Texas residents now have more rights over their personal data. The Texas Data Privacy and Security Act (TDPSA) establishes new laws for collecting, storing, processing, and selling consumer information linked to a specific individual.

TDPSA was passed as House Bill 4 during the regular session of the 88th Texas Legislature. The law became effective July 1, 2024. Section 541.055(e), will go into effect January 1, 2025.

You can read the text of TDPSA in Chapter 541 of the Texas Business and Commerce Code. Additionally, the Texas Attorney General’s Consumer Protection department has a brief explanation of the new law on their website.

What types of data are protected?

The new law provides some protections for consumers’ personal and sensitive data.

"Personal data" is defined in Section 541.001(19). It refers to any information that can be tracked to a specific individual. Publicly available information or information that can’t be linked to a specific individual is not considered personal data.

"Sensitive data" is defined in Section 541.001(23). It includes personal information about the individual’s race, ethnicity, religion, sexuality, health condition, immigration status, genetic data, and precise geolocation data. Personal data of a child under 13 is also considered sensitive data.

Not all personal data is protected under the new law. Some types of consumer information is governed by other acts such as the Fair Credit Reporting Act (FCRA), Health Insurance Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act (FERPA), and Farm Credit Act.

For more information on these laws, see our Privacy and Personal Information guide.

Consumer Rights

The new law gives Texas consumers certain rights over their data, including the right to:

• know if the company is processing their personal data;
• obtain personal data about themselves in a readily usable format;
• opt out from personal data processing for the purpose of targeted ads, selling of personal data, and certain types of profiling;
• correct errors in their personal data;
• delete their personal data;
• submit data-related requests without creating an account; and
• be penalized for exercising their legal rights.

Business Requirements

Qualifying businesses must:

• provide an accessible privacy notice, including required disclosures related to use of consumer personal data per Section 541.02;
• limit collection of personal data to the purposes disclosed to the consumer;
• provide a method for consumers to submit requests related to their personal data;
• respond to consumer requests in a timely manner;
• provide justification for denial of any requests and a method of appeal;
• maintain reasonable data security practices; and
• implement other practices related to protecting consumer confidentiality.

Certain Businesses Exempt

Small businesses are generally exempt from the TDPSA. However, they must have the consumer’s consent to sell sensitive personal data. Section 541.002 clarifies that this chapter is using the Small Business Administration's (SBA) definition for what qualifies as a small business. Business size standards are summarized on the SBA’s website.

The section exempts several other types of businesses from TDPSA, including:

• state government agencies;
• nonprofit organizations;
• public and private institutions of higher education;
• financial organizations regulated by the Gramm-Leach-Bliley Act (GLB); and
• organizations regulated by the Health Insurance Portability and Accountability Act (HIPAA).

There is no restriction on individuals processing personal data for personal or household use.

Violations

Violations of TDPSA and other privacy complaints may be reported to the Texas Attorney General.

The law does not provide a method for an individual to sue a business directly for TDPSA violations. If you want to pursue legal action, a lawyer can help you determine how the law applies in a specific situation.

For information on finding an attorney, see the library's Legal Help page.