6 Step TDPSA Compliance Requirements Checklist

By: Josh Langeland, CIPM Josh Langeland, CIPM | Updated on: June 14, 2024

Generate a Free TDPSA Privacy Policy
6-Step-TDPSA-Compliance-Requirements-Checklist-01

The Texas Data Privacy and Security Act (TDPSA) enters into force on July 1, 2024 — is your business ready?

I created this six-step TDPSA checklist to help businesses learn how to prepare for Texas’ new comprehensive data privacy law.

Table of Contents
  1. TDPSA Compliance Checklist: Step-by-Step
  2. TDPSA Requirements FAQ
  3. Summary

TDPSA Compliance Checklist: Step-by-Step

Follow these steps to simplify setting up your website for TDPSA compliance.


  Part 1: Perform a Privacy Audit

In my opinion, a privacy audit is the first step businesses should take when complying with privacy laws.

Completing a privacy audit or data inventory helps you determine all personal information you collect from users and why and how it’s used.

You’ll need to know these details to comply with any data privacy law, including the TDPSA.

Part 2: Privacy Notification Requirements

You’ll need to make a privacy policy for your website that meets all notification requirements outlined by the TDPSA, which include explaining:

  • What categories of personal data you collect, including, if necessary, any sensitive data.
  • Your purpose for processing the personal data.
  • How Texas consumers can exercise their rights and appeal decisions.
  • What categories of data you share with third parties, if any.
  • What categories of third parties you share data with, if any.
  • A description of how consumers can submit requests to exercise their rights.

In addition, if you plan to sell sensitive personal data or biometric data, a notice must also appear at the same location where you present users with your privacy policy:

  • NOTICE: We may sell your sensitive personal data.
  • NOTICE: We may sell your biometric data.

Part 3: Consumer Consent and Data Processing

Your business must provide easy ways for Texas consumers to follow through on their opt-out rights, which include:

  • Opting out of having their data processed for targeted advertising
  • Opting out of having their data sold
  • Opting out of profiling

I recommend you achieve this by adding a consent banner to your site with a preference center, allowing users to remove their consent for these different types of data processing.

The method you apply must be fair, reasonable, and compliant with the TDPSA guidelines.

Additionally, remember that Texas consumers have the right to nondiscrimination for following through on their privacy rights.

Part 4: Contractual Obligations for Sharing or Selling Personal Data

If you plan to share personal data with any third-party processors, you must make and have all involved parties sign a contract that includes the following provisions:

  • Gives the instructions for data processing, its nature, and its purpose.
  • Lists all types of data involved and getting processed and for how long.
  • Outlines the rights of each party involved in the contract and their obligations.
  • Lists the duration of the processing.
  • Requires a duty of confidentiality with respect to the personal data.
  • Requires, at the controller’s direction, to delete or return all personal data as requested at the end of the service unless retention is required by law
  • Requires the processor to cooperate with reasonable assessments by the controller to confirm compliance with the TDPSA.
  • Requires any subcontractors to sign a contract outlining these same obligations.

Part 5: Consumer Rights and Verifiable Consumer Requests

Your business must present Texas consumers with two or more ways to submit verifiable consumer requests to act on their privacy rights, which may include:

  • Posting a Data Subject Access Request (DSAR) form on your site.
  • Provisioning them with a working email address where they can submit requests.
  • Adding a consent banner with an updated cookie policy on your site.

In addition, the TDPSA requires websites to honor universal opt-out mechanisms (UOOMs) like Global Privacy Control (GPC) as a valid consumer request by January 1, 2025.

Part 6: Security Procedures and Practices

The TDPSA requires you to protect the confidentiality, integrity, and accessibility of the personal data, which includes establishing, implementing, and maintaining:

  • Administrative measures
  • Technical measures
  • Physical measures

Common security techniques I’ve seen websites use to protect personal information include:

  • Data anonymization
  • Encrypting the information
  • Limiting access to the data
  • Training any employees who have access to it

TDPSA Requirements FAQ

Below, I answer some frequently asked questions about the TDPSA.

Does the TDPSA apply to my business?

The TDPSA applies to your business if you meet the following thresholds:

  • Conduct business in Texas or target products or services in the state.
  • Process or engage in the sale of personal data.
  • Are not considered a small business as defined by the United States Small Business Administration (SBA) unless you sell sensitive personal data.

When does the TDPSA take effect?

The TDPSA takes effect on July 1, 2024.

Who will enforce the TDPSA?

The Texas Attorney General has the exclusive authority to enforce the TDPSA.

They’ll provide entities with a 30-day cure period to fix any possible violations.

What are the penalties for violating the TDPSA?

Penalties for violating the TDPSA include fines of up to $7,500 per incident, but the Attorney General may also:

  • Recover civil penalties
  • Restrain or enjoin the person from violating the TDSPA
  • Seek injunctive relief
  • Recover attorney’s fees or other reasonable expenses incurred during an investigation.

Consumers do not have a private right of action under this law.

Can Termly help with TDPSA compliance?

Termly offers a privacy policy generator and consent management platform (CMP) that can help businesses simplify their compliance with the TDPSA.

The privacy policy generator includes the necessary details to meet the notification requirements outlined by Texas’s data privacy law.

In addition, the CMP is configurable so your Texas consumers can opt out of targeted advertising, the sale of their data, and profiling.

Summary

Simplify your compliance process with the TDPSA before it enters into force by following my easy six-step checklist:

  • Perform a privacy audit so you know all the personal data your business processes.
  • Make a privacy policy that meets all notification requirements described by the law.
  • Provide your users with an easy way to follow through on their opt-out rights.
  • Present your Texas consumers with two or more ways to submit verifiable consumer requests to follow through on their privacy rights.
  • Sign legally compliant contracts that include all provisions outlined by the TDSPA.
  • Establish, implement, and maintain proper security measures to protect the data.

Take even more hassles out of privacy compliance by using resources like our privacy policy generator and CMP.

Josh Langeland, CIPM
More about the author

Written by Josh Langeland, CIPM

Hi, I’m Josh! I am a Privacy Engineer passionate about using technology to respect user privacy. I thrive at the intersection of complex technology and ever-changing privacy law. If I’m not drafting a design review or re-architecting a system, you might find me reading a biography or hiking at the closest national park. More about the author

Related Articles

Explore more resources