WHY WALLA

Understanding the Texas Data Privacy and Security Act (TDPSA): What It Means for SaaS Companies Like Walla

Yuvin Kim

July 16, 2025

WHY WALLA

Understanding the Texas Data Privacy and Security Act (TDPSA): What It Means for SaaS Companies Like Walla

Yuvin Kim

July 16, 2025

As data privacy continues to gain traction across the U.S., Texas has joined the growing list of states with its own consumer privacy law. The Texas Data Privacy and Security Act (TDPSA) was signed into law in June 2023 and will take effect on July 1, 2024. As the second-largest state by population, Texas’s move significantly expands the footprint of U.S. data protection regulations.

For SaaS companies like Walla, TDPSA introduces both familiar and unique requirements, particularly around transparency, consumer rights, and data security—making early compliance preparation essential for teams targeting U.S. growth.

1. What is the TDPSA?

Category

Details

Law

Texas Data Privacy and Security Act (TDPSA)

Effective Date

July 1, 2024

Enforcement

Texas Attorney General

Scope

Applies to entities that:

① Conduct business in Texas or produce products/services consumed by Texas residents,


AND


② Process or sell personal data


(No revenue or processing threshold required)


Exemptions

State agencies, non-profits, higher ed institutions, GLBA- and HIPAA-covered entities

✅ Broad applicability: Unlike other state laws, the TDPSA applies to all entities, regardless of revenue size, if they process personal data of Texas residents.

2. Consumer Rights Under TDPSA

TDPSA provides Texas residents with rights similar to those under Colorado or Virginia laws:

  • Right to Know: ****The categories of personal data being collected and for what purposes.

  • Right to Access: Consumers can request a copy of their personal data.

  • Right to Delete: They can request deletion of personal data provided or obtained about them.

  • Right to Correct: Inaccurate data must be corrected upon request.

  • Right to Data Portability: Users can receive their data in a commonly used, machine-readable format.

  • Right to Opt Out of:

    • Targeted advertising

    • Sale of personal data

    • Profiling that produces legal or significant effects

Profiling includes automated decision-making processes that affect legal rights, financial decisions, etc.

3. Obligations for Businesses (Controllers)

Like other privacy laws, TDPSA defines responsibilities for companies that determine the "purpose and means" of data processing (i.e., data controllers):

3-1. Data Security

Implement “reasonable administrative, technical, and physical data security practices” to protect the integrity and confidentiality of data.

3-2. Privacy Notices

Clearly disclose:

  • Categories of personal data collected

  • Purpose of processing

  • How to exercise rights

  • Whether data is sold/shared for targeted ads

3-3. Data Protection Assessments (DPAs)

Required for processing activities that present a heightened risk, including:

  • Targeted advertising

  • Profiling

  • Sale of personal data

  • Processing sensitive data

3-4. Consent for Sensitive Data

Explicit opt-in consent is required before processing sensitive data, such as:

  • Health or biometric info

  • Precise geolocation

  • Children’s data (under 13)

  • Race, religion, or sexual orientation

4. Unique Aspects of the TDPSA
4-1. No Revenue Threshold

Unlike Utah’s UCPA or Virginia’s VCDPA, there is no $25 million threshold—small companies must comply if they process Texas data.

4-2. Universal Opt-Out Mechanism (2025)

By January 1, 2025, companies must comply with universal opt-out signals (like Global Privacy Control) from browsers or tools.

4-3. Annual Data Protection Reports

Large Data Controllers (defined in part by volume) may be required to generate annual reports detailing risk assessments.

5. How Walla is Preparing for TDPSA

At Walla, our product and infrastructure are designed with global compliance in mind. Here’s how we align with TDPSA requirements:

TDPSA Requirement

Walla’s Compliance Strategy

Privacy Notices

Clear disclosure via interface & docs

Consumer Rights Portal

User-facing tools for data access, deletion, and correction

Opt-Out Tools

Cookie banners and GPC integration (planned)

Data Protection Assessments

Internal DPIA templates used for high-risk features

Sensitive Data Controls

Encryption, access control, and explicit consent mechanisms

Vendor Management

DPAs with third-party services and subprocessors

Walla treats TDPSA not as a checkbox, but as an opportunity to deepen user trust—especially in high-growth U.S. markets like Texas.

6. Comparison with Other State Privacy Laws

Feature

TDPSA (TX)

CPRA (CA)

VCDPA (VA)

CPA (CO)

Opt-out of targeted ads

O

O

O

O

Opt-out of sale

O

O

O

O

Right to correct

O

O

O

O

DPIAs required

O

X

O

O

Universal opt-out required

O (by 2025)

O

Optional

O

Consent for sensitive data

O (opt-in)

O

O

O

Private right of action

X

X (limited)

X

X

7. Final Thoughts: TDPSA as a Signpost for Nationwide Strategy

Texas’s adoption of TDPSA demonstrates that even states historically less aggressive on tech regulation are now prioritizing data rights. This shift creates a clear message for global SaaS providers:

Build your compliance architecture once—and scale it everywhere.

For Walla and similar platforms, TDPSA readiness means:

  • Respecting user rights

  • Engineering for transparency

  • Designing composable, privacy-aware systems

  • Preparing for evolving U.S. standards (Oregon, Florida, New Jersey…)

+ TL;DR: Walla’s TDPSA Readiness Checklist
  • Region-based hosting with server transparency

  • Privacy notices & consent tracking built-in

  • Universal opt-out signal support (coming soon)

  • DPIA-ready workflows for profiling and targeting

  • Encryption, access controls, and vendor DPAs

Walla is committed to helping users build trust-first SaaS tools, no matter the jurisdiction. With TDPSA approaching, we’re ready to scale compliant infrastructure across the U.S.

https://home.walla.my

As data privacy continues to gain traction across the U.S., Texas has joined the growing list of states with its own consumer privacy law. The Texas Data Privacy and Security Act (TDPSA) was signed into law in June 2023 and will take effect on July 1, 2024. As the second-largest state by population, Texas’s move significantly expands the footprint of U.S. data protection regulations.

For SaaS companies like Walla, TDPSA introduces both familiar and unique requirements, particularly around transparency, consumer rights, and data security—making early compliance preparation essential for teams targeting U.S. growth.

1. What is the TDPSA?

Category

Details

Law

Texas Data Privacy and Security Act (TDPSA)

Effective Date

July 1, 2024

Enforcement

Texas Attorney General

Scope

Applies to entities that:

① Conduct business in Texas or produce products/services consumed by Texas residents,


AND


② Process or sell personal data


(No revenue or processing threshold required)


Exemptions

State agencies, non-profits, higher ed institutions, GLBA- and HIPAA-covered entities

✅ Broad applicability: Unlike other state laws, the TDPSA applies to all entities, regardless of revenue size, if they process personal data of Texas residents.

2. Consumer Rights Under TDPSA

TDPSA provides Texas residents with rights similar to those under Colorado or Virginia laws:

  • Right to Know: ****The categories of personal data being collected and for what purposes.

  • Right to Access: Consumers can request a copy of their personal data.

  • Right to Delete: They can request deletion of personal data provided or obtained about them.

  • Right to Correct: Inaccurate data must be corrected upon request.

  • Right to Data Portability: Users can receive their data in a commonly used, machine-readable format.

  • Right to Opt Out of:

    • Targeted advertising

    • Sale of personal data

    • Profiling that produces legal or significant effects

Profiling includes automated decision-making processes that affect legal rights, financial decisions, etc.

3. Obligations for Businesses (Controllers)

Like other privacy laws, TDPSA defines responsibilities for companies that determine the "purpose and means" of data processing (i.e., data controllers):

3-1. Data Security

Implement “reasonable administrative, technical, and physical data security practices” to protect the integrity and confidentiality of data.

3-2. Privacy Notices

Clearly disclose:

  • Categories of personal data collected

  • Purpose of processing

  • How to exercise rights

  • Whether data is sold/shared for targeted ads

3-3. Data Protection Assessments (DPAs)

Required for processing activities that present a heightened risk, including:

  • Targeted advertising

  • Profiling

  • Sale of personal data

  • Processing sensitive data

3-4. Consent for Sensitive Data

Explicit opt-in consent is required before processing sensitive data, such as:

  • Health or biometric info

  • Precise geolocation

  • Children’s data (under 13)

  • Race, religion, or sexual orientation

4. Unique Aspects of the TDPSA
4-1. No Revenue Threshold

Unlike Utah’s UCPA or Virginia’s VCDPA, there is no $25 million threshold—small companies must comply if they process Texas data.

4-2. Universal Opt-Out Mechanism (2025)

By January 1, 2025, companies must comply with universal opt-out signals (like Global Privacy Control) from browsers or tools.

4-3. Annual Data Protection Reports

Large Data Controllers (defined in part by volume) may be required to generate annual reports detailing risk assessments.

5. How Walla is Preparing for TDPSA

At Walla, our product and infrastructure are designed with global compliance in mind. Here’s how we align with TDPSA requirements:

TDPSA Requirement

Walla’s Compliance Strategy

Privacy Notices

Clear disclosure via interface & docs

Consumer Rights Portal

User-facing tools for data access, deletion, and correction

Opt-Out Tools

Cookie banners and GPC integration (planned)

Data Protection Assessments

Internal DPIA templates used for high-risk features

Sensitive Data Controls

Encryption, access control, and explicit consent mechanisms

Vendor Management

DPAs with third-party services and subprocessors

Walla treats TDPSA not as a checkbox, but as an opportunity to deepen user trust—especially in high-growth U.S. markets like Texas.

6. Comparison with Other State Privacy Laws

Feature

TDPSA (TX)

CPRA (CA)

VCDPA (VA)

CPA (CO)

Opt-out of targeted ads

O

O

O

O

Opt-out of sale

O

O

O

O

Right to correct

O

O

O

O

DPIAs required

O

X

O

O

Universal opt-out required

O (by 2025)

O

Optional

O

Consent for sensitive data

O (opt-in)

O

O

O

Private right of action

X

X (limited)

X

X

7. Final Thoughts: TDPSA as a Signpost for Nationwide Strategy

Texas’s adoption of TDPSA demonstrates that even states historically less aggressive on tech regulation are now prioritizing data rights. This shift creates a clear message for global SaaS providers:

Build your compliance architecture once—and scale it everywhere.

For Walla and similar platforms, TDPSA readiness means:

  • Respecting user rights

  • Engineering for transparency

  • Designing composable, privacy-aware systems

  • Preparing for evolving U.S. standards (Oregon, Florida, New Jersey…)

+ TL;DR: Walla’s TDPSA Readiness Checklist
  • Region-based hosting with server transparency

  • Privacy notices & consent tracking built-in

  • Universal opt-out signal support (coming soon)

  • DPIA-ready workflows for profiling and targeting

  • Encryption, access controls, and vendor DPAs

Walla is committed to helping users build trust-first SaaS tools, no matter the jurisdiction. With TDPSA approaching, we’re ready to scale compliant infrastructure across the U.S.

https://home.walla.my

As data privacy continues to gain traction across the U.S., Texas has joined the growing list of states with its own consumer privacy law. The Texas Data Privacy and Security Act (TDPSA) was signed into law in June 2023 and will take effect on July 1, 2024. As the second-largest state by population, Texas’s move significantly expands the footprint of U.S. data protection regulations.

For SaaS companies like Walla, TDPSA introduces both familiar and unique requirements, particularly around transparency, consumer rights, and data security—making early compliance preparation essential for teams targeting U.S. growth.

1. What is the TDPSA?

Category

Details

Law

Texas Data Privacy and Security Act (TDPSA)

Effective Date

July 1, 2024

Enforcement

Texas Attorney General

Scope

Applies to entities that:

① Conduct business in Texas or produce products/services consumed by Texas residents,


AND


② Process or sell personal data


(No revenue or processing threshold required)


Exemptions

State agencies, non-profits, higher ed institutions, GLBA- and HIPAA-covered entities

✅ Broad applicability: Unlike other state laws, the TDPSA applies to all entities, regardless of revenue size, if they process personal data of Texas residents.

2. Consumer Rights Under TDPSA

TDPSA provides Texas residents with rights similar to those under Colorado or Virginia laws:

  • Right to Know: ****The categories of personal data being collected and for what purposes.

  • Right to Access: Consumers can request a copy of their personal data.

  • Right to Delete: They can request deletion of personal data provided or obtained about them.

  • Right to Correct: Inaccurate data must be corrected upon request.

  • Right to Data Portability: Users can receive their data in a commonly used, machine-readable format.

  • Right to Opt Out of:

    • Targeted advertising

    • Sale of personal data

    • Profiling that produces legal or significant effects

Profiling includes automated decision-making processes that affect legal rights, financial decisions, etc.

3. Obligations for Businesses (Controllers)

Like other privacy laws, TDPSA defines responsibilities for companies that determine the "purpose and means" of data processing (i.e., data controllers):

3-1. Data Security

Implement “reasonable administrative, technical, and physical data security practices” to protect the integrity and confidentiality of data.

3-2. Privacy Notices

Clearly disclose:

  • Categories of personal data collected

  • Purpose of processing

  • How to exercise rights

  • Whether data is sold/shared for targeted ads

3-3. Data Protection Assessments (DPAs)

Required for processing activities that present a heightened risk, including:

  • Targeted advertising

  • Profiling

  • Sale of personal data

  • Processing sensitive data

3-4. Consent for Sensitive Data

Explicit opt-in consent is required before processing sensitive data, such as:

  • Health or biometric info

  • Precise geolocation

  • Children’s data (under 13)

  • Race, religion, or sexual orientation

4. Unique Aspects of the TDPSA
4-1. No Revenue Threshold

Unlike Utah’s UCPA or Virginia’s VCDPA, there is no $25 million threshold—small companies must comply if they process Texas data.

4-2. Universal Opt-Out Mechanism (2025)

By January 1, 2025, companies must comply with universal opt-out signals (like Global Privacy Control) from browsers or tools.

4-3. Annual Data Protection Reports

Large Data Controllers (defined in part by volume) may be required to generate annual reports detailing risk assessments.

5. How Walla is Preparing for TDPSA

At Walla, our product and infrastructure are designed with global compliance in mind. Here’s how we align with TDPSA requirements:

TDPSA Requirement

Walla’s Compliance Strategy

Privacy Notices

Clear disclosure via interface & docs

Consumer Rights Portal

User-facing tools for data access, deletion, and correction

Opt-Out Tools

Cookie banners and GPC integration (planned)

Data Protection Assessments

Internal DPIA templates used for high-risk features

Sensitive Data Controls

Encryption, access control, and explicit consent mechanisms

Vendor Management

DPAs with third-party services and subprocessors

Walla treats TDPSA not as a checkbox, but as an opportunity to deepen user trust—especially in high-growth U.S. markets like Texas.

6. Comparison with Other State Privacy Laws

Feature

TDPSA (TX)

CPRA (CA)

VCDPA (VA)

CPA (CO)

Opt-out of targeted ads

O

O

O

O

Opt-out of sale

O

O

O

O

Right to correct

O

O

O

O

DPIAs required

O

X

O

O

Universal opt-out required

O (by 2025)

O

Optional

O

Consent for sensitive data

O (opt-in)

O

O

O

Private right of action

X

X (limited)

X

X

7. Final Thoughts: TDPSA as a Signpost for Nationwide Strategy

Texas’s adoption of TDPSA demonstrates that even states historically less aggressive on tech regulation are now prioritizing data rights. This shift creates a clear message for global SaaS providers:

Build your compliance architecture once—and scale it everywhere.

For Walla and similar platforms, TDPSA readiness means:

  • Respecting user rights

  • Engineering for transparency

  • Designing composable, privacy-aware systems

  • Preparing for evolving U.S. standards (Oregon, Florida, New Jersey…)

+ TL;DR: Walla’s TDPSA Readiness Checklist
  • Region-based hosting with server transparency

  • Privacy notices & consent tracking built-in

  • Universal opt-out signal support (coming soon)

  • DPIA-ready workflows for profiling and targeting

  • Encryption, access controls, and vendor DPAs

Walla is committed to helping users build trust-first SaaS tools, no matter the jurisdiction. With TDPSA approaching, we’re ready to scale compliant infrastructure across the U.S.

https://home.walla.my

Continue Reading

The form you've been searching for?

Walla, Obviously.

Paprika Data Lab Inc.

557, Yeoksam-ro, Gangnam-gu, Seoul

The form you've been searching for?

Walla, Obviously.

Paprika Data Lab Inc.

557, Yeoksam-ro, Gangnam-gu, Seoul

The form you've been searching for?

Walla, Obviously.

Paprika Data Lab Inc.

557, Yeoksam-ro, Gangnam-gu, Seoul