Last updated: January 2025
Please note this is a highlighted overview and not a complete overview of privacy laws for this state. If you would like a complete review of this state's privacy laws or a multi-state privacy compliance cheat sheet on specific topics, please contact Vivien Peaden at vpeaden@bakerdonelson.com.
Disclaimer: These materials do not constitute legal advice and should not be substituted for the advice of legal counsel.
The Texas Data Privacy and Security Act (TXDPSA)
Effective Date: July 1, 2024
1. Applicability Thresholds:
Subject to certain entity-level and data-level exemptions, the TXDPSA applies to a person that conducts business in Texas or produces products or services targeted to residents of Texas and that meets the thresholds below:
- Processes personal data or engages in the sale of personal data; and
- Is not a small business as defined under the federal Small Business Act.
Notably, the Texas Data Privacy and Security Act (TXDPSA) does not provide for a minimum threshold of consumers' personal information a business must process or a percentage of revenue to be derived from the sale of personal data in order for the law to apply. Small businesses exempted from the TXDPSA are still prohibited from selling sensitive data without the consumers' prior consent.
2. Key Definitions:
Personal Data: Defined as "any information that is linked to or reasonably linkable to an identified or identifiable individual" and expressly includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.
Personal data excludes de-identified data and publicly available information, as specifically defined under the TXDPSA.
Sales of Personal Data: Like California, Texas has opted for a broader definition of the "sale of personal data," including both the exchange of personal data for monetary consideration and other valuable consideration by the controller to a third party (subject to some exceptions).
3. Business Obligations:
The TXDPSA imposes additional obligations on individuals or legal entities that determine the purpose and means of processing personal information (Controller):
- Data Processing Agreement (DPA): Processing activities by a supplier (known as Processor) shall be governed by a DPA between the Controller and Processor.
- Data Protection Assessment: Controllers must conduct and document a data protection assessment for certain processing activities that present a higher risk of harm to consumers.
- Privacy Notice: A Controller must provide consumers with a privacy notice. If a Controller sells sensitive personal data or biometric data, additional disclosure and posting requirements will apply.
- Universal Opt-out Mechanism: Effective January 1, 2025, Controllers must recognize a consumer's opt-out signal, including "a link to an internet website, an internet browser setting or extension, or a global setting on an electronic device, which allows the consumer to opt out of targeted advertising, sales of personal data, or profiling."
4. Consumer Rights:
Under the TXDPSA, Texas consumers have the right to:
- Confirm whether a Controller is processing their personal data and access such personal data;
- Correct inaccuracies in their personal data;
- Delete personal data provided by or obtained about the consumer;
- Obtain a copy of or summary of certain categories of personal data that the consumer previously provided to the Controller in a readily usable format only if the data is available in a digital format;
- Opt-out of targeted advertising, sales of personal data, and "profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer"; and
- Appeal the Controller's decision to refuse to take action on a request.
5. Enforcement and Penalties:
Private Right of Action: None.
Penalties: The state attorney general has sole authority to enforce the statute, with penalties of up to $7,500 per violation.
Cure Period: There is a 30-day cure period; unlike some states, this is a permanent cure period that does not have a cutoff date.