties or processes personal data for targeted advertising, it must also disclose the process and manner in which a consumer may opt out.¹¹ Companies should confirm that privacy policies, statements and other notices meet these requirements.

5. Develop Systems to Cooperate with Consumers Exercising Their Rights. Consumers have certain rights under the TDPSA.¹² Controllers must establish two or more methods for customers to submit a request to exercise their rights,¹³ which may include methods such as offering a form on your website, providing an email address to submit requests to, and/or adding a consent banner to your website. Companies should also prepare to get consent from consumers before processing sensitive data — and in the case of a sale of sensitive data, even small businesses that are otherwise outside the scope of the TDPSA must get consent. In creating consent systems, companies should ensure that their interfaces do not include dark patterns, meaning user interfaces designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice.

6. Update Contracts Governing Sharing of Data with Third-Party Processors. Controllers must contract with processors of data, and the contracts must include certain terms.¹⁴ Companies should review contracts between controllers and processors, such as services or licensing agreements, to ensure that they include the required terms, and amend the contracts as needed. Companies should also discuss data treatment with vendors and service providers to determine whether they need processing agreements with those entities — such a determination will likely depend on whether the vendor or service provider qualifies as a controller.

7. Bolster Security Measures. In our present landscape, cybersecurity should remain top of mind for all businesses. The TDPSA imposes a duty to take reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of certain personal data. Common cybersecurity measures like encryption and limited access can help companies keep consumer data secure.

V&E assists clients in identifying, managing, and mitigating cybersecurity and data privacy risks, from early planning and assessment to drafting and revising policies and notices to comply with applicable laws, including the TDPSA, and managing incident response and resulting investigations and litigation.

¹ Tex. Bus. & Com. Code § 541.002. “Small business” is as defined by the United States Small Business Administration, except as otherwise noted. Small businesses still may not engage in the sale of sensitive personal data without receiving prior consent from the consumer. Tex. Bus. & Com. Code §§ 541.107.002; 541.107.

² Tex. Bus. & Com. Code § 541.002.

³ Tex. Bus. & Com. Code § 541.001(19).

⁴ A known child is a child under circumstances where a controller has actual knowledge of, or willfully disregards, the child’s age. Tex. Bus. & Com. Code § 541.001(17).

⁵ Tex. Bus. & Com. Code § 541.002(29).

⁶ Tex. Bus. & Com. Code §§ 541.003; 541.004.

⁷ Tex. Bus. & Com. Code §§ 541.201; 541.202.

⁸ Tex. Bus. & Com. Code § 541.105.

⁹ Tex. Bus. & Com. Code § 541.101(b)(4).

¹⁰ Tex. Bus. & Com. Code § 541.102.

¹¹ Tex. Bus. & Com. Code § 541.103.

¹² Tex. Bus. & Com. Code § 541.051.

¹³ Tex. Bus. & Com. Code § 541.055.

¹⁴ Tex. Bus. & Com. Code § 541.104(b).