The Texas Data Privacy and Security Act (TDPSA) takes effect on 1 July. So far, around 20 US states have passed comprehensive privacy legislation, but only five such laws have taken effect.  

Like most other states, Texas has adopted a law similar to the Virginia Consumer Data Protection Act (VCPDA)—but the “Lone Star State” has modified Virginia’s framework in some novel and significant ways. 

The broadest application yet? 

Most US privacy laws only apply to larger businesses—sometimes targeting companies with substantial annual revenues or those that process large amounts of personal data. 

The TDPSA applies to any organisation conducting business in Texas or targeting its residents with products and services (subject to exemptions).  

But despite this broad application, the TDPSA only imposes one obligation on small businesses (defined according to the US Small Business Administration as those with 500 or fewer employees): Get consent before selling sensitive data. 

Larger businesses operating in Texas face a range of other requirements exceeding those imposed by most other states. 

The full suite of consumer privacy obligations 

When drafting a comprehensive privacy law, state lawmakers choose from an increasingly extensive menu of compliance obligations.  

Some states, notably Utah and Iowa, omit certain requirements such as requiring businesses to undertake a “data protection assessment” before certain activities. Others draft their laws with narrower definitions, or spare controllers from facilitating certain privacy rights requests. 

Texas has implemented practical privacy compliance measures currently present across other US states, including: 

  • Data protection assessments 
  • A requirement to obtain consent before processing sensitive data 
  • The full range of consumer rights, including the right to access, delete, correct, and export their personal data, and to opt out of targeted advertising, the sale of personal data, and certain profiling activities 

This means that the TDPSA sits towards the “stricter” end of the comprehensive privacy law spectrum. Many companies covered by this law will need to rethink how they do business in certain areas. 

New transparency requirements 

Just like in several other states, Texan lawmakers decided to add some novel provisions to their comprehensive privacy law that are not present elsewhere in the US. In the TDPSA’s case, these unique obligations include a requirement for certain companies to add prominent statements to their privacy notices. 

Any TDPSA-covered entity that sells sensitive data or biometric data must make this clear to the consumer via one or both of the following disclaimers: 

  • NOTICE: We may sell your sensitive personal data 
  • NOTICE: We may sell your biometric personal data 

Given the law’s broad definitions of “sensitive data” and “selling, this obligation could impact many businesses. 

Complying with the TDPSA 

In the absence of federal privacy legislation, complying with America’s patchwork of privacy laws will continue to grow more demanding and complex. Speak to HewardMills about how our US privacy experts can help your company thrive in this new landscape. 


If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at