TDPSA 2025: Texas Data Privacy Law Explained for Businesses & Consumers

Understand the Texas Data Privacy and Security Act (TDPSA), consumer rights, and 2025 compliance requirements for businesses.


Henna

✅ What is the Texas Data Privacy and Security Act (TDPSA)?
The Texas Data Privacy and Security Act (TDPSA) is a state law that protects the personal data of Texas residents by regulating how businesses collect, use, and store consumer information. Signed into law in 2023, it took effect on July 1, 2024, with additional provisions, including the universal opt-out, going into effect on January 1, 2025.

Texas joins states like California, Virginia, and Colorado in implementing comprehensive privacy laws.

TDPSA grants consumers rights over their data and holds businesses accountable through transparency, security standards, and meaningful penalties.

πŸ” Who Must Comply with the TDPSA?
The TDPSA applies to entities that:

– Conduct business in Texas or target Texas residents,

– Process or sell personal data, and

– Are not classified as “small businesses” under SBA standards (unless they sell sensitive data).

Exemptions: State agencies, nonprofits, higher education institutions, and entities governed by federal data laws like HIPAA are exempt, except when selling sensitive data.

πŸ” Key Consumer Rights Under the TDPSA

Texas residents gain the following rights:

– Right to Access: View what personal data a business holds.

– Right to Correct: Fix inaccurate or outdated information.

– Right to Delete: Request deletion of personal data.

– Right to Data Portability: Obtain a copy in usable format.

– Right to Opt-Out of:
– Targeted advertising

– Sale of personal data

– Automated profiling

Starting Jan 1, 2025: Businesses must honor a universal opt-out mechanism (like browser signals).

🔒 Business Obligations Under the TDPSA
To comply, organizations must:

– Update Privacy Notices to clearly list:

  – Categories of data collected

  – Processing purposes

  – Consumer rights and how to exercise them

– Implement Data Minimization: Only collect what’s needed for specific, disclosed purposes.

– Ensure Data Security: Apply administrative, technical, and physical safeguards.

– Obtain Consent for Sensitive Data: Especially for biometric, health, or precise geolocation data.

⚠️ Enforcement and Penalties
– Enforced only by the Texas Attorney General

– Businesses get 45 days to respond to requests

– Fines: Up to $7,500 per violation

– Enforcement actions began in mid-2024, targeting non-compliance with opt-outs and disclosures

πŸ‹οΈ Impacts on Businesses
– Compliance Costs β€” Legal reviews, software upgrades, policy updates

– Better Security Standards β€” Required safeguards improve breach defense

– Trust & Reputation β€” Privacy-aligned brands gain a competitive edge

– Legal Risk β€” Non-compliance increases risk of audit and enforcement

🔄 Comparison of TDPSA with Other State Laws

| Law | Opt-Out Rights | Private Right of Action | Penalties |
|---|---|---|---|
| TDPSA | Yes | No | Up to $7,500/violation |
| CCPA (CA) | Yes | Yes (limited) | Up to $7,500/violation |
| VDPA (VA) | Yes | No | Enforced by Attorney General |
| CPA (CO) | Yes | No | Enforced by Attorney General |

🔧 How LightBeam Helps with TDPSA Compliance
LightBeam simplifies compliance by automating the most complex aspects of data governance:

– Identity-Aware Discovery: Detect personal and sensitive data across all systems

– Automated Privacy Workflows: Handle Data Subject Requests (DSR) with ease

– Consent Tracking: Maintain records of consent for sensitive data collection

– Real-Time Policy Enforcement: Instantly apply opt-outs and access controls

– Universal Opt-Out Integration: Honor GPC/browser-level signals automatically

❓ Frequently Asked Questions (FAQ)
Q: Does TDPSA let consumers sue companies?
A: No, there is no private right of action.

Q: What’s the universal opt-out signal?
A: A browser setting or privacy tool that signals a user’s choice to opt out. Businesses must honor it from Jan 2025.

Q: Is sensitive data treated differently?
A: Yes. Businesses must obtain explicit consent before collecting or using sensitive personal data.
