EDITORIAL
The TDPSA's Impact on Small Businesses: A Guide to a Key Exception and Hidden Risks

Yuvin Kim
September 8, 2025


When a major new privacy law like the Texas Data Privacy and Security Act (TDPSA) comes into effect, the first reaction for many small business owners is anxiety about new costs and complex rules.
The good news is that the TDPSA includes one of the most generous small business exceptions in the United States. The bad news? It’s not a complete get-out-of-jail-free card. A critical hidden requirement could still place unprepared small businesses at significant legal risk.
As the TDPSA has been in force since July 2024, here’s what every small business in Texas needs to know to operate with confidence.
1. The Big Question: Does the TDPSA's Main Exemption Apply to You?
First, the good news. The TDPSA provides a broad exemption from most of its major requirements for businesses that qualify as a "small business" under the standards set by the U.S. Small Business Administration (SBA).
This means if your business meets the SBA's size standards for your industry (based on revenue or number of employees), you are generally exempt from duties such as:
Responding to consumer rights requests (like access, correction, or deletion).
Conducting Data Protection Assessments (DPAs) for high-risk activities.
Action Step: Your first step is to visit the SBA's website and use their Size Standards Tool to determine if your business officially qualifies. For many small businesses in Texas, this will be a significant relief.
2. The Critical Trap: The Exception to the Exception
This is the most important point for every small business owner in Texas to understand. Even if you qualify for the general small business exemption, the law states you are NOT exempt from one crucial rule:
You must obtain a consumer's prior, affirmative consent (i.e., opt-in) before engaging in the "sale" of sensitive personal data.
Let's break that down:
"Sale": This means sharing personal data with a third party for monetary or other valuable consideration.
"Sensitive Data": This includes information revealing racial or ethnic origin, religious beliefs, health diagnoses, precise geolocation data, biometric data, or a known child's data.
Example Scenario: Imagine a small local wellness blog that uses a web form to collect readers' health interests and precise location data to sell targeted marketing lists to local gyms. Even though the blog is a small business, this activity constitutes the "sale of sensitive personal data." Under the TDPSA, the blog must get clear, opt-in consent from every reader before collecting and selling this information.
3. A Practical Compliance Strategy for Small Businesses
Navigating this landscape doesn't have to be complicated. Here is a clear, three-step strategy:
Step 1: Determine Your Status
First and foremost, use the SBA's official tools to confirm if you are a "small business." This defines your path forward.
Step 2: Scrutinize Your Data Practices
Next, ask the critical question: Do we sell sensitive personal data? Be honest and thorough. Review all your data collection forms and business partnerships. If the answer is yes, or even maybe, you must proceed to Step 3.
Step 3: Implement a Reliable Consent Mechanism
If you engage in the sale of sensitive data, you are legally required to have a system for obtaining and recording user consent. A simple checkbox on an insecure form may not be enough to prove compliance.
The Walla Solution: This is where a scalable, secure platform becomes invaluable. Walla provides an easy-to-implement and auditable solution for managing explicit, opt-in consent. Our secure forms create a clear record that you have met your legal duty, protecting your business without requiring a complex and expensive enterprise software suite.
4. What If You Don't Qualify as a Small Business?
If your business has grown beyond the SBA's size standards, you must comply with the full TDPSA. This means having systems in place to handle consumer rights requests, conduct DPAs for high-risk activities, and meet all other obligations of the Act.
The Walla Solution: For growing enterprises needing full compliance, a data governance platform like Walla is the most efficient path. It provides the centralized infrastructure to manage rights requests, secure data with end-to-end encryption, and maintain the audit trails needed to demonstrate compliance to regulators.
Conclusion
The TDPSA's small business exception offers significant relief, but the carve-out for the sale of sensitive data is a critical detail that cannot be overlooked. By assessing your status, analyzing your data practices, and implementing the right tools to close any gaps, small businesses in Texas can avoid hidden risks and build a trustworthy brand.
