
Texas Data Privacy and Security Act Compliance: The Security Controls Behind the Law.

The Texas Data Privacy and Security Act (TDPSA) is the state's comprehensive consumer data privacy law. It took effect July 1, 2024, with the obligation to recognize universal opt-out preference signals taking effect January 1, 2025. The law applies to a person who conducts business in Texas or produces products or services consumed by Texas residents, processes or engages in the sale of personal data, and is not a small business as defined by the United States Small Business Administration (SBA). Unlike most state privacy laws, the TDPSA does not use numeric thresholds such as a minimum consumer count or a revenue line tied to data sales; the exemption is tied to the SBA small-business definition, which means many mid-sized Texas businesses are in scope even with modest data volumes. The law is enforced exclusively by the Texas Attorney General. There is no private right of action, enforcement carries a 30-day cure period, and civil penalties can reach USD 7,500 per violation.

The TDPSA pairs consumer rights with a clear data-security obligation: controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and sensitivity of the personal data at issue. Cyber One Solutions owns that data-security side. We build and operate the technical program the law assumes: data inventory and mapping, access control, encryption in transit and at rest, monitoring, vendor and processor security terms, and incident response. We are not a law firm and do not provide legal advice or draft your legal privacy notice. Your legal counsel handles the legal policy work, including the consumer-facing notice, consent language, and rights-request procedures, while Cyber One Solutions implements, operates, and documents the controls that make the security requirement real and the evidence ready.

What You Get
A data inventory and data map showing what personal and sensitive data you hold, where it lives, who can access it, and which processors receive it.
Reasonable administrative, technical, and physical safeguards scaled to the volume and sensitivity of the personal data you process.
Access controls enforcing least privilege, unique user identity, and multi-factor authentication on systems holding personal data.
Encryption of personal data in transit and at rest, with key management and configuration documented for review.
Processor security terms and the technical safeguards required by data processing agreements, implemented and monitored on the systems your processors touch.
Monitoring, logging, and an incident response plan that lets you detect, contain, and document a security event affecting personal data.
The Short Answer

Who must comply with the Texas Data Privacy and Security Act, and what does it require?

The Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024, applies to a person who conducts business in Texas or produces products or services consumed by Texas residents, processes or sells personal data, and is not a small business as defined by the U.S. Small Business Administration. Unlike most state privacy laws, it uses no numeric consumer-count threshold. Controllers must post a privacy notice, honor consumer rights, obtain consent for sensitive data, recognize universal opt-out signals, conduct data protection assessments, sign processor agreements, and maintain reasonable data security practices. The Texas Attorney General enforces it with a 30-day cure period and penalties up to USD 7,500 per violation. Cyber One Solutions implements and manages the security side; legal counsel handles the legal policy work.

  • Effective July 1, 2024; universal opt-out signal recognition required since January 1, 2025
  • Applies to businesses that are not SBA small businesses, with no consumer-count threshold
  • Reasonable administrative, technical, and physical data security practices
  • Consumer rights: access, correction, deletion, portability, and opt-outs
  • Enforced by the Texas Attorney General: 30-day cure, up to USD 7,500 per violation
The TDPSA Security Framework

What the Texas Data Privacy and Security Act Requires of Controllers.

The TDPSA places obligations on controllers (the businesses that determine why and how personal data is processed) and on processors (the vendors that process data on a controller's behalf). Some obligations are legal and belong to counsel; others are security obligations that Cyber One Solutions implements and operates. These are the core requirements, and the work we deliver against the security half of each one.

Reasonable Data Security Practices

Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and sensitivity of the personal data. The law sets the obligation; we translate it into concrete controls: access management, encryption, patching, monitoring, and documented procedures scaled to your data.

Data Inventory and Mapping

You cannot protect or honor rights over data you cannot locate. We build a data inventory and map of the personal and sensitive data you collect, the systems and processors that hold it, and the access paths to it, which is the foundation for both the security program and the legal team's rights-request and assessment work.

Sensitive Data Handling and Consent

The TDPSA requires consent before processing sensitive data (such as data revealing health, race, religion, citizenship, genetic or biometric data, precise geolocation, and data from a known child). Counsel owns the consent language; we implement the technical controls that segregate, restrict access to, and protect sensitive data once it is collected.

Consumer Rights Fulfillment

Consumers can access, correct, delete, and obtain a portable copy of their personal data, and opt out of targeted advertising, the sale of personal data, and certain profiling. We provide the data map, access controls, and secure retrieval and deletion mechanisms the operational rights-request workflow depends on; counsel defines the workflow and the legal response.

Universal Opt-Out and Data Protection Assessments

Controllers must honor universal opt-out preference signals (required since January 1, 2025) and conduct data protection assessments for higher-risk processing such as targeted advertising, sale of personal data, certain profiling, and sensitive-data processing. We supply the technical configuration and the security evidence the assessment documents; counsel performs the legal assessment itself.

Processor Security Terms

Controllers must bind processors through a data processing agreement, and processors must apply appropriate technical and organizational safeguards. We implement and monitor those safeguards on the systems your processors touch, help you evaluate processor security posture, and maintain the evidence that the contractual security terms are actually operating.

Why the TDPSA Applies to You

Many Texas businesses are in scope, and the security obligation is not optional.

The TDPSA reaches businesses that operate in Texas or serve Texas residents, process or sell personal data, and are not small businesses under the SBA definition. Because the law avoids the numeric consumer-count thresholds used in other states, scope turns on whether you are an SBA small business, not on how many records you hold. If you are in scope, the reasonable-security requirement is a baseline legal obligation enforced by the Texas Attorney General, and the practical work of meeting it is a security program, not a paperwork exercise.

Scope is tied to the SBA small-business definition, not a record count.

The TDPSA applies to a person who conducts business in Texas or produces products or services consumed by Texas residents, processes or engages in the sale of personal data, and is not a small business as defined by the United States Small Business Administration. This is a meaningful difference from laws in other states that exempt businesses below a fixed number of consumers or a revenue line tied to selling data.

Because the exemption uses the SBA definition rather than a numeric data threshold, a business with a relatively small volume of personal data can still be in scope if it exceeds the SBA small-business size standard for its industry. The practical effect is that many mid-sized Texas businesses are covered even though they would fall outside comparable laws elsewhere.

One narrower obligation reaches even SBA small businesses: the law prohibits a small business from selling sensitive data without the consumer's consent. Determining your status is a legal question for counsel; once status is settled, Cyber One Solutions scopes the security program to the data you actually hold.

The reasonable-security requirement is the part Cyber One Solutions owns.

The TDPSA requires controllers to establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and sensitivity of the personal data. The word reasonable is deliberately scaled: a business holding large volumes of sensitive data is expected to do more than one holding a small amount of low-sensitivity data.

Administrative practices are the policies and procedures governing who may access data, how access is granted and revoked, how the workforce is trained, and how incidents are handled. Technical practices are the controls that enforce those policies: authentication, encryption, logging, monitoring, and patching. Physical practices protect the facilities and devices where data lives.
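The sensitivity-scaled safeguard idea above, together with the data inventory (what you hold, where, who touches it) and the sensitive-data categories that need consent, can be expressed as a repeatable check rather than a spreadsheet. The following is an added illustration, not Cyber One Solutions' tooling or anything the TDPSA prescribes: the inventory records are constructed, and the control names, the volume threshold, and the rule that sensitive or high-volume stores need extra controls are assumptions chosen for the example. The law only says "reasonable" and "appropriate to the volume and sensitivity"; what counts as reasonable for you is a risk decision, so treat the rules here as a starting template to adjust.

```python
"""Sensitivity-scaled control check over a personal-data inventory.

Added example for illustration. Store records, control names and the
required-control rules are assumptions, not a statutory checklist.
"""
from dataclasses import dataclass, field

# Sensitive-data categories as the page lists them (consent required before
# processing). Category strings are an assumption used only in this example.
SENSITIVE_CATEGORIES = {
    "health", "race", "religion", "citizenship",
    "genetic", "biometric", "precise_geolocation", "known_child",
}

# Assumed control tiers: a baseline for any store of personal data, extra
# controls once the store holds sensitive data, and extra controls once the
# record volume crosses an assumed threshold.
BASELINE = {"unique_identity", "least_privilege", "tls_in_transit", "logging"}
SENSITIVE_EXTRA = {"encryption_at_rest", "mfa", "consent_record", "segregated"}
HIGH_VOLUME_THRESHOLD = 100_000  # assumption: tune to your own risk appetite
HIGH_VOLUME_EXTRA = {"encryption_at_rest", "mfa", "alerting"}


@dataclass
class DataStore:
    """One row of the data inventory: what, where, who, and which processors."""
    name: str
    owner: str                      # team accountable for the system
    categories: set[str]            # personal-data categories held
    record_count: int               # approximate volume
    controls: set[str]              # safeguards actually operating
    processors: list[str] = field(default_factory=list)
    has_dpa: bool = True            # data processing agreement in place?


def is_sensitive(store: DataStore) -> bool:
    """True if the store holds any consent-gated category."""
    return bool(store.categories & SENSITIVE_CATEGORIES)


def required_controls(store: DataStore) -> set[str]:
    """Scale the expected safeguards to sensitivity and volume."""
    required = set(BASELINE)
    if is_sensitive(store):
        required |= SENSITIVE_EXTRA
    if store.record_count >= HIGH_VOLUME_THRESHOLD:
        required |= HIGH_VOLUME_EXTRA
    return required


def findings(store: DataStore) -> list[str]:
    """List the gaps between required and operating controls for one store."""
    gaps = [f"{store.name}: missing {c}"
            for c in sorted(required_controls(store) - store.controls)]
    if store.processors and not store.has_dpa:
        gaps.append(f"{store.name}: processors {store.processors} "
                    "without a data processing agreement")
    return gaps


def sensitive_stores(inventory: list[DataStore]) -> list[str]:
    """Stores that hold sensitive data; these need counsel's consent language."""
    return [s.name for s in inventory if is_sensitive(s)]


def assess(inventory: list[DataStore]) -> dict[str, list[str]]:
    """Run the check over the whole inventory, keyed by store name."""
    return {s.name: findings(s) for s in inventory}


# Constructed sample inventory (not real systems).
INVENTORY = [
    DataStore("crm_db", "sales", {"name", "email"}, 12_000,
              BASELINE | {"encryption_at_rest"}, ["mail_vendor"], True),
    DataStore("patient_portal", "clinical", {"name", "health"}, 40_000,
              BASELINE | {"encryption_at_rest", "mfa"}),
    DataStore("analytics_lake", "marketing", {"email", "precise_geolocation"},
              250_000, {"unique_identity", "least_privilege", "tls_in_transit"},
              ["ad_platform"], False),
]

if __name__ == "__main__":
    print("sensitive stores:", sensitive_stores(INVENTORY))
    for name, gaps in assess(INVENTORY).items():
        print(name, "OK" if not gaps else "")
        for gap in gaps:
            print("  -", gap)
```

Run it against your own inventory export and the output is the gap list to close; the inventory itself, kept current, is also the artifact that answers "where is this consumer's data" when a rights request or an Attorney General inquiry arrives.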

Cyber One Solutions implements all three and documents them, so that the reasonable-security obligation is backed by evidence rather than assertion. If the Attorney General investigates, your documented controls and logs are what demonstrate that reasonable practices were in place and operating.

The Texas Attorney General enforces the TDPSA, with a cure period and per-violation penalties.

Enforcement authority rests exclusively with the Texas Attorney General. There is no private right of action, so individual consumers cannot sue under the TDPSA; the state brings any enforcement action. Before suing, the Attorney General must provide notice of an alleged violation and a 30-day period to cure it.

If a violation is not cured within that window, civil penalties can reach USD 7,500 per violation, and a single set of facts can give rise to many violations. The cure period is an opportunity, but relying on it as a strategy is risky: a controller that cannot quickly produce evidence of its security practices is poorly positioned to cure inside 30 days.

The stronger posture is a documented, operating security program that makes a violation less likely and a cure straightforward if one is alleged. That documentation (the data map, the access and encryption configuration, the monitoring logs, and the incident response plan) is exactly what Cyber One Solutions builds and maintains.

Frequently asked questions.

Are we a controller or a processor under the TDPSA, and does it change what we have to do?

A controller determines the purposes and means of processing personal data; a processor processes data on the controller's behalf. Most businesses are controllers for their own customer and employee data and may act as processors when they handle data for a client. Controllers carry the broader set of obligations, including the privacy notice, consumer-rights response, consent for sensitive data, and data protection assessments, while processors must follow the controller's instructions and apply appropriate security safeguards under a data processing agreement. Your legal status is a question for counsel; the security controls Cyber One Solutions implements support you in either role, because access control, encryption, monitoring, and incident response are expected of both.

How is the TDPSA different from other state privacy laws?

The most distinctive feature is the applicability test. Instead of exempting businesses below a numeric consumer count or a revenue-from-data threshold, the TDPSA exempts small businesses as defined by the United States Small Business Administration. That brings many mid-sized Texas businesses into scope that comparable laws elsewhere would exclude. Otherwise the TDPSA tracks the common structure of recent state privacy laws: a posted privacy notice, consumer rights of access, correction, deletion, and portability, opt-outs for targeted advertising, sale, and certain profiling, consent for sensitive data, recognition of universal opt-out signals, data protection assessments for higher-risk processing, and processor contract requirements. Cyber One Solutions focuses on the security and data-protection controls these requirements assume; counsel handles the legal interpretation and the consumer-facing language.

Common Questions

Texas Data Privacy and Security Act Compliance, Answered.

Common questions from Texas businesses on TDPSA applicability, the reasonable-security requirement, consumer rights, and the split between legal work and security work.
