Don’t Mess with Texans’ Data: The New Law Putting Consumers First

In Texas, consumer protection isn’t just a promise—it’s a priority backed by law. The Texas Data Privacy and Security Act (TDPSA) dramatically shifts how businesses must handle personal information, requiring explicit transparency about what data is collected, why it’s collected, and exactly how it’s used and shared. With tough enforcement, significant fines, and a clear consumer-first approach, the TDPSA sends a message to every business operating in Texas: Mishandling Texans’ data isn’t just bad business—it’s now against the law.

What is TDPSA Compliance, and Does It Apply to Your Business?

The Texas Data Privacy and Security Act (TDPSA) (H.B. No. 4) is a state law that regulates how businesses collect, use, share, and process personal data belonging to Texas consumers. It requires clear, accessible privacy notices explaining what personal data is collected, how it is used, and with whom it is shared or sold. It also gives consumers enforceable rights to access, correct, delete, and restrict the use of their personal information—including the right to opt out of data sales, targeted advertising, and profiling.

Signed into law on June 18, 2023, the TDPSA took effect July 1, 2024, with a mandatory universal opt‑out mechanism required by January 1, 2025. Non‑compliance carries civil penalties of up to $7,500 per violation, enforced exclusively by the Texas Attorney General. For businesses handling consumer data, every disclosure, omission, or misstep could carry a financial cost—and regulatory exposure that multiplies fast.

Applicability: Who Must Comply?

Unlike other state regulations, the TDPSA doesn’t have a minimum revenue threshold. This means businesses of any size can fall under its jurisdiction based solely on how much consumer data they handle.

In practice, virtually all businesses, including small or medium-sized businesses, must assume full compliance obligations if they:

  • Operate in Texas or offer products or services consumed by Texas residents—regardless of the company’s physical location or size.
  • Receive, collect, process, or engage in the sale of personal data.
  • Engage in online operations, including websites, social media platforms, Customer Relationship Management (CRM) systems, email marketing tools, payment processors, and analytics platforms, or any third-party platform that involves the collection, use, or sharing of personal data.
  • Share, sell, transfer, or receive personal data for monetary or other valuable consideration (such as marketing partnerships or ad networks), with affiliates or third-party service providers.
  • Engage in any form of advertising, analytics, or marketing partnerships that involve sharing, transferring, or selling personal information.
  • Maintain online operations or digital services involving cookies, tracking pixels, IP address collection, device identifiers, or customer data analysis.
  • Collect or maintain any sensitive personal data, particularly information related to children, health, biometric identifiers, or precise geolocation.

Practically speaking, if your business has any form of digital or physical presence that touches consumer data—whether via websites, social media, apps, email marketing tools, customer relationship management (CRM) systems, advertising networks, analytics platforms, or third-party integrations—the TDPSA applies directly to you.

Even small businesses and sole proprietors, who may initially assume exemption based on their size, often face full compliance requirements. While the law provides limited carve-outs, these apply only in very narrow circumstances and rarely relieve businesses from the Act’s core duties.

Essential Compliance Requirements

By January 1, 2025, businesses must provide an accessible universal opt-out mechanism, such as a clear online “Do Not Sell or Share My Data” tool.

Under TDPSA, covered businesses must:

1. Clearly Inform Consumers: Provide clear, accessible privacy notices detailing all data collection activities, purposes, third-party sharing or sales, and instructions for consumers to exercise their privacy rights (§541.102). The notice must explain:

  • What categories of personal data are collected (including sensitive data),
  • The purposes behind collecting and processing data,
  • Third-party sharing or sales activities, and
  • How consumers can exercise their data rights and appeal business decisions related to their requests.

2. Notice and Consent

Businesses must secure consumer consent for processing or selling sensitive personal data and adhere to data minimization principles, collecting only data adequate and relevant for stated purposes (§541.101). Consumers must give informed consent before processing of sensitive data, such as biometric information, health records, minors’ information, and precise geolocation data. Businesses must also enable consumers to:

  • Access personal data held about them,
  • Correct inaccuracies,
  • Delete their data upon request,
  • Obtain their data in a portable format (if digitally available), and
  • Opt out of data sales, targeted advertising, and profiling.

3. Adopt Transparent Opt-Out Mechanisms: By January 1, 2025, businesses must offer consumers a clear, universal method to opt out of data sales, targeted ads, and profiling.

4. Limit Data Collection and Use

Under the TDPSA, businesses are required to:

  • Collect only the data necessary, relevant, and adequate for clearly disclosed purposes—and nothing more.
  • Obtain additional explicit consent if data collected for one purpose will be used for another.

5. Secure Consumer Data

The TDPSA requires implementation of reasonable security measures, including:

  • Reasonable administrative, technical, and physical data security measures, calibrated to the sensitivity and volume of personal data managed.
  • Detailed record-keeping that documents all protective measures and practices implemented.

6. Data Protection Assessments (DPAs)

If your business engages in high-risk data practices—such as targeted advertising, selling personal data, or consumer profiling—you must regularly conduct and document formal Data Protection Assessments (DPAs). These assessments must clearly outline potential privacy risks and steps taken to mitigate them.

7. Respond to consumer rights requests within 45 days, with one allowable 45-day extension for complexity, provided notice is given (§541.052(b)). Denial of requests mandates written justification and clear instructions for appeal (§541.052(c)-(d)).

Consumer Rights under TDPSA

Compliance involves several critical areas, all rigorously enforced by Texas regulators. Under TDPSA, consumers have the following rights:

  • Right to Know & Access: Confirm whether a controller is processing their personal data and access that data (§541.051(b)(1)).
  • Right to Correct: Demand correction of inaccuracies in their data (§541.051(b)(2)).
  • Right to Delete: Request deletion of their personal data (§541.051(b)(3)).
  • Right to Portability: Obtain a portable copy of their personal data in a digital, usable format (§541.051(b)(4)).
  • Right to Opt Out (§541.051(b)(5)) of:
      • The sale of personal data
      • Targeted advertising
      • Certain profiling activities
  • Right to Appeal: Appeal controller decisions that deny consumer requests (§541.051 through §541.053).

Controllers must respond to consumer rights requests (such as data access, correction, deletion, portability, or opting out) within 45 days, extendable by an additional 45 days only if complexity warrants (§541.052).

Businesses must inform consumers how to exercise these rights and must not discriminate against consumers for exercising their rights (§541.101(b)(3)).

Prohibited Practices

The TDPSA prohibits several practices, including:

  • Requiring consumer account creation for rights exercise requests (§541.055(b)).
  • Discrimination against consumers exercising statutory rights, except under explicitly defined loyalty or rewards programs (§541.101(b)(3)).
  • Processing sensitive data or known child data without explicit consent or verifiable parental consent, respectively (§541.101(b)(4)).
  • Processing personal data for purposes incompatible with disclosed purposes without consumer consent (§541.101(b)(1)).
  • Using dark patterns or ambiguous consent methods, such as hovering or pausing over content (§ 541.001(6)).

Strict Consent and Anti-Discrimination Measures

The TDPSA expressly prohibits businesses from discriminating against consumers who exercise their data privacy rights. Any differential pricing, denial of goods or services, or reduction in service quality based on consumers asserting their privacy rights is illegal, except under narrowly defined loyalty or discount programs clearly disclosed to consumers.

Clear and Transparent Privacy Notices Required

Transparency is non-negotiable under TDPSA. Businesses acting as controllers (entities determining data processing purposes) must deliver concise, easily accessible privacy notices detailing:

  • The categories of personal and sensitive data processed.
  • Specific purposes of data processing.
  • Categories of third-party recipients, if applicable.
  • Clear instructions on how consumers can exercise their rights and appeal any company decision.
  • Special disclosure statements if sensitive or biometric data is sold.

Companies engaging in targeted advertising or selling data to third parties must provide conspicuous opt-out methods directly within these privacy notices.

Enforcement, Penalties, and Cure Period

TDPSA enforcement is serious business—and the Attorney General has the exclusive authority to enforce it (§ 541.151). Here’s what that means practically:

  • Before initiating formal action, the AG must provide a 30-day written notice, clearly detailing violations. Businesses can cure violations within this period by documenting corrections and updated compliance practices (§ 541.154).
  • Civil penalties can reach $7,500 per violation, with each affected consumer or data set potentially constituting a separate violation (§ 541.155).
  • Enforcement actions can also include injunctive relief, attorney’s fees, and investigation costs recoverable by the AG (§ 541.155).
  • TDPSA does not permit private rights of action (§ 541.156).

Identifying Noncompliance:

The Attorney General identifies noncompliant businesses through:

  • Consumer-submitted complaints via an online mechanism established by the Attorney General;
  • Investigations initiated based on “reasonable cause” to suspect violations;
  • Issuance of civil investigative demands (similar to subpoenas) to request relevant compliance documents, including mandatory Data Protection Assessments.

Cure Period and Enforcement Actions:

Before pursuing enforcement action, the Attorney General must issue written notice to the noncompliant entity, specifying alleged violations. Businesses then have a 30-day period to cure identified violations. To properly “cure,” businesses must:

  • Address the violation comprehensively;
  • Notify affected consumers, if applicable;
  • Provide the Attorney General with documented evidence demonstrating compliance corrections and modifications to internal policies preventing future breaches.

If a violation persists after the cure period, or if the entity breaches assurances provided to the Attorney General, enforcement actions may be initiated.

Penalties and Consequences of Non-Compliance

Entities failing to comply after the allotted cure period, or violating assurances given to the Attorney General, face:

  • Civil penalties of up to $7,500 per violation;
  • Potential injunctive relief preventing further noncompliant behavior;
  • Liability for attorney’s fees and associated investigation and litigation expenses incurred by the Attorney General.

Given these severe penalties, TDPSA enforcement actions could be financially devastating and even pose existential threats for businesses—particularly for those with repeated or systemic non-compliance.
Example (typical small business scenario):

A small Texas-based retailer uses a third-party CRM to store customer email addresses and purchase histories, advertises via targeted ads on Facebook or Instagram, and uses Google Analytics on its website. Even if it never directly “sells” this data, it must still comply with TDPSA. Why?

  • The CRM provider is a data processor handling personal information, requiring contractual safeguards per TDPSA.
  • Targeted ads via Facebook/Instagram meet TDPSA’s definition of data processing for targeted advertising, triggering required consumer disclosures and opt-out rights.
  • Google Analytics’ use of cookies and tracking constitutes a data-processing activity regulated explicitly under TDPSA, demanding privacy notices and opt-out mechanisms.

Therefore, small businesses are almost always subject to TDPSA’s stringent data protection and compliance requirements due to common tools, integrations, and modern digital business practices.

Third-Party Exposures and Shared Compliance Risks

The TDPSA explicitly acknowledges affiliate and third-party risks. Businesses that engage with third-party services, affiliates, vendors, or partners must ensure their contractual agreements reflect clear TDPSA compliance obligations. Failure of a processor or third party can expose the primary business to significant legal and financial liability if the controller knew or should have reasonably known about potential non-compliance (§541.203).

Businesses must therefore:

  • Conduct regular due diligence reviews of third-party data handlers.
  • Maintain TDPSA-compliant contractual terms in all third-party agreements.
  • Actively monitor third-party compliance and promptly address any violations or breaches.

Critical Reminder for Small Businesses

Given the TDPSA’s broad conditions, small businesses that believe they may qualify for exemption are strongly advised to directly consult with the Texas Attorney General’s Office to confirm their compliance obligations. Virtually any online presence, customer management software usage, or sharing consumer data with third parties likely triggers full compliance obligations. Misinterpretation of the law’s scope can lead to severe regulatory penalties.

Conclusion: Immediate Compliance Action is Required

The passage of TDPSA represents a profound recalibration of business obligations toward consumer data protection in Texas. It mandates that businesses rethink their data practices, placing transparency, consumer control, and robust security at the forefront. With stringent oversight from the Attorney General’s office, Texans can look forward to greater empowerment and stronger assurances that their data will no longer be mishandled, commodified, or processed without clear consent.

To avoid regulatory actions, businesses must immediately evaluate their data practices, update privacy disclosures, ensure consumer rights mechanisms are operational, and verify third-party compliance. Compliance is no longer a best practice—it’s Texas law.

Businesses that prioritize compliance will not only protect their customers—they’ll protect their bottom line and reputation as well.

ComplyTexas