Overview
The Texas Data Privacy and Security Act (TDPSA) is significant as it applies to the second most populous U.S. state and uniquely has no revenue threshold, potentially affecting small businesses that process sufficient consumer data.
Full Name and Description
Texas Data Privacy and Security Act (TDPSA): Also known as HB 4, the TDPSA was signed into law on June 18, 2023, and becomes effective July 1, 2024. It provides comprehensive data protection rights to Texas consumers while establishing obligations for businesses processing their personal data.
Enforcement Date
- Effective Date: July 1, 2024
- Cure Period: 30 days (no sunset provision currently specified)
Governing Body
- Texas Attorney General: Exclusive enforcement authority
- Consumer Protection Division: Primary enforcement unit
- No Private Right of Action: Consumers cannot sue directly
Primary Purpose
The TDPSA aims to:
- Extend comprehensive privacy protections to Texas's 30+ million residents
- Establish clear data processing and consent requirements
- Require data protection assessments for high-risk processing
- Create accountability for businesses handling Texan consumer data
Applicability
Who Needs to Comply?
The TDPSA applies to persons that:
- Conduct business in Texas or produce products or services consumed by Texas residents, AND
- Process or engage in the sale of personal data, AND
- Are not a "small business" as defined by the U.S. Small Business Administration (SBA)

A small business is nevertheless covered if it:
- Sells sensitive personal data, OR
- Does not comply with federal small business data security requirements
No Revenue Threshold - Key Difference
Unlike California ($25M), Utah ($25M), and others, Texas has no explicit revenue threshold. The small business exemption instead references SBA size standards, which vary by industry (typically based on employee count or annual revenue, depending on the NAICS code).
Key Exemptions
Entity-Level Exemptions:
- State agencies and political subdivisions
- Financial institutions subject to GLBA
- HIPAA-covered entities
- Nonprofit organizations
- Higher education institutions
- Electric utilities (with specific provisions)
Data-Level Exemptions:
- Employee and B2B data (processing in employment/commercial context)
- Data subject to HIPAA, GLBA, FCRA, DPPA
- Data processed for public health, safety, or life protection
- Data processed for legal claims or professional services
What the TDPSA Governs
Types of Data Covered
Personal Data - Information linked or reasonably linkable to an identified or identifiable individual.
Sensitive Data (requires opt-in consent):
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Genetic data processed for identification
- Biometric data processed for identification
- Personal data of a known child
- Precise geolocation data
Consumer Rights Under TDPSA
Texas residents have five core rights:
- Right to Access: Confirm whether a controller processes their data and access it
- Right to Correct: Request correction of inaccurate personal data
- Right to Delete: Request deletion of personal data
- Right to Portability: Obtain data in a portable, usable format
- Right to Opt-Out: Decline any of the following:
  - Sale of personal data
  - Targeted advertising
  - Profiling for decisions producing legal or similarly significant effects
Definition of "Sale"
Texas defines "sale" broadly as the exchange of personal data for monetary or other valuable consideration. This may capture data-sharing arrangements that do not involve direct payment.
Compliance Requirements
Key Obligations for Controllers
1. Privacy Notice Requirements
Controllers must provide reasonably accessible privacy notices that include:
- Categories of personal data processed
- Purpose of processing
- How to exercise consumer rights
- Categories of data shared with third parties
- Categories of third parties receiving data
- Description of opt-out procedures
2. Data Minimization and Purpose Limitation
- Limit collection to what is adequate, relevant, and reasonably necessary
- Process only for disclosed purposes or compatible purposes
- Do not process for incompatible purposes without consent
3. Security Requirements
- Implement reasonable administrative, technical, and physical security practices
- Practices must be appropriate to volume and sensitivity of data
4. Consumer Request Handling
| Requirement | Timeframe |
|---|---|
| Initial Response | 45 days |
| Extension (reasonably necessary) | Additional 45 days |
| Notice of Extension | Within initial 45 days |
| Cost | Free (1 request per year guaranteed) |
5. Appeals Process
Controllers must:
- Establish an internal appeals mechanism
- Inform consumers how to submit appeals
- Respond to appeals within 60 days
- Provide explanation for denials
- Inform consumers how to file complaints with AG
Data Protection Assessments
Required for:
- Processing for targeted advertising
- Sale of personal data
- Processing for profiling with significant effects
- Processing sensitive data
- Any processing with heightened risk of harm
Assessment must include:
- Benefits of processing to controller, consumer, and public
- Potential risks to consumers
- Whether risks are mitigated by safeguards
- Consideration of de-identification and consumer expectations
Controller-Processor Contracts
Data processing agreements must specify:
- Clear instructions for processing
- Nature and purpose of processing
- Type of data being processed
- Duration of processing
- Rights and obligations of each party
Small Business Provisions
The SBA Definition Complication
Texas's use of SBA definitions for "small business" creates complexity:
| Industry | SBA Small Business Standard |
|---|---|
| Retail | Under $8M to $41.5M annual revenue (varies by NAICS code) |
| Professional Services | Under $8M to $41.5M annual revenue (varies by NAICS code) |
| Software Publishers | Under $41.5M annual revenue |
| Data Processing | Under $35M annual revenue |
| Web Publishers | Fewer than 1,000 employees |
Check the SBA Size Standards Table for your specific NAICS code.
Small Business Obligations
Even small businesses must comply if they:
- Sell sensitive personal data to third parties
- Fail to comply with FTC data security guidelines
Implications
A small business selling email lists or providing data to advertising partners may lose its exemption, even without meeting traditional revenue thresholds.
Consequences of Non-Compliance
Enforcement Process
- Notice of Violation: AG provides written notice of alleged violation
- Cure Period: 30 days to cure the violation
- Enforcement: Civil action if not cured
Penalties and Fines
- Up to $7,500 per violation
- Civil penalties for intentional violations
- Attorney fees and investigative costs
- Injunctive relief available
Cure Period
Texas provides a 30-day cure period with no specified sunset date, making it similar to Utah's permanent cure approach.
Why the TDPSA Exists
Historical Background
- 2023 Legislative Session: Texas legislature passes HB 4
- June 18, 2023: Governor Abbott signs TDPSA into law
- July 1, 2024: TDPSA takes effect
Scale and Impact
Texas is the second most populous state (29+ million residents), making the TDPSA one of the most impactful state privacy laws by population covered. Combined with no revenue threshold, this significantly expands the universe of affected businesses.
Distinctive Features
- No explicit revenue threshold: Unlike most states
- SBA small business definition: Industry-specific exemptions
- Sensitive data sale exception: Small businesses lose exemption if selling sensitive data
- 60-day appeal response: Extended timeline
- Large population coverage: 29+ million residents
Implementation & Best Practices
How to Become Compliant
Step 1: Exemption Analysis
- Determine your NAICS code
- Check SBA size standards for your industry
- Verify you don't sell sensitive data (which removes small business exemption)
- Document exemption determination if applicable
Step 2: Data Mapping
- Inventory personal data from Texas consumers
- Identify sensitive data categories
- Map processing purposes
- Document third-party sharing
Step 3: Privacy Notice Development
- Create comprehensive privacy notice with all required disclosures
- Include clear opt-out procedures
- Describe consumer rights and how to exercise them
Step 4: Consumer Rights Infrastructure
- Build request intake mechanisms
- Implement 45-day response workflow
- Create 60-day appeals process
- Train staff on procedures
Step 5: Data Protection Assessments
- Identify processing activities requiring data protection assessments
- Conduct assessments weighing benefits vs. risks
- Document mitigation strategies
- Maintain records for AG review
Step 6: Processor Agreements
- Update contracts with data processors
- Include required terms
- Establish processor oversight procedures
Special Considerations for Small Businesses
If you're near SBA thresholds:
- Monitor revenue/employee count against industry standards
- Avoid selling sensitive data to maintain exemption
- Implement basic FTC-recommended security practices
- Document compliance with federal small business security requirements
Ongoing Compliance Maintenance
- Annual Data Protection Assessment Reviews: Update risk assessments
- Consumer Request Tracking: Monitor response times and outcomes
- Privacy Notice Updates: Reflect processing changes
- SBA Threshold Monitoring: Verify continued small business status
- Staff Training: Keep team current on requirements
Additional Resources
Official Documentation
- Texas Data Privacy and Security Act (HB 4)
- Texas Attorney General Consumer Protection
- SBA Size Standards
Industry Guidance
- IAPP Texas Privacy Law Analysis
- Small Business Privacy Compliance Guide
- Multi-State Privacy Law Comparison
Related Regulations
- CCPA/CPRA Compliance Guide - California's privacy framework
- Virginia VCDPA Compliance - Virginia's privacy law
- Colorado CPA Compliance - Colorado's privacy law
- Utah UCPA Compliance - Utah's business-friendly approach
- FTC Safeguards Rule - Federal data security requirements
Conclusion
The Texas Data Privacy and Security Act is notable for its combination of broad population coverage and lack of explicit revenue thresholds. The reliance on SBA small business definitions creates complexity, as exemption status varies by industry.
Organizations should carefully analyze their industry classification and ensure they don't inadvertently lose small business exemption by selling sensitive data. For larger businesses, the TDPSA largely mirrors the Virginia model with data protection assessments and standard consumer rights frameworks.
With 29+ million Texas residents covered, this law significantly expands the reach of comprehensive U.S. state privacy regulation.