
Texas Data Privacy and Security Act

After years of watching other states enact privacy legislation, Texas has finally joined the movement with its own approach. The Texas Data Privacy and Security Act (TDPSA), signed into law in June 2024, takes effect July 1, 2025. Unlike the complex patchwork of requirements we've seen elsewhere, Texas crafted legislation that acknowledges the reality of running a business while still protecting consumer privacy.

If your business processes personal data of Texas residents, you have less than six months to prepare. The clock is ticking, but the good news is that TDPSA offers clearer guidance and more reasonable compliance pathways than many other state laws.

Introduction: Texas Takes a Business-First Approach

TDPSA represents a pragmatic middle ground in the privacy law landscape. While states like California created expansive regulations that often feel punitive toward businesses, Texas designed its law with input from the business community. The result is legislation that protects consumers without creating impossible compliance burdens.

The law officially takes effect July 1, 2025, with enforcement beginning January 1, 2026. This six-month grace period isn't an accident—it gives businesses time to implement necessary changes and demonstrates Texas's commitment to reasonable implementation timelines.

Unlike some state laws that seem designed to generate lawsuits, TDPSA focuses on actual privacy protection. There's no private right of action, meaning consumers can't sue you directly for violations. Only the Texas Attorney General can enforce the law, and they must give you 30 days to cure violations before taking action.

Who Must Comply: Understanding the Thresholds

TDPSA uses a two-pronged test to determine which businesses must comply. Your business falls under the law if you conduct business in Texas and meet either threshold:

Revenue threshold: Annual revenues of $25 million or more

Data processing threshold: Process personal data of 100,000 or more consumers annually, OR process personal data of 25,000 or more consumers while deriving over 50% of gross revenue from selling personal data

These thresholds are more reasonable than many other states. California's CCPA, for comparison, kicks in at just $25 million in revenue with much lower data processing requirements.

Common business types that typically need to comply include e-commerce retailers with significant Texas customer bases, SaaS companies processing substantial user data, healthcare organizations, financial services firms, and marketing agencies handling large datasets.

The law includes several important exemptions. Small businesses under the thresholds are exempt, as are certain regulated entities like banks and healthcare providers already subject to federal privacy requirements under HIPAA or GLBA.

Consumer Rights Under TDPSA

TDPSA grants Texas consumers six core rights regarding their personal data. Your business must be prepared to honor these rights through verifiable consumer requests:

Right to know: Consumers can request information about what personal data you collect, how you use it, and who you share it with.

Right to access: Consumers can request copies of the specific personal data you maintain about them.

Right to delete: Consumers can request deletion of their personal data, subject to certain business and legal exceptions.

Right to correct: Consumers can request correction of inaccurate personal data you maintain about them.

Right to data portability: Consumers can request their personal data in a portable, readable format.

Right to opt-out: Consumers can opt out of the sale of their personal data and certain types of targeted advertising.

You have 45 days to respond to consumer requests, with a possible 45-day extension if needed. The law requires you to provide at least two methods for submitting requests, and you cannot charge fees for processing most requests.

Business Obligations: What You Must Do

Beyond responding to consumer requests, TDPSA creates several ongoing obligations for your business. These requirements focus on transparency and responsible data handling rather than prescriptive technical mandates.

Your privacy policy must clearly describe what personal data you collect, your purposes for processing it, the categories of third parties you share it with, and how consumers can exercise their rights. The policy must be reasonably accessible and written in plain language.

You must limit your data collection and processing to what's reasonably necessary for your disclosed purposes. This "data minimization" principle prevents the hoarding of unnecessary personal information.

When working with service providers who process personal data on your behalf, you need written contracts that restrict how they can use the data and require them to assist with consumer requests and security measures.

The law also requires reasonable security measures appropriate to the volume and nature of personal data you process. While it doesn't mandate specific technologies, you need documented practices that protect against unauthorized access, destruction, or modification of personal data.

How TDPSA Differs from Other State Laws

TDPSA's business-friendly approach creates meaningful differences from other state privacy laws. Most notably, the compliance thresholds are more reasonable, and the law includes more practical exceptions for legitimate business needs.

Unlike California's CCPA, TDPSA doesn't create a broad "sale" definition that captures most data sharing arrangements. The Texas law focuses on actual commercial transactions involving personal data, not routine business relationships with service providers.

The enforcement mechanism is also more balanced. While California allows consumer lawsuits for data breaches and creates significant financial penalties, Texas focuses on Attorney General enforcement with mandatory cure periods. This approach encourages compliance rather than punishment.

TDPSA also provides clearer guidance on key concepts like "personal data" and "processing," reducing the legal ambiguity that has plagued businesses trying to comply with other state laws.

For businesses already complying with other state privacy laws, TDPSA generally won't require wholesale changes to your privacy program. However, you'll need to review specific requirements around consumer request processes and privacy policy disclosures to ensure full compliance.

Compliance Roadmap: Your Next Steps

With less than six months until TDPSA takes effect, you need a focused compliance plan. Start with these priority actions:

Immediate actions (complete by March 2025): Determine if your business meets the compliance thresholds. Conduct a data inventory to understand what personal data you collect and process. Review your current privacy policy against TDPSA requirements.

Implementation phase (March-June 2025): Update your privacy policy to include required TDPSA disclosures. Establish processes for receiving and responding to consumer requests. Review and update contracts with service providers who process personal data on your behalf. Implement reasonable security measures for personal data protection.

Final preparation (June 2025): Train relevant staff on TDPSA requirements and your new processes. Test your consumer request system to ensure it works properly. Document your compliance efforts for potential regulatory inquiries.

Don't wait until the last minute. Privacy compliance isn't something you can implement overnight, and rushing through the process increases the risk of gaps that could create problems later.

The Texas Data Privacy and Security Act represents a reasonable approach to consumer privacy protection, but compliance still requires careful planning and implementation. Your business needs to start preparing now to meet the July 2025 deadline.

Ready to ensure your business complies with TDPSA? Contact North Privacy Advisors today for a free privacy assessment. We'll review your current practices, identify compliance gaps, and provide a clear roadmap for meeting Texas's new privacy requirements. Don't let privacy compliance become a business risk—let's build a plan that protects both your customers and your company.
