WHY WALLA
Understanding the Texas Data Privacy and Security Act (TDPSA): What It Means for SaaS Companies Like Walla
Yuvin Kim
July 16, 2025
WHY WALLA
Understanding the Texas Data Privacy and Security Act (TDPSA): What It Means for SaaS Companies Like Walla
Yuvin Kim
July 16, 2025
As data privacy continues to gain traction across the U.S., Texas has joined the growing list of states with its own consumer privacy law. The Texas Data Privacy and Security Act (TDPSA) was signed into law in June 2023 and will take effect on July 1, 2024. As the second-largest state by population, Texas’s move significantly expands the footprint of U.S. data protection regulations.
For SaaS companies like Walla, TDPSA introduces both familiar and unique requirements, particularly around transparency, consumer rights, and data security—making early compliance preparation essential for teams targeting U.S. growth.
1. What is the TDPSA?
Category | Details |
|---|---|
Law | Texas Data Privacy and Security Act (TDPSA) |
Effective Date | July 1, 2024 |
Enforcement | Texas Attorney General |
Scope | Applies to entities that: |
① Conduct business in Texas or produce products/services consumed by Texas residents, | |
AND | |
② Process or sell personal data | |
(No revenue or processing threshold required) | |
Exemptions | State agencies, non-profits, higher ed institutions, GLBA- and HIPAA-covered entities |
✅ Broad applicability: Unlike other state laws, the TDPSA applies to all entities, regardless of revenue size, if they process personal data of Texas residents.
2. Consumer Rights Under TDPSA
TDPSA provides Texas residents with rights similar to those under Colorado or Virginia laws:
Right to Know: ****The categories of personal data being collected and for what purposes.
Right to Access: Consumers can request a copy of their personal data.
Right to Delete: They can request deletion of personal data provided or obtained about them.
Right to Correct: Inaccurate data must be corrected upon request.
Right to Data Portability: Users can receive their data in a commonly used, machine-readable format.
Right to Opt Out of:
Targeted advertising
Sale of personal data
Profiling that produces legal or significant effects
Profiling includes automated decision-making processes that affect legal rights, financial decisions, etc.
3. Obligations for Businesses (Controllers)
Like other privacy laws, TDPSA defines responsibilities for companies that determine the "purpose and means" of data processing (i.e., data controllers):
3-1. Data Security
Implement “reasonable administrative, technical, and physical data security practices” to protect the integrity and confidentiality of data.
3-2. Privacy Notices
Clearly disclose:
Categories of personal data collected
Purpose of processing
How to exercise rights
Whether data is sold/shared for targeted ads
3-3. Data Protection Assessments (DPAs)
Required for processing activities that present a heightened risk, including:
Targeted advertising
Profiling
Sale of personal data
Processing sensitive data
3-4. Consent for Sensitive Data
Explicit opt-in consent is required before processing sensitive data, such as:
Health or biometric info
Precise geolocation
Children’s data (under 13)
Race, religion, or sexual orientation
4. Unique Aspects of the TDPSA
4-1. No Revenue Threshold
Unlike Utah’s UCPA or Virginia’s VCDPA, there is no $25 million threshold—small companies must comply if they process Texas data.
4-2. Universal Opt-Out Mechanism (2025)
By January 1, 2025, companies must comply with universal opt-out signals (like Global Privacy Control) from browsers or tools.
4-3. Annual Data Protection Reports
Large Data Controllers (defined in part by volume) may be required to generate annual reports detailing risk assessments.
5. How Walla is Preparing for TDPSA
At Walla, our product and infrastructure are designed with global compliance in mind. Here’s how we align with TDPSA requirements:
TDPSA Requirement | Walla’s Compliance Strategy |
|---|---|
Privacy Notices | Clear disclosure via interface & docs |
Consumer Rights Portal | User-facing tools for data access, deletion, and correction |
Opt-Out Tools | Cookie banners and GPC integration (planned) |
Data Protection Assessments | Internal DPIA templates used for high-risk features |
Sensitive Data Controls | Encryption, access control, and explicit consent mechanisms |
Vendor Management | DPAs with third-party services and subprocessors |
Walla treats TDPSA not as a checkbox, but as an opportunity to deepen user trust—especially in high-growth U.S. markets like Texas.
6. Comparison with Other State Privacy Laws
Feature | TDPSA (TX) | CPRA (CA) | VCDPA (VA) | CPA (CO) |
|---|---|---|---|---|
Opt-out of targeted ads | O | O | O | O |
Opt-out of sale | O | O | O | O |
Right to correct | O | O | O | O |
DPIAs required | O | X | O | O |
Universal opt-out required | O (by 2025) | O | Optional | O |
Consent for sensitive data | O (opt-in) | O | O | O |
Private right of action | X | X (limited) | X | X |
7. Final Thoughts: TDPSA as a Signpost for Nationwide Strategy
Texas’s adoption of TDPSA demonstrates that even states historically less aggressive on tech regulation are now prioritizing data rights. This shift creates a clear message for global SaaS providers:
Build your compliance architecture once—and scale it everywhere.
For Walla and similar platforms, TDPSA readiness means:
Respecting user rights
Engineering for transparency
Designing composable, privacy-aware systems
Preparing for evolving U.S. standards (Oregon, Florida, New Jersey…)
+ TL;DR: Walla’s TDPSA Readiness Checklist
Region-based hosting with server transparency
Privacy notices & consent tracking built-in
Universal opt-out signal support (coming soon)
DPIA-ready workflows for profiling and targeting
Encryption, access controls, and vendor DPAs
Walla is committed to helping users build trust-first SaaS tools, no matter the jurisdiction. With TDPSA approaching, we’re ready to scale compliant infrastructure across the U.S.
As data privacy continues to gain traction across the U.S., Texas has joined the growing list of states with its own consumer privacy law. The Texas Data Privacy and Security Act (TDPSA) was signed into law in June 2023 and will take effect on July 1, 2024. As the second-largest state by population, Texas’s move significantly expands the footprint of U.S. data protection regulations.
For SaaS companies like Walla, TDPSA introduces both familiar and unique requirements, particularly around transparency, consumer rights, and data security—making early compliance preparation essential for teams targeting U.S. growth.
1. What is the TDPSA?
Category | Details |
|---|---|
Law | Texas Data Privacy and Security Act (TDPSA) |
Effective Date | July 1, 2024 |
Enforcement | Texas Attorney General |
Scope | Applies to entities that: |
① Conduct business in Texas or produce products/services consumed by Texas residents, | |
AND | |
② Process or sell personal data | |
(No revenue or processing threshold required) | |
Exemptions | State agencies, non-profits, higher ed institutions, GLBA- and HIPAA-covered entities |
✅ Broad applicability: Unlike other state laws, the TDPSA applies to all entities, regardless of revenue size, if they process personal data of Texas residents.
2. Consumer Rights Under TDPSA
TDPSA provides Texas residents with rights similar to those under Colorado or Virginia laws:
Right to Know: ****The categories of personal data being collected and for what purposes.
Right to Access: Consumers can request a copy of their personal data.
Right to Delete: They can request deletion of personal data provided or obtained about them.
Right to Correct: Inaccurate data must be corrected upon request.
Right to Data Portability: Users can receive their data in a commonly used, machine-readable format.
Right to Opt Out of:
Targeted advertising
Sale of personal data
Profiling that produces legal or significant effects
Profiling includes automated decision-making processes that affect legal rights, financial decisions, etc.
3. Obligations for Businesses (Controllers)
Like other privacy laws, TDPSA defines responsibilities for companies that determine the "purpose and means" of data processing (i.e., data controllers):
3-1. Data Security
Implement “reasonable administrative, technical, and physical data security practices” to protect the integrity and confidentiality of data.
3-2. Privacy Notices
Clearly disclose:
Categories of personal data collected
Purpose of processing
How to exercise rights
Whether data is sold/shared for targeted ads
3-3. Data Protection Assessments (DPAs)
Required for processing activities that present a heightened risk, including:
Targeted advertising
Profiling
Sale of personal data
Processing sensitive data
3-4. Consent for Sensitive Data
Explicit opt-in consent is required before processing sensitive data, such as:
Health or biometric info
Precise geolocation
Children’s data (under 13)
Race, religion, or sexual orientation
4. Unique Aspects of the TDPSA
4-1. No Revenue Threshold
Unlike Utah’s UCPA or Virginia’s VCDPA, there is no $25 million threshold—small companies must comply if they process Texas data.
4-2. Universal Opt-Out Mechanism (2025)
By January 1, 2025, companies must comply with universal opt-out signals (like Global Privacy Control) from browsers or tools.
4-3. Annual Data Protection Reports
Large Data Controllers (defined in part by volume) may be required to generate annual reports detailing risk assessments.
5. How Walla is Preparing for TDPSA
At Walla, our product and infrastructure are designed with global compliance in mind. Here’s how we align with TDPSA requirements:
TDPSA Requirement | Walla’s Compliance Strategy |
|---|---|
Privacy Notices | Clear disclosure via interface & docs |
Consumer Rights Portal | User-facing tools for data access, deletion, and correction |
Opt-Out Tools | Cookie banners and GPC integration (planned) |
Data Protection Assessments | Internal DPIA templates used for high-risk features |
Sensitive Data Controls | Encryption, access control, and explicit consent mechanisms |
Vendor Management | DPAs with third-party services and subprocessors |
Walla treats TDPSA not as a checkbox, but as an opportunity to deepen user trust—especially in high-growth U.S. markets like Texas.
6. Comparison with Other State Privacy Laws
Feature | TDPSA (TX) | CPRA (CA) | VCDPA (VA) | CPA (CO) |
|---|---|---|---|---|
Opt-out of targeted ads | O | O | O | O |
Opt-out of sale | O | O | O | O |
Right to correct | O | O | O | O |
DPIAs required | O | X | O | O |
Universal opt-out required | O (by 2025) | O | Optional | O |
Consent for sensitive data | O (opt-in) | O | O | O |
Private right of action | X | X (limited) | X | X |
7. Final Thoughts: TDPSA as a Signpost for Nationwide Strategy
Texas’s adoption of TDPSA demonstrates that even states historically less aggressive on tech regulation are now prioritizing data rights. This shift creates a clear message for global SaaS providers:
Build your compliance architecture once—and scale it everywhere.
For Walla and similar platforms, TDPSA readiness means:
Respecting user rights
Engineering for transparency
Designing composable, privacy-aware systems
Preparing for evolving U.S. standards (Oregon, Florida, New Jersey…)
+ TL;DR: Walla’s TDPSA Readiness Checklist
Region-based hosting with server transparency
Privacy notices & consent tracking built-in
Universal opt-out signal support (coming soon)
DPIA-ready workflows for profiling and targeting
Encryption, access controls, and vendor DPAs
Walla is committed to helping users build trust-first SaaS tools, no matter the jurisdiction. With TDPSA approaching, we’re ready to scale compliant infrastructure across the U.S.
As data privacy continues to gain traction across the U.S., Texas has joined the growing list of states with its own consumer privacy law. The Texas Data Privacy and Security Act (TDPSA) was signed into law in June 2023 and will take effect on July 1, 2024. As the second-largest state by population, Texas’s move significantly expands the footprint of U.S. data protection regulations.
For SaaS companies like Walla, TDPSA introduces both familiar and unique requirements, particularly around transparency, consumer rights, and data security—making early compliance preparation essential for teams targeting U.S. growth.
1. What is the TDPSA?
Category | Details |
|---|---|
Law | Texas Data Privacy and Security Act (TDPSA) |
Effective Date | July 1, 2024 |
Enforcement | Texas Attorney General |
Scope | Applies to entities that: |
① Conduct business in Texas or produce products/services consumed by Texas residents, | |
AND | |
② Process or sell personal data | |
(No revenue or processing threshold required) | |
Exemptions | State agencies, non-profits, higher ed institutions, GLBA- and HIPAA-covered entities |
✅ Broad applicability: Unlike other state laws, the TDPSA applies to all entities, regardless of revenue size, if they process personal data of Texas residents.
2. Consumer Rights Under TDPSA
TDPSA provides Texas residents with rights similar to those under Colorado or Virginia laws:
Right to Know: ****The categories of personal data being collected and for what purposes.
Right to Access: Consumers can request a copy of their personal data.
Right to Delete: They can request deletion of personal data provided or obtained about them.
Right to Correct: Inaccurate data must be corrected upon request.
Right to Data Portability: Users can receive their data in a commonly used, machine-readable format.
Right to Opt Out of:
Targeted advertising
Sale of personal data
Profiling that produces legal or significant effects
Profiling includes automated decision-making processes that affect legal rights, financial decisions, etc.
3. Obligations for Businesses (Controllers)
Like other privacy laws, TDPSA defines responsibilities for companies that determine the "purpose and means" of data processing (i.e., data controllers):
3-1. Data Security
Implement “reasonable administrative, technical, and physical data security practices” to protect the integrity and confidentiality of data.
3-2. Privacy Notices
Clearly disclose:
Categories of personal data collected
Purpose of processing
How to exercise rights
Whether data is sold/shared for targeted ads
3-3. Data Protection Assessments (DPAs)
Required for processing activities that present a heightened risk, including:
Targeted advertising
Profiling
Sale of personal data
Processing sensitive data
3-4. Consent for Sensitive Data
Explicit opt-in consent is required before processing sensitive data, such as:
Health or biometric info
Precise geolocation
Children’s data (under 13)
Race, religion, or sexual orientation
4. Unique Aspects of the TDPSA
4-1. No Revenue Threshold
Unlike Utah’s UCPA or Virginia’s VCDPA, there is no $25 million threshold—small companies must comply if they process Texas data.
4-2. Universal Opt-Out Mechanism (2025)
By January 1, 2025, companies must comply with universal opt-out signals (like Global Privacy Control) from browsers or tools.
4-3. Annual Data Protection Reports
Large Data Controllers (defined in part by volume) may be required to generate annual reports detailing risk assessments.
5. How Walla is Preparing for TDPSA
At Walla, our product and infrastructure are designed with global compliance in mind. Here’s how we align with TDPSA requirements:
TDPSA Requirement | Walla’s Compliance Strategy |
|---|---|
Privacy Notices | Clear disclosure via interface & docs |
Consumer Rights Portal | User-facing tools for data access, deletion, and correction |
Opt-Out Tools | Cookie banners and GPC integration (planned) |
Data Protection Assessments | Internal DPIA templates used for high-risk features |
Sensitive Data Controls | Encryption, access control, and explicit consent mechanisms |
Vendor Management | DPAs with third-party services and subprocessors |
Walla treats TDPSA not as a checkbox, but as an opportunity to deepen user trust—especially in high-growth U.S. markets like Texas.
6. Comparison with Other State Privacy Laws
Feature | TDPSA (TX) | CPRA (CA) | VCDPA (VA) | CPA (CO) |
|---|---|---|---|---|
Opt-out of targeted ads | O | O | O | O |
Opt-out of sale | O | O | O | O |
Right to correct | O | O | O | O |
DPIAs required | O | X | O | O |
Universal opt-out required | O (by 2025) | O | Optional | O |
Consent for sensitive data | O (opt-in) | O | O | O |
Private right of action | X | X (limited) | X | X |
7. Final Thoughts: TDPSA as a Signpost for Nationwide Strategy
Texas’s adoption of TDPSA demonstrates that even states historically less aggressive on tech regulation are now prioritizing data rights. This shift creates a clear message for global SaaS providers:
Build your compliance architecture once—and scale it everywhere.
For Walla and similar platforms, TDPSA readiness means:
Respecting user rights
Engineering for transparency
Designing composable, privacy-aware systems
Preparing for evolving U.S. standards (Oregon, Florida, New Jersey…)
+ TL;DR: Walla’s TDPSA Readiness Checklist
Region-based hosting with server transparency
Privacy notices & consent tracking built-in
Universal opt-out signal support (coming soon)
DPIA-ready workflows for profiling and targeting
Encryption, access controls, and vendor DPAs
Walla is committed to helping users build trust-first SaaS tools, no matter the jurisdiction. With TDPSA approaching, we’re ready to scale compliant infrastructure across the U.S.
Continue Reading
WHY WALLA
Conformité à la Loi 25 du Québec : Pourquoi tous les créateurs de formulaires ne sont pas égaux
Cómo Walla cumple con la Ley de Protección de Datos Personales en Argentina (Ley N° 25.326)
Yuvin Kim
July 28, 2025
WHY WALLA
A Guide to Nova Scotia's FOIPOP: Secure Data Collection for Public Bodies
Cómo Walla cumple con la Ley de Protección de Datos Personales en Argentina (Ley N° 25.326)
Yuvin Kim
July 28, 2025
The form you've been searching for?
Walla, Obviously.
Paprika Data Lab Inc.
557, Yeoksam-ro, Gangnam-gu, Seoul
Services
The form you've been searching for?
Walla, Obviously.
Paprika Data Lab Inc.
557, Yeoksam-ro, Gangnam-gu, Seoul
Services
The form you've been searching for?
Walla, Obviously.
Paprika Data Lab Inc.
557, Yeoksam-ro, Gangnam-gu, Seoul
Services
