18 Jul How to Comply with the New Texas Data Privacy & Security Act
Online data privacy and protection continue to be a hot topic, especially in Texas. That’s because the Texas Data Privacy and Security Act (TDPSA), which was originally signed into law in 2023, went into effect on July 1, 2024.
The TDPSA grants Texas residents essential rights over their personal data protection and privacy. It applies to companies that conduct business in Texas and/or produce a product or service consumed by Texas residents — and that also “collect, use, store, sell, share, analyze, or process consumers’ personal data.”*
*We at Threadgill Agency cannot provide legal recommendations when it comes to complying with the new TDPSA regulations, so we encourage you to seek direction from a legal party when identifying how your business qualifies or is exempt from TDPSA laws.
The TDPSA’s Impact on Businesses
With the TDPSA update, consumers have the right to know whether a company is processing their personal data and what that data is. They also have a right to opt out when that data is being used for sale, targeted ads, or profiling. Consumers can also correct inaccuracies or request the deletion of data.
With these consumer rights guaranteed by the new Texas data privacy law, companies must now comply with requirements that include:
- Providing a clear and accessible Privacy Notice with all required disclosures
- Providing clear and conspicuous notice if they sell sensitive or biometric data
- Disclosing if they sell sensitive personal data for targeted advertising
- Offering an opt-out mechanism for consumers as it relates to targeted advertising
- Providing a Data Protection Assessment (DPA) that documents and demonstrates that your organization has reliable methods for protecting customers' data and processes in place for consumers to submit requests to exercise their TDPSA rights.
Failure to comply may result in fines of up to $7,500 per violation should anyone submit a complaint to the state Attorney General’s office.
TDPSA Compliance from a Marketing Perspective
While there are many components to the TDPSA, the one that most directly affects digital marketing is the right of consumers to manage consent on whether they receive ‘targeted advertising’ based on their personal information. To comply with the restrictions imposed by the TDPSA while still continuing to capture valuable consumer insights, integrate your business website with a Consent Management Platform (CMP), such as Cookiebot.
A CMP is an indispensable data privacy solution that has helped achieve compliance with GDPR in the EU and CCPA in California for several years now. It is also useful for complying with the new Texas data privacy law and other states’ current or upcoming privacy and protection acts.
Essentially, a CMP adds the “this website uses cookies” banner at the bottom of your site, but it also has the critical functionality of managing the types of consent a user may want to accept or decline when visiting your website. For instance, they can provide consent for cookies that manage the website experience, but decline consent for those used for ad personalization.
Some options, like Cookiebot, also have a “manage preferences” page, allowing a user to return to the site and revoke consent — even if they previously gave it. Many CMP vendors can also be set up in a geo-targeted way based on state laws so that the settings will shift based on each state or country’s laws.
Google provides a full list of more than a dozen CMP options that are integrated with Google Tag Manager (GTM). It’s important to note that all Google-related tags (Google Ads, GA4) have default consent settings already set in the tag, but they only work if a CMP is in place.
How do I know if I am using personalized data for marketing? You should check with your agency of record to determine how data is being used today to target customers. If you are running any remarketing campaign, you likely are. However, even if no personalized campaigns are in place, if you have the Google Ads tags on the site, they may still be collecting the data regardless of how it is being used. So, implementing a CMP might be a wise investment.
What Organizations Are Exempt From Complying With TDPSA
All of this said, the TDPSA does have a pretty robust list of exemptions, and your organization may not have to worry about complying. As outlined by the TDPSA, the following entities are exempt from this policy:
- State agencies or political subdivisions of Texas
- Financial institutions subject to Title V of the Gramm-Leach-Bliley Act (GLBA)
- Covered entities or business associates governed by the privacy, security, and breach notification rules established under HIPAA
- Non-profit companies
- Institutions of higher education
- Electric utility, power generation companies, and retail electric providers
In addition, the Attorney General of Texas highlights that small businesses under 500 employees are generally exempt — except if they sell a consumer’s sensitive data. “Sensitive data” includes:
- Personal data that reveals racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexuality
- Citizenship or immigration status
- Biometric data
- Precise geolocation data
- The personal data of a child under 13
We would still recommend confirming with your organization’s attorney that you do fall within an exempt category.
Looking Beyond the Lone Star State
Texas isn’t the only state enacting new rules regarding data protection and privacy. Here’s a list of what is currently in force—or on the horizon—for companies and consumers in other states.
- Colorado Privacy Act (CPA) — currently in force
- Connecticut Data Privacy Act (CTDPA) — currently in force
- Delaware Personal Data Privacy Act (DPDPA) — effective January 1, 2025
- Florida Digital Bill of Rights (FDBR) — effective July 1, 2024
- Indiana Consumer Data Protection Act (Indiana CDPA) — effective January 1, 2026
- Iowa Consumer Data Protection Act (Iowa CDPA) — effective January 1, 2025
- Kentucky Consumer Data Protection Act (KCDPA) — effective Jan. 1, 2026
- Maryland Online Data Privacy Act (MODPA) — effective Oct. 1, 2025
- Montana Consumer Data Privacy Act (MCDPA) — effective October 1, 2024
- New Hampshire Data Privacy Law (NHDPL) — effective Jan. 1, 2025
- New Jersey Data Privacy Act (NJDPA) — effective Jan. 15, 2025
- Oregon Consumer Privacy Act (OCPA) — effective July 1, 2024
- Tennessee Information Protection Act (TIPA) — effective July 1, 2025
- Utah Consumer Privacy Act (UCPA) — currently in force
- Virginia Consumer Data Protection Act (VCDPA) — currently in force