The Texas Data Privacy and Security Act: What Changed
The Texas Data Privacy and Security Act (TDPSA), signed into law in June 2023 and now in full enforcement in 2026, gives Texas consumers new rights over their personal data and creates new obligations for businesses that collect it. If you operate in San Antonio or anywhere in Texas and handle consumer data, this law applies to you.
Unlike the GDPR or California's CCPA, the TDPSA was designed to be business-friendly with clear thresholds. But the penalties for non-compliance are steep: up to $7,500 per violation, enforced by the Texas Attorney General.
Does This Law Apply to Your Business?
The TDPSA applies to entities that:
- Conduct business in Texas or produce products/services consumed by Texas residents
- Process or engage in the sale of personal data
- Are not a small business as defined by the SBA (note: small businesses have some exemptions but are not fully exempt)
⚠️ Important: "Small Business" Doesn't Mean Exempt
Small businesses under the SBA definition have some exceptions (e.g., consent requirements for data sales), but they must still honor consumer rights like access, deletion, and opt-out requests. Don't assume you're exempt.
Consumer Rights Under the TDPSA
Texas consumers now have the right to:
- Access: Know what personal data a business has collected about them
- Correction: Request correction of inaccurate personal data
- Deletion: Request deletion of their personal data
- Data Portability: Obtain their data in a portable, readily usable format
- Opt-Out: Opt out of data sales, targeted advertising, and profiling
Businesses must respond to consumer requests within 45 days (with a possible 45-day extension). You must also provide a clear, accessible way for consumers to submit these requests, typically a form on your website or a dedicated email address.
Compliance Checklist for San Antonio Businesses
- Update your privacy policy to disclose what data you collect, why, and with whom you share it
- Implement a data request process: create a form or email workflow for access, deletion, and opt-out requests
- Audit your data collection: map what personal data your website, CRM, and marketing tools collect
- Add consent mechanisms for data sales and targeted advertising (cookie consent banners, preference centers)
- Review vendor contracts: ensure your third-party processors have data processing agreements in place
- Implement data security measures: encryption, access controls, and breach notification procedures
- Train your team: employees handling consumer data must understand their obligations
How This Affects Your Website
Your website is often the primary point of data collection. Key changes to implement:
- Cookie consent banner: Must offer opt-out for tracking cookies used in targeted advertising
- Privacy policy: Must be updated with TDPSA-specific disclosures
- Contact forms: Must disclose how submitted data will be used
- "Do Not Sell My Data" link: Required if you share consumer data with third parties for advertising
Need Help with TDPSA Compliance?
Hatty AI helps San Antonio businesses implement privacy compliance, from website updates to data mapping and policy creation.
