Texas Data Privacy and Security Act (TDPSA)
Texas's comprehensive privacy law, unique for having no revenue or consumer-count thresholds — it applies to any non-small-business operating in Texas — paired with aggressive enforcement by the Texas Attorney General.
Overview
The Texas Data Privacy and Security Act (TDPSA), codified at Tex. Bus. & Com. Code § 541.001 et seq. and enacted as HB 4 (2023), became effective July 1, 2024. The TDPSA is distinguished from every other state privacy law by one design choice: there are no revenue or consumer-count thresholds. The law applies to any entity that conducts business in Texas or produces products/services consumed by Texas residents and is not a "small business" as defined by the U.S. Small Business Administration.
The SBA definition varies by NAICS code but generally treats companies under roughly $7.5M–$41.5M in revenue or 500–1,500 employees, depending on sector, as small businesses. In practice, every mid-sized or larger company operating in Texas is covered.
The Texas AG has a proven track record of aggressive enforcement: a $1.4 billion settlement with Meta (2022–2024) for facial-recognition violations; a multi-state $8M Google location-tracking settlement; and active investigations across the sector. Compliance is not optional.
Exemptions cover HIPAA entities, GLBA financial institutions, non-profits, higher-ed institutions, data already regulated by FCRA/DPPA/FERPA/COPPA, employee and B2B data, and regulated electric utilities.
Consumer Rights
- Right to confirm and access personal data
- Right to correct inaccuracies
- Right to delete
- Right to data portability
- Right to opt out of sale, targeted advertising, and profiling
- Right to appeal a denial
Sensitive data (race, religion, health diagnosis, sexual orientation, citizenship, genetic/biometric identifiers, minors under 13, precise geolocation) requires opt-in consent.
Compliance Requirements
Controllers must publish privacy notices, honor GPC/UOOM (mandatory in Texas), conduct DPIAs for high-risk processing, and execute processor contracts per § 541.104. Texas additionally maintains the Capture or Use of Biometric Identifier (CUBI) Act (§ 503.001) as a parallel regime for biometric data — requiring informed consent for capture, prohibiting sale/lease/disclosure, and mandating destruction within a reasonable time. CUBI enforcement is AG-only with $25,000 per violation penalties.
Cure Period + Enforcement
The Texas AG holds exclusive enforcement. Penalties reach $7,500 per violation under TDPSA plus investigation costs, and $25,000 per violation under CUBI. The 30-day cure period remains active, but the AG's documented willingness to pursue high-profile actions means cure should not be treated as a dependable safe harbor.
How Inori Addresses This
- Notice: `src/content/legal/privacy.mdx` v1.2 covers TDPSA disclosures and third-party sharing.
- GPC (mandatory): `middleware.ts:respectGpc` honors `Sec-GPC: 1`. Texas is part of the UOOM mapping, with 12-month persistence and an `X-GPC-Honored: true` response echo.
- DSAR: `/api/dsar` serves all TDPSA rights with a 30-day SLA, inside the 45-day statutory window.
- Hard purge: 90-day cron deletes tenant data after account closure.
- Sensitive data: Not collected. Biometric identifiers under CUBI are not captured — the dual compliance posture is satisfied by abstention.
- Deferred: Automated DPIA templates and CUBI-specific biometric workflows ship when biometric features are added to the product.
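One way to implement the GPC handling described above, as an added example that is not Inori's own `middleware.ts`: the `Sec-GPC` and `X-GPC-Honored` headers and the 12-month persistence come from the page; the function names, the region codes, the cookie format and the exact mandatory-jurisdiction set are assumptions.

```typescript
// Added example, not Inori's middleware.ts: framework-agnostic GPC handling
// that a request middleware can call. Assumptions: header names are lowercase,
// `region` comes from an upstream geo-IP/account step, and persistence is a
// first-party cookie; all three are illustrative choices.

const GPC_PERSIST_SECONDS = 365 * 24 * 60 * 60; // 12-month persistence

// Jurisdictions where honoring a universal opt-out signal is mandatory.
// Illustrative subset: Texas (TDPSA) plus California, Colorado, Connecticut.
export const UOOM_MANDATORY = new Set(["US-TX", "US-CA", "US-CO", "US-CT"]);

// The GPC spec defines exactly one valid signal value: "1". Anything else
// ("0", "true", empty, absent) is not a signal and must not opt the user out.
export function parseSecGpc(value: string | undefined): boolean {
  return value !== undefined && value.trim() === "1";
}

export interface GpcDecision {
  optOut: boolean;                         // treat request as opted out
  mandatory: boolean;                      // region legally requires honoring
  responseHeaders: Record<string, string>; // headers to add to the response
  setCookie?: string;                      // persistence cookie, if refreshed
}

export function respectGpc(
  headers: Record<string, string | undefined>,
  region: string,
  persistedOptOut: boolean,
): GpcDecision {
  const signal = parseSecGpc(headers["sec-gpc"]);
  // Honor the signal everywhere; the mapping only records whether it was
  // legally mandatory, which is useful for audit logs and DPIA evidence.
  const mandatory = UOOM_MANDATORY.has(region);
  // Responses differ by Sec-GPC, so shared caches must key on it.
  const responseHeaders: Record<string, string> = { Vary: "Sec-GPC" };
  const decision: GpcDecision = {
    optOut: signal || persistedOptOut,
    mandatory,
    responseHeaders,
  };
  if (signal) {
    responseHeaders["X-GPC-Honored"] = "true";
    // Refresh the 12-month persistence so the opt-out survives sessions
    // where the browser does not send the header (e.g. a different client).
    decision.setCookie =
      `gpc_optout=1; Max-Age=${GPC_PERSIST_SECONDS}; Path=/; Secure; HttpOnly; SameSite=Lax`;
  }
  return decision;
}
```

A persisted opt-out (cookie or account flag) keeps the request opted out even when the header is absent; only an exact `Sec-GPC: 1` refreshes the cookie and triggers the echo.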
Related Concepts
See CCPA/CPRA, VCDPA, Colorado Privacy Act, and CTDPA for comparative state frameworks. GPC covers the Universal Opt-Out Mechanism. DSAR describes the request pipeline. UCPA sits at the opposite threshold extreme.