GLOBAL

The Texas Data Privacy and Security Act (TDPSA): 5 Key Points Your Business Must Know

Yuvin Kim

September 8, 2025

Everything's bigger in Texas—and that now includes data privacy regulations. As of July 1, 2024, the Texas Data Privacy and Security Act (TDPSA) is in full effect, establishing a new set of rights for consumers and significant responsibilities for businesses operating in the Lone Star State.

With the law in force for over a year, compliance is no longer a future goal; it's a present-day necessity. Whether your business is based in Texas or targets Texan consumers, understanding the core tenets of this law is critical.

Here are the five essential points of the TDPSA that every business must know.

1. Broad Scope, But a Unique Small Business Exception

Unlike many other state privacy laws that use revenue thresholds, the TDPSA applies more broadly to any organization that:

  • Conducts business in Texas or produces a product or service consumed by Texas residents.

  • Processes or engages in the sale of personal data.

However, the TDPSA includes a very specific and helpful exception for small businesses as defined by the U.S. Small Business Administration (SBA). This is a unique feature that exempts many smaller entities, so it's crucial to check if your business qualifies.

2. GDPR-Style Consumer Rights Are Here

The TDPSA grants Texans a comprehensive set of rights over their personal data, similar to those found in other major privacy laws like the GDPR. As a business, you must be prepared to facilitate these rights:

  • The Right to Access: Consumers can confirm if you are processing their data and can access that data.

  • The Right to Correct: They can correct inaccuracies in their personal data.

  • The Right to Delete: They can request the deletion of their personal data.

  • The Right to Portability: They can obtain a copy of their data in a portable and readily usable format.

3. The Crucial "Right to Opt-Out"

This is a cornerstone of U.S. privacy laws. Under the TDPSA, consumers have the absolute right to opt out of their personal data being used for three specific purposes:

  1. Targeted Advertising: Using data to predict consumer interests and show them specific ads.

  2. The "Sale" of Personal Data: Exchanging personal data for money or other valuable consideration.

  3. Profiling: Automated decision-making that produces legal or other similarly significant effects concerning the consumer.

Your business must provide a clear, conspicuous, and easily accessible method for consumers to exercise this right.

4. "Opt-In" Consent is Required for Sensitive Data

This is one of the most critical action items for businesses. The TDPSA creates a special category for "sensitive data" and requires a much higher standard of consent to process it.

  • Sensitive Data Includes: Data revealing racial or ethnic origin, religious beliefs, health diagnoses, genetic or biometric data, precise geolocation data, and a known child's personal data.

  • The Requirement: You must obtain the consumer’s clear and affirmative consent (i.e., "opt-in") before you can collect or process any of this sensitive data. This is a much stricter standard than the "opt-out" model for other data uses.

5. The Duty to Conduct Data Protection Assessments (DPAs)

For data processing activities that present a heightened risk of harm to a consumer, the TDPSA requires businesses to conduct and document a Data Protection Assessment (DPA).

A DPA is a formal risk assessment that identifies and weighs the benefits of the processing against the potential risks to the consumer's rights. Activities that require a DPA include:

  • Processing data for targeted advertising.

  • Selling personal data.

  • Processing sensitive data.

  • Any profiling that presents a reasonably foreseeable risk of harm.

How Walla Helps You Stay Aligned with the TDPSA

Navigating these requirements demands a robust data governance strategy supported by the right technology.

A platform like Walla provides the technical foundation for your TDPSA compliance program:

  • Managing Consumer Rights: Our centralized platform makes it easy to locate, manage, and act upon consumer data, so you can efficiently respond to access, correction, or deletion requests.

  • Capturing Valid Consent: Walla’s secure and auditable consent management tools are ideal for capturing the explicit, opt-in consent required for sensitive data, providing you with a clear record of compliance.

  • A Secure Foundation for DPAs: Walla provides the secure, auditable environment you need to conduct your DPAs with confidence. With built-in end-to-end encryption and granular access controls, you can demonstrate to regulators that you have the strong technical measures in place to protect the data you hold.

The TDPSA has firmly established a new standard for data privacy in Texas. By understanding these five key points and implementing a proactive compliance strategy, you can not only mitigate legal risks but also build deeper trust with your Texan customers.
