Educational Information Only
This page provides general educational information about cybersecurity laws and regulations. It does not constitute legal advice, legal interpretation, or a substitute for professional legal counsel. Laws change frequently. Always consult a qualified attorney and verify current requirements directly from official government sources before making compliance decisions. DecipherU is not a law firm and does not provide legal services.
Texas Data Privacy and Security Act
The Texas Data Privacy and Security Act (TDPSA) was enacted as House Bill 4 in the 88th Regular Session of the Texas Legislature and took effect on July 1, 2024. It is codified at Texas Business and Commerce Code Chapter 541. The statute is the seventh state consumer privacy law in the United States and the second largest by state population after California. Texas Attorney General Ken Paxton has exclusive enforcement authority under Section 541.155 and has stood up a dedicated Data Privacy and Security Initiative inside the Consumer Protection Division.

The statute is unusual because it does not use a numeric threshold based on revenue or consumer count to define who is covered. Under Section 541.002, the TDPSA applies to a person who conducts business in Texas or produces a product or service consumed by Texas residents, processes or engages in the sale of personal data, and is not a small business as defined by the United States Small Business Administration. That structure pulls in vendors, processors, and out-of-state companies that touch Texas resident data, even when the company has no physical presence in Texas. The small business carve-out is narrow because Section 541.107 still requires those entities to obtain consent before selling sensitive data.

The consumer rights model tracks the Virginia Consumer Data Protection Act. Texas residents have rights to confirm, access, correct, delete, obtain a portable copy, and opt out of sale, targeted advertising, and profiling for decisions that produce legal or similarly significant effects. Texas added a notable wrinkle in Section 541.052: any controller that sells sensitive personal data must post a specific consumer notice that says, in those words, 'NOTICE: We may sell your sensitive personal data.' Controllers selling biometric data must post a parallel notice.

Sensitive data under Section 541.001 includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data processed to uniquely identify a person, precise geolocation, and data of a known child. Processing any sensitive category requires opt-in consent. The statute also requires data protection assessments under Section 541.105 for targeted advertising, sale of personal data, profiling that creates a heightened risk of harm, and any processing of sensitive data.

Violations carry civil penalties up to $7,500 per violation under Section 541.155. The Attorney General must provide a 30-day cure notice before filing suit, and the cure period has no sunset, unlike the Connecticut Data Privacy Act. Texas filed its first public TDPSA enforcement action in 2025 against Allstate's data broker subsidiary Arity for selling driver location data without disclosure. The case signals that Texas will read 'sale' and 'sensitive data' broadly.

The TDPSA's no-threshold design changes the compliance posture for mid-market companies. A 50-person SaaS company that previously sat below the California and Virginia thresholds may still owe a privacy notice, consent flows, data subject request handling, vendor data processing agreements, and a data protection assessment program if it touches Texas customer data. That makes the TDPSA the practical floor for any company selling into the United States.
Quick Reference
Key Requirements
Tex. Bus. & Com. Code § 541.002 (Scope)
Determine TDPSA applicability by checking three conditions: business activity tied to Texas residents, processing or sale of personal data, and SBA non-small-business status. Maintain a written scoping memo refreshed annually.
Tex. Bus. & Com. Code § 541.051 (Data minimization)
Limit personal data collection to what is adequate, relevant, and reasonably necessary for the disclosed purpose. Map each collected field to a stated purpose in the privacy notice.
Tex. Bus. & Com. Code § 541.052 (Privacy notice)
Publish a privacy notice that lists categories of personal data processed, processing purposes, categories shared with third parties, consumer rights, and the appeal process. Include the verbatim sale-of-sensitive-data notice when applicable.
Tex. Bus. & Com. Code § 541.101 (Consumer rights)
Build intake and fulfillment for the right to confirm processing, access, correct, delete, obtain a portable copy, and opt out of sale, targeted advertising, and profiling. Respond within 45 days, extendable by 45 days with notice.
Tex. Bus. & Com. Code § 541.054 (Appeals)
Provide an internal appeal process for denied consumer requests. Respond to appeals within 60 days and tell the consumer how to file a complaint with the Texas Attorney General.
Tex. Bus. & Com. Code § 541.107 (Sensitive data consent)
Obtain opt-in consent before processing sensitive data, including biometric, health, precise geolocation, sexual orientation, citizenship status, and data of known children. Document the consent record for each consumer.
Tex. Bus. & Com. Code § 541.105 (Data protection assessments)
Conduct a written data protection assessment for targeted advertising, sale of personal data, profiling with heightened risk, and sensitive data processing. Make the assessment available to the Attorney General on request.
Tex. Bus. & Com. Code § 541.104 (Processor contracts)
Execute a written contract with every processor that specifies processing instructions, confidentiality, deletion or return at end of services, audit rights, sub-processor approval, and assistance with consumer requests.
Tex. Bus. & Com. Code § 541.108 (Universal opt-out)
Recognize a universal opt-out mechanism such as Global Privacy Control by January 1, 2025 for sale and targeted advertising opt-outs.
Tex. Bus. & Com. Code § 541.102 (Security)
Establish, implement, and maintain reasonable administrative, technical, and physical security practices that protect the confidentiality, integrity, and accessibility of personal data, appropriate to the volume and nature of the data.
Tex. Bus. & Com. Code § 541.106 (Non-discrimination)
Do not discriminate against consumers who exercise privacy rights by denying goods or services, charging different prices, or providing a different level of quality.
Tex. Bus. & Com. Code § 541.001 (Biometric notice)
Post the verbatim biometric sale notice when a controller sells biometric data. Coordinate this disclosure with the separate Texas Capture or Use of Biometric Identifier Act (CUBI) under Bus. & Com. Code § 503.001.
Tex. Bus. & Com. Code § 541.155 (Enforcement readiness)
Track Texas Attorney General enforcement letters and public actions. Maintain a 30-day cure playbook with named owners for legal, security, and product so the company can respond inside the statutory window.
How Does TDPSA Affect Cybersecurity Careers?
The TDPSA pulls mid-market and even smaller companies into a state privacy program for the first time because the statute uses no revenue or consumer-count threshold. GRC analysts at companies that previously sat under California and Virginia thresholds now own scoping memos, privacy notices, data subject request workflows, vendor inventories, and Texas-specific sensitive-data consent flows. Privacy engineers build the consent capture, the universal opt-out signal handling, and the data subject request portal.

Compared to California's CCPA/CPRA, Texas has no California Privacy Protection Agency analog, so all enforcement risk concentrates at the Office of the Attorney General, which makes attorney-general relationship management part of the senior privacy role. Compared to GDPR, Texas is narrower (no lawful basis taxonomy, no DPO mandate, smaller consumer rights set) but applies to more domestic vendors because of the no-threshold design. Compared to NIST CSF 2.0, the TDPSA is enforceable and prescriptive on rights and disclosures while NIST CSF 2.0 is voluntary risk guidance, so a Texas privacy program uses NIST CSF 2.0 as the security control backbone and TDPSA as the legal floor.

Career paths affected include /careers/grc-analyst and /careers/privacy-engineer. The GRC and Compliance Fundamentals course covers TDPSA scoping, data protection assessments, and Texas Attorney General enforcement readiness as part of the state privacy law module.
How Does TDPSA Affect Cybersecurity Sales?
Texas Attorney General Ken Paxton sued Arity (Allstate subsidiary) in 2025 for sale of driver location data, which signals the office reads 'sale' and 'sensitive data' broadly. That enforcement creates buyer urgency for consent management platforms, universal opt-out (Global Privacy Control) handlers, data subject request automation, vendor risk software, and data protection assessment tooling. Vendors selling into Texas-based companies should map their products to specific TDPSA sections in pre-sales collateral. Sellers in healthcare, biometrics, geolocation analytics, and ad-tech face the sharpest demand because those categories trigger sensitive-data consent and the verbatim sale notices under Section 541.052.
Read the full text of TDPSA at the official source: https://capitol.texas.gov/BillLookup/History.aspx?LegSess=88R&Bill=HB4
Frequently Asked Questions
What are the penalties for TDPSA non-compliance?
Civil penalties of up to $7,500 per violation under Section 541.155, with a 30-day cure period before suit. The Attorney General may also seek injunctive relief and recover reasonable attorney fees and investigative costs. There is no private right of action.