What is the Texas Data Privacy and Security Act (TDPSA)?
The Texas Data Privacy and Security Act (TDPSA) is a state law enacted in 2023 to strengthen the privacy rights of Texas residents and establish clear requirements for how businesses handle personal data. It takes effect on July 1, 2024, and aligns with the growing wave of U.S. state-level privacy legislation, similar to laws in California, Virginia, and Colorado.
The TDPSA defines consumer data rights, places obligations on entities that process personal data, and introduces enforcement mechanisms through the Texas Attorney General.
Who Must Comply with TDPSA?
The TDPSA applies to any entity that conducts business in Texas or produces products or services consumed by Texas residents, and that:
- Processes or engages in the sale of personal data
- Is not a small business as defined by the U.S. Small Business Administration (unless it sells sensitive data)
Unlike some other state laws, TDPSA does not impose strict revenue or data volume thresholds, making it applicable to a broader range of organizations, especially those with an online presence or marketing footprint in Texas.
Key Consumer Rights Under TDPSA
Texas residents are granted the right to:
- Access personal data a business has collected about them
- Correct inaccuracies in their personal data
- Delete personal data collected or obtained
- Obtain a copy of their data in a portable format
- Opt out of the sale of personal data, targeted advertising, and profiling
These rights empower individuals to take control of their personal information and how it is used by businesses.
Business Obligations Under TDPSA
Organizations must:
- Limit data collection to what is necessary for disclosed purposes
- Implement reasonable data security measures
- Disclose privacy policies that explain how data is collected, used, and shared
- Honor consumer requests in a timely and verifiable manner
- Obtain consent before processing sensitive data (e.g., biometric data, health records, precise geolocation)
Additionally, data controllers must enter into contracts with data processors to ensure proper handling of personal information.
What is Considered Personal and Sensitive Data?
Under TDPSA, personal data includes any information that is linked or reasonably linkable to an identified or identifiable individual, such as:
- Name, email, IP address
- Account numbers
- Browsing behavior
- Location data
Sensitive data includes:
- Social Security numbers
- Biometric identifiers
- Health data
- Religious beliefs
- Children’s personal data
Enforcement and Penalties
The Texas Attorney General enforces the TDPSA. Violations are subject to a 30-day cure period; if noncompliance is not remedied within that period, businesses may face civil penalties of up to $7,500 per violation.
Unlike California’s CCPA/CPRA, TDPSA does not provide a private right of action — only the state can bring enforcement actions.
How Fasoo Helps Organizations Comply with TDPSA
Fasoo’s data-centric security platform enables businesses to meet TDPSA obligations by helping them:
- Discover and classify personal and sensitive data across endpoints, cloud, and unstructured data with Fasoo Data Radar (FDR)
- Encrypt and control access to regulated data using Fasoo Enterprise DRM (FED)
- Track and log all file activity to demonstrate accountability and enable breach investigations
- Block unauthorized sharing, printing, or screen capture attempts with Fasoo Smart Print (FSP) and Fasoo Smart Screen (FSS)
- Gain complete visibility across cloud and on-premises environments and manage security vulnerabilities with Fasoo DSPM
Fasoo provides the tools necessary to protect personal data by design and by default, aligning with TDPSA’s core principles of transparency, security, and consumer control.