Texas Data Privacy and Security Act (TDPSA)
Texas's privacy law effective July 1, 2024, notable for broad applicability with no minimum consumer threshold for large businesses.
The Texas Data Privacy and Security Act (TDPSA), Tex. Bus. & Com. Code § 541.001 et seq., took effect July 1, 2024. The TDPSA applies to entities that conduct business in Texas or produce products or services consumed by Texas residents, process or sell personal data, and are not a "small business" as defined by the U.S. Small Business Administration. This structure — using SBA size standards rather than a fixed consumer threshold — means large enterprises with any Texas-resident customers are covered regardless of data volume, a broader reach than most state laws. The TDPSA grants the five standard consumer rights: access, correction, deletion, portability, and opt-out of targeted advertising, data sales, and certain profiling.
The TDPSA's most distinctive engineering dimension is its security requirement: controllers must implement and maintain reasonable security practices "appropriate to the volume and nature of the personal data processed" (§ 541.201(a)(1)). This risk-calibrated standard demands documented security assessments aligned to data sensitivity and volume — not a one-size-fits-all control set. Sensitive data categories requiring opt-in consent include racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship status, precise geolocation, genetic data, biometric data used for identification purposes, and data of known minors under 13. As under other state laws, processors must enter into written DPAs with controllers specifying processing instructions, confidentiality, subprocessors, audit rights, and deletion obligations. Controllers must respond to consumer requests within 45 days, extendable by a further 45 days.
Texas enforcement is exclusively AG-driven with a 30-day cure period — one of the shortest cure windows among state laws, demanding rapid incident response readiness. The TDPSA explicitly prohibits controllers from processing sensitive data without obtaining consent, and from processing any personal data in ways inconsistent with a consumer's opt-out request. A notable provision: the TDPSA requires that opt-out of "profiling in furtherance of decisions that produce legal or similarly significant effects" be honored, mirroring GDPR Article 22 language and requiring systems to suppress profiling pipelines — not just targeted advertising segments — when this opt-out is exercised. Universal Opt-Out Mechanisms must be honored beginning January 1, 2025.
We scope TDPSA coverage analysis against SBA size classifications rather than consumer thresholds, ensuring large-enterprise clients do not underestimate applicability. Our data security assessment tooling calibrates control recommendations to data volume and sensitivity tiers, and our opt-out pipelines distinguish profiling suppression from advertising suppression to satisfy the TDPSA's profiling opt-out language specifically.