Texas Data Privacy and Security Act and How it Affects Your Privacy Policy
Texas can require specific notice text and a visible opt out path when data sales, targeted advertising, or sensitive data are in scope.
The Texas Data Privacy and Security Act took effect on July 1, 2024. Most state privacy laws share a structure: they impose notice duties, grant consumer rights, and require an opt out. Texas, however, mandates specific notice language that few other states require.
Coverage works differently in Texas, so the first question is whether the law applies to your business at all. If it does, the statute governs the rights section, the appeal section, the targeted advertising disclosures, and the precise notice text for sales of sensitive or biometric data, so the drafting and the workflow have to advance together.
Texas law applies to anyone who does business in the state or sells to Texas residents, processes or sells personal data, and falls outside the Small Business Administration's definition of a small business. Most comprehensive laws set numeric thresholds tied to revenue or consumer counts, so a company that screened itself against California or Colorado law, for example, can misjudge the applicability of the Texas statute.
There is a small business carveout that exempts many small companies from coverage, but even small businesses that sell sensitive personal data must comply with the disclosure requirements of the statute. Rather than assuming the Texas statute doesn't apply because you meet the SBA's definition of a small business, you must first determine whether you sell sensitive personal data. If you do, the statute applies; if you don't, and you satisfy the small business definition, your business is exempt.
If the statute applies, the business must disclose the sale of sensitive personal data using statutorily prescribed language that depends on the type of data it sells or may sell. A company that sells sensitive personal data must include the sentence, "NOTICE: We may sell your sensitive personal data," while a business that sells biometric data must include the sentence, "NOTICE: We may sell your biometric personal data."
Outside those two scenarios, Texas requires the same types of disclosures as similar state statutes. Disclosures should describe the categories of personal data processed, the categories of data shared with third parties, the categories into which the third parties fall (e.g., payment processors, analytics providers, advertising partners, and hosting providers), and the method a consumer uses to exercise and appeal rights.
Key Takeaways
- The Texas Data Privacy and Security Act took effect on July 1, 2024 and can require exact notice wording, not only the compliance work behind it.
- Coverage turns on the Small Business Administration's definition of a small business, not the revenue or consumer thresholds other states use.
- A small business that sells sensitive personal data still has to comply, so confirm whether you sell sensitive data before assuming you are exempt.
- Sellers of sensitive or biometric data must reproduce the statutory notice sentence word for word, and every covered policy must describe its data, the third parties that receive it, and how a consumer exercises and appeals rights.