Texas Data Privacy and Security Act (TDPSA)

Overview

The Texas Data Privacy and Security Act (TDPSA), codified as Tex. Bus. & Com. Code §541.001 through §541.203, was signed into law on June 18, 2023 (HB 4), and became effective July 1, 2024. Texas is the largest state by population to enact comprehensive consumer privacy legislation and is notable for having no revenue threshold for applicability — the TDPSA applies to any person that conducts business in Texas or produces products or services consumed by Texas residents, regardless of company size.

The TDPSA also interacts with the existing Texas Capture or Use of Biometric Identifier Act (CUBI), Tex. Bus. & Com. Code §503.001, which provides separate biometric data protections.

Applicability (§541.002)

The TDPSA applies to a person that:

1. Conducts business in Texas or produces a product or service consumed by Texas residents
2. Processes or engages in the sale of personal data
3. Is not a small business as defined by the U.S. Small Business Administration (SBA)

Key feature: No revenue or consumer count threshold. Unlike California ($25M revenue), Virginia (100,000 consumers), or Colorado (100,000 consumers), the TDPSA applies broadly to any non-small business processing personal data of Texas residents.

Small business exemption: Small businesses as defined by SBA size standards are exempt from most provisions but are NOT exempt from the prohibition on selling sensitive data without consent (§541.107(b)).