Free online guide

Mastering TDPSA: Your definitive guide to the Texas Data Privacy and Security Act

Discover what lies ahead for your business

Access the guide now

  • By clicking 'Read now' you agree to processing of personal data according to the Privacy Policy.

Are you ready for the Texas Data Privacy and Security Act (TDPSA)? This e-book is your comprehensive guide to understanding and navigating the TDPSA, ensuring your business meets the evolving data privacy standards in the Lone Star State.

Read Online


What's included:

  • Deep dive into the TDPSA
  • Compliance strategies
  • Data subject rights
  • Business implications
  • Essential definitions and much more

Stay ahead of the curve and protect your business against data privacy challenges. Explore TDPSA compliance with expert insights and actionable advice.



In an era defined by the rapid digitization of information, data privacy and security have become paramount concerns for individuals, businesses, and governments alike. The ever-growing volume of personal and sensitive data circulating in the digital realm has necessitated the establishment of robust legal frameworks to protect this invaluable asset. In this e-book, we'll explore the Texas Data Privacy and Security Act (TDPSA) and the pivotal role it plays in safeguarding personal data within the state of Texas.

Brief overview of data privacy and security laws

Data privacy and security laws are legislative measures designed to safeguard the confidentiality, integrity, and availability of personal and sensitive information. These laws exist at various levels, including international, national, and state, and they provide a framework for how organizations collect, store, process, and share data. They dictate how businesses and institutions must handle data, ensuring that it is used responsibly and securely.

At the international level, regulations like the European Union's General Data Protection Regulation (GDPR) have set a global standard for data protection. On the national front, the United States has laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), which address data privacy and security concerns in specific sectors and regions.

Next Understanding TDPSA

Understanding TDPSA

What is the TDPSA?

The TDPSA, also known as H.B. 4, is a data privacy law that was passed by Texas legislature on May 28, 2023. This makes Texas the 11th state to enact a comprehensive consumer data privacy law, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, and Florida. The TDPSA is said to take effect on July 1st, 2024, however, the provisions on universal opt-out mechanisms come into effect six months later, on January 1st, 2025.

Importance of the TDPSA in the context of Texas

Texas, as one of the largest and most economically vibrant states in the United States, is a hub of digital activity. With countless businesses, government agencies, and individuals relying on digital systems to conduct their daily affairs, the need for robust data protection laws within the state is more pressing than ever. This is where the TDPSA steps in.

The TDPSA is a crucial piece of legislation aimed at ensuring that the personal and sensitive data of Texans is handled with the utmost care and security. It is a response to the growing threats of data breaches, identity theft, and cybercrimes that can have devastating consequences for individuals and organizations. By enforcing stringent data protection standards, the TDPSA seeks to maintain trust in digital transactions and enhance the competitiveness of Texas-based businesses in the global market.

Previous Introduction Next Key definitions under the TDPSA

Key definitions under the TDPSA

The TDPSA defines a number of key terms, including:

  • Personal data: Any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household. This includes sensitive personal data.
  • Sensitive personal data: Personal data that reveals a consumer's racial or ethnic origin, citizenship or immigration status, mental or physical health diagnosis, sexual orientation, or gender identity.
  • Biometric data: Any information produced through automated measurements of an individual's biological traits, such as fingerprints, voiceprints, eye retinas or irises, or any distinctive biological pattern or characteristic utilized for the purpose of identifying a particular person.
  • Controller: A business that determines the purposes and means of processing personal data.
  • Processor: A business that processes personal data on behalf of a controller.
  • Consent: The clear and unambiguous agreement by a data subject to the processing of their personal data for specific purposes. The TDPSA outlines requirements for obtaining and documenting consent.
  • Consumer: A person who resides in Texas and is engaged solely in activities within an individual or household context, with the exception of individuals engaged in commercial or employment-related activities.
  • Sale: The transfer of personal data to another business for monetary consideration.
  • Sharing: The disclosure of personal data to another business for a non-monetary purpose.
  • Cross-border data transfer: If an organization transfers personal data outside of Texas, the TDPSA may regulate such transfers. Understanding the rules and safeguards for cross-border data transfers is crucial for compliance.
Previous Understanding TDPSA Next Complying with the TDPSA

Complying with the TDPSA

The TDPSA has a significant reach, affecting various businesses and organizations that process personal data. Understanding whether your organization falls under the scope of the TDPSA is the first step towards being compliant. This chapter provides a comprehensive explanation of the entities and scenarios that necessitate compliance with the TDPSA.

Understanding the scope

To understand whether your business needs to comply with the TDPSA, it is essential to consider the following:

  • The types of personal data you collect and process.
  • The volume of data and the extent of processing activities.
  • Your geographical location and the location of data subjects.
  • Your annual revenue derived from data processing activities on Texas residents.

Keep in mind that the TDPSA is designed to protect the privacy rights of Texas residents, so any business or entity that handles the personal data of these residents must comply with its provisions. Compliance often involves implementing robust data protection measures, appointing a data protection officer (DPO), and ensuring transparency and accountability in data processing practices.

Who should comply with the TDPSA?

The TDPSA specifically pertains to individuals or entities who:

  • Operate within Texas or provide products or services used by Texas residents.
  • Engage in personal data processing or its sale.
  • Do not fall within the small business category as defined by the United States Small Business Administration (SBA), which means they are not independent businesses with fewer than 500 employees.

Businesses affected by the TDPSA

The TDPSA applies to a broad spectrum of entities, including but not limited to:

Texas-based businesses:

Any business or organization based in Texas that collects, processes, or stores personal data must comply with the TDPSA. This includes small businesses, large corporations, nonprofits, and government agencies.

Out-of-state businesses:

Even if your business is not physically located in Texas, you may still need to comply with the TDPSA if you collect or process the personal data of Texas residents. This extraterritorial reach ensures that businesses outside Texas cannot evade compliance simply by being located elsewhere.

Service providers:

Businesses that provide services to other organizations that deal with Texas' residents and have access to their personal data may also need to comply with certain provisions of the TDPSA.

Previous Key definitions under the TDPSA Next Exemptions


While the TDPSA imposes strict data protection requirements on businesses and organizations, it also includes certain exemptions and exceptions. These exemptions may apply to specific situations, types of data, or businesses of a certain size. Understanding these exemptions is essential for organizations seeking to determine their compliance obligations under the TDPSA.

What are the notable exemptions?

Small businesses:

The TDPSA may include exemptions for small businesses based on criteria, such as revenue, number of employees, or data processing volume, or as defined by the SBA. Small businesses that fall below these thresholds may have reduced compliance requirements or may be exempt from specific provisions of the law.


Non-profit organizations may have specific exemptions or reduced compliance requirements under the TDPSA, recognizing their distinct nature and objectives. The extent of exemptions may vary, so it's essential for non-profit organizations to assess their obligations carefully.

Certain data types:

The TDPSA may exempt specific categories of data or data processing activities. For example, certain types of publicly available information or data related to national security or law enforcement investigations may be exempt.

Healthcare providers:

Healthcare providers, including hospitals and clinics, are often subject to federal regulations like the Health Insurance Portability and Accountability Act (HIPAA). The TDPSA includes exemptions or aligns its requirements with existing federal regulations to avoid duplicative compliance efforts.

Financial institutions:

Similarly, financial institutions may have their own federal regulations, such as the GLBA. The TDPSA may provide exemptions or align its requirements with these federal laws to avoid redundancy.

Exemption assessment

To determine whether your organization qualifies for exemptions under the TDPSA, you should conduct a thorough assessment of your business operations, data processing activities, and compliance obligations. This assessment may involve:

Reviewing business metrics:

Assess your annual revenue, number of employees, and data processing volume to see if any of these fall within any exemption thresholds defined by the TDPSA.

Analyzing data types:

Identify the types of personal data you handle and determine if any categories are exempt from TDPSA requirements.

Consulting legal counsel:

Seek legal advice to ensure a thorough understanding of how the TDPSA applies to your specific circumstances. Legal experts can provide guidance on exemption criteria and compliance obligations.

Monitoring regulatory updates:

Keep abreast of any changes or updates to the TDPSA and related regulations, as exemption criteria may evolve over time.

It's important to note that even if your organization qualifies for exemptions under the TDPSA, you may still be subject to other data privacy and security regulations at the federal or international level. Compliance with these regulations should also be a priority to ensure comprehensive data protection practices.

Previous Complying with the TDPSA Next Business implications of the TDPSA

Business implications of the TDPSA

The TDPSA has significant implications for businesses operating in Texas. Compliance with the TDPSA is not just a legal requirement; it also has far-reaching business consequences. This chapter explores the practical implications that the TDPSA brings for organizations, including both challenges and opportunities.

1. Compliance costs

Complying with the TDPSA requires a financial commitment. Businesses must allocate resources for activities like data mapping, implementing security measures, conducting data protection impact assessments (DPIAs), and potentially hiring or designating a DPO. It's important to budget for compliance costs, which can vary depending on the size and complexity of the organization.

2. Data mapping and inventory

The TDPSA mandates that businesses understand what personal data they collect, process, and store. This requires thorough data mapping and inventory processes. While this can be a significant undertaking, it also provides organizations with a clearer picture of their data assets, which can lead to improved data management and efficiency.

3. Data security enhancement

To comply with the TDPSA, businesses must enhance their data security measures. This may involve implementing encryption, access controls, regular security audits, and employee training on data security practices. Strengthening data security not only helps with compliance but also reduces the risk of data breaches.

4. Reputation and trust

Demonstrating commitment to data privacy and security can enhance an organization's reputation and build trust with customers. Businesses that prioritize data protection are more likely to retain customer trust and loyalty, which can have a direct impact on brand reputation and customer retention rates.

5. Competitive advantage

Being TDPSA-compliant can provide a competitive advantage. Organizations that can assure customers of their commitment to data privacy may attract more customers concerned about their personal information's security. Compliance can also be a selling point when competing for contracts or partnerships.

6. Operational changes

To comply with the TDPSA, businesses may need to make operational changes. This could involve revising internal policies, updating contracts with third-party service providers, and implementing new data handling processes. Organizations should be prepared for these changes and allocate resources accordingly.

7. Data subject trust

The TDPSA grants certain rights to data subjects, such as the right to access their data and request its deletion. Meeting these rights effectively can foster trust with data subjects. However, it also requires businesses to establish processes for handling data subject requests promptly and efficiently.

8. International considerations

If your business operates globally or handles data from international customers, TDPSA compliance may align with or complement other privacy regulations like the GDPR. Understanding how the TDPSA relates to international regulations is crucial for organizations with a global footprint.

9. Legal consequences

Non-compliance with the TDPSA can lead to legal consequences, including fines and penalties. Businesses must be aware of the potential costs of non-compliance and the importance of maintaining a strong compliance posture.

Penalties for non-compliance

The TDPSA is not just a set of guidelines; it comes with enforceable penalties for organizations that fail to comply with its provisions. This chapter outlines the potential penalties and consequences that businesses may face in the event of non-compliance with the TDPSA.

The TDPSA is not just a set of guidelines; it comes with enforceable penalties for organizations that fail to comply with its provisions. This chapter outlines the potential penalties and consequences that businesses may face in the event of non-compliance with the TDPSA.

TDPSA compliance is not just a legal obligation but also a strategic business imperative. While it presents challenges, it also offers opportunities for businesses to enhance their data management practices, build trust with customers, and gain a competitive edge in the marketplace. Successful compliance requires a holistic approach that combines legal, technological, and operational efforts.

Previous Exemptions Next Rights of data subjects

Rights of data subjects

The TDPSA places significant emphasis on safeguarding the rights of data subjects, who are the individuals to whom personal data relates. This chapter explores the rights granted to data subjects under the TDPSA, detailing what these rights entail and how businesses and organizations must address them.

1. Right to access personal data

Data subjects have the right to request access to their personal data held by a data controller. This means they can inquire about what data is being processed, for what purposes, and obtain a copy of their data.

2. Right to rectify inaccurate data

Data subjects have the right to rectify any inaccuracies or errors in their personal data. If they believe that the information held by a data controller is incorrect, they can request corrections or updates.

3. Right to be forgotten

Also known as the right to erasure, this right allows data subjects to request the deletion of their personal data under certain circumstances. Data controllers must comply with such requests, particularly when the data is no longer necessary for its original purposes.

4. Right to data portability

The TDPSA grants data subjects the right to receive their personal data in a structured, commonly used, and machine-readable format. They can also request the transfer of their data to another data controller if technically feasible.

5. Right to object to processing

Data subjects have the right to object to the processing of their personal data for specific purposes, such as direct marketing. Data controllers must cease processing the data unless they can demonstrate legitimate grounds that override the data subject's interests.

How can consumers exercise their rights?

Consumers are entitled to exercise their rights by submitting a request to a data controller, specifying the particular consumer rights they wish to exercise. In the case of a child, a parent or legal guardian may act on behalf of the child to exercise their consumer rights related to the processing of the child's personal data.

Controller’s response to data subject rights

The data controller is obliged to fulfill a consumer's request to exercise their rights unless there are valid exemptions. The controller must respond promptly to the consumer's request, ensuring a response is provided within 45 days from the date of receiving the request. In cases where the complexity or volume of requests warrants it, the controller may extend the response period by an additional 45 days. However, this extension and the reason behind it must be communicated to the consumer within the initial 45-day period.

The controller is obligated to provide information to consumers at least twice a year without any charges. However, if a request is considered unjustified, excessive, or recurrent, the controller may impose a reasonable fee to cover administrative costs, or it may choose not to respond to the request at all. Nevertheless, it is incumbent upon the controller to demonstrate that a request is evidently unfounded, excessive, or repetitive.

If the controller is unable to verify a consumer's request using reasonable commercial efforts, it may request additional information from the consumer for authentication.

Lastly, when a controller has acquired a consumer's personal data from a source other than the consumer, compliance with the consumer's request for personal data deletion is achieved by retaining a record of the deletion request and retaining only the minimum data necessary to ensure the consumer's personal data is deleted from the controller's records, with no use of the retained data for any other purpose except for those exempted under TDPSA provisions.

Previous Business implications of the TDPSA Next Conclusion


You are now equipped with the information you need to get your business ready for compliance with the TDPSA.

Prior to July 2024, organizations subject to this recently enacted state legislation should consider taking the following steps:

  • Revise their privacy policy.
  • Incorporate opt-out choices into their cookie consent notifications.
  • Execute data protection assessments as required.
  • Adhere to contractual commitments with third-party data processors.
  • Establish a system for respecting universal opt-out requests from consumers (prior to January 1, 2025).

ManageEngine's compliance solutions

ManageEngine Log360, a comprehensive security information and event management (SIEM) solution, helps enterprises to thwart attacks, monitor security events, and comply with regulatory mandates.

The solution bundles a log management component for better visibility into network activity and an incident management module that helps quickly detect, analyze, prioritize, and resolve security incidents. Log360 features an innovative ML-driven user and entity behavior analytics (UEBA) add-on that baselines normal user behaviors and detects anomalous user activities along with a threat intelligence platform that brings in dynamic threat feeds for security monitoring.

Log360 helps ensure organizations combat and proactively mitigate internal and external security attacks with effective log management and in-depth AD auditing.

About the author

Harshni is a compliance expert, deeply fascinated by the intricacies of this rapidly evolving field. With a passion for learning and writing about new regulatory mandates that shape the cybersecurity landscape, Harshni brings fresh perspectives and valuable insights. When not delving into the world of cybersecurity, she likes singing and learning new melodies on the ukulele.

Previous Rights of data subjects

Take the lead in data protection best practices with our unified SIEM solution!

  • Get personalised demo  
  • Try Log360  
  • Get a quote