Texas TDPSA
Texas Data Privacy and Security Act
The TDPSA is Texas's comprehensive consumer privacy law, effective 1 July 2024, granting residents rights over their personal data and imposing controller and processor obligations. It requires consent before certain biometric and sensitive data is processed, and notice when sensitive or biometric data is sold. The Texas Attorney General has exclusive enforcement authority.
Who it applies to
Entities that conduct business in Texas or produce products or services consumed by Texas residents, process or sell personal data, and are not small businesses as defined by the US Small Business Administration.
Identity requirements
- Obtain consumer consent before processing sensitive data, which includes genetic and biometric data processed to uniquely identify an individual
- Provide a required notice when a business sells sensitive personal data or biometric data
- Honor consumer rights to access, correct, delete, and obtain a portable copy of personal data, and to opt out of sale, targeted advertising, and certain profiling
- Maintain a clear and accessible privacy notice describing data categories, purposes, sharing, and how to exercise rights
- Conduct and document data protection assessments for higher-risk processing such as targeted advertising, sale of data, and sensitive data
- Apply data minimization and reasonable security practices, and bind processors by contract
How it impacts identity systems
| Identity area | Impact |
|---|---|
| Customer identity & consent (CIAM) | Consent is required before processing biometric data used to identify a person, and selling biometric data triggers a mandatory consumer notice. |
| Identity verification (KYC/proofing) | Biometric identity proofing of Texas residents falls within the sensitive-data consent and assessment obligations. |
| Identity governance (IGA) | Rights to access, correct, delete, and port data require governed processes for managing consumer identity records. |
| Audit, logging & accountability | Controllers must conduct and retain data protection assessments for higher-risk and sensitive-data processing. |
Penalties
The Attorney General may seek civil penalties of up to 7,500 dollars per violation after a 30-day cure notice, plus injunctive relief and fees; there is no private right of action.
Texas TDPSA: frequently asked questions
- When did the Texas Data Privacy and Security Act take effect?
  - The TDPSA took effect on 1 July 2024, with the authorized-agent opt-out provision applying from 1 January 2025.
- How does the TDPSA handle biometric data?
  - Biometric data processed to uniquely identify an individual is sensitive data requiring consent before processing, and businesses must give notice when they sell sensitive or biometric data.
- Who enforces the TDPSA?
  - The Texas Attorney General has exclusive enforcement authority and has established a dedicated privacy enforcement team; there is no private right of action.