Texas Data Privacy and Security Act

⚠️This article has been marked as incomplete. Sourcing or verifiability needs additional work.

In particular:

needs to use Template:Cite web

A moderator needs to check the page before this notice can be removed. Visit the noticeboard or the #appeals channel in either Zulip or Discord to request removal.

More info ▼

Articles must provide verifiable, credible evidence for their claims and avoid relying on forum posts, personal blogs, or other unverifiable sources. You can help by replacing weak citations with reputable reporting, corporate communications, receipts, repair logs, or independent investigative coverage that demonstrates the systemic relevance required by the Mission statement and Moderator Guidelines.

The Texas Data Privacy and Security Act ("TDPSA") is a law in the U.S State of Texas that establishes digital privacy rights for Texas state residents and enforces these rights against any company providing services to residents, rather they reside in Texas or not. The law was signed by Governor Greg Abbott on June 18th, 2023, with the majority of the law going into effect on July 1st, 2024, and the universal opt-out mechanisms going into effect January 1st, 2025.

Rights Codified

The TDPSA codified the following privacy rights for Texas residents^[1]:

Right to Access: Individuals have the right to confirm whether a controller is processing their personal data and to access such data.

Right to Correction: Individuals may request corrections to inaccuracies in their personal data held by a controller.

Right to Deletion: Individuals have the right to request the deletion of personal data collected by or provided to a controller.

Right to Data Portability: Individuals can obtain a copy of their personal data in a readily usable and transferable format.

Right to Opt-Out: Individuals may opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling that produces significant legal effects.

Controller and Processor Obligations

The TDPSA imposes various obligations on data controllers and processors^[2] ^[3], including:

Limiting data collection to what is adequate, relevant, and reasonably necessary for processing purposes.

Implementing reasonable administrative, technical, and physical data security practices.

Providing a clear and accessible privacy notice that outlines data collection and processing practices.

Conducting and documenting data protection assessments for high-risk processing activities.

Ensuring contracts between controllers and processors include specific provisions governing personal data handling.

Enforcement

The Texas Attorney General holds exclusive enforcement authority under the TDPSA. Entities found to be in violation are subject to civil penalties of up to $7,500 per violation. Prior to enforcement, the Attorney General may grant a 30-day cure period for organizations to remedy identified violations.^[4]

References

↑ "Texas Data Privacy And Security Act | Office of the Attorney General". Office of the Attorney General. Archived from the original on 2026-04-18. Retrieved 31 Mar 2026.
↑ "FAQs for Businesses as Texas Data Privacy Law Takes Effect July 1". Fisher Phillips LLP. Archived from the original on 2026-04-25. Retrieved 31 Mar 2026.
↑ Clifford Chance overview
↑ Consumer Privacy Act TDPSA overview

[1] "Texas Data Privacy And Security Act | Office of the Attorney General". Office of the Attorney General. Archived from the original on 2026-04-18. Retrieved 31 Mar 2026.

[2] "FAQs for Businesses as Texas Data Privacy Law Takes Effect July 1". Fisher Phillips LLP. Archived from the original on 2026-04-25. Retrieved 31 Mar 2026.

[3] Clifford Chance overview

[4] Consumer Privacy Act TDPSA overview

[1]

[2]

[3]

[4]