Texas Privacy and Security Act: Key Points

And Then There Were Ten

The Texas Data Privacy and Security Act (HB4) was approved by the Texas Senate on May 10, 2023. Greg Abbott, the governor of Texas, will now receive the bill and sign the TDPSA. Once signed, Texas will be the tenth state to pass comprehensive privacy legislation.

The TDPSA is modeled after the Virginia Consumer Data Protection Act, although it has several original aspects. Most notable is its unique approach to the applicability of the law. Texas bases the definition of eligibility on whether the company is or is not a small business as defined by the U.S. Small Business Administration. This stands in contrast to the threshold for eligibility based on the number of consumers a company has, as we have seen in previous state privacy bills.

Consumer’s rights under the bill include the right to view, update, delete, and request a copy of their information. Additionally, the bill sets requirements for companies in the areas of accountability, transparency, and data protection. 

The Texas privacy act straddles party lines and enjoyed strong bipartisan support as it made its way through Texas’s Republican majority legislative bodies. Lawmakers tried staying away from political issues and instead focused on sound data governance and protecting consumer rights.

Texas Privacy and Security Act: Key Points

History of the TDSPA

The Lone Star state has been working on privacy laws for years, and efforts gained traction as people and stakeholders started to understand more about what was being done with their data and activity online. Privacy become a priority for Texans and the Texas privacy protection act was crafted to protect this important right.

Giovanni Capriglione, the primary author of the Texas Data Privacy law, related an all-too-familiar anecdote on a podcast episode called Data Privacy Unlocked with Husch Blackwell’s David Stauss. He described how his teenage daughter came to him a few years ago and said that she needs a copy of her birth certificate for an “innocent” astrology app that she was engaging with. That was the “ah moment” that led to the beginning of his efforts in pushing for privacy law. 

In 2019, he filed a bill, but there were too many stakeholders involved, and it hit a dead end. Instead, a consul was developed to create a study that would report to the legislative committee. In the 2021 post-covid session, the bill still didn’t have enough traction. 

Over the last couple of years, news of the powerful overreach of tech companies into personal data coupled with the reality setting that the Feds are not likely going to be able to put a federal privacy law into effect any time soon, put Texas into a better position to pass privacy legislation. In addition, now that there were other states to refer to, it has been easier for Texas to see what works and doesn’t, and craft the bill with the advantage of hindsight.

Still, there were challenges. Capriglione explains that 165 stakeholders representing different constituencies were involved in drafting the bill. Each had different needs and views. “It was like a game of Jenga”, he said, to get to a point where the Texas privacy data law was reconciled.

Representative Capriglione submitted the legislation on February 3, 2023, and on March 28, 2023, the Business & Industry Committee approved it.  The bill (originally filed as HB 1844) was given a new number, HB4 when the Texas Speaker of the House designated it as a priority. The prioritization demonstrated the rising, bipartisan need for data privacy among Texans.

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days

Learn more about how to be compliant with Texas Privacy and Security Act

Key Takeaways

Controller Obligations

Businesses must conduct data protection assessments for high-risk processing activities, obtain opt-in consent for processing sensitive data, and refrain from selling personal data or using it for targeted advertising without consent. 

The bill also outlines requirements for third-party data sharing and contractual obligations. 


The Virginia bill proposes a 100,000 threshold, while the Texas bill’s threshold is based on the definition of small business, which is defined by revenue. There are steep compliance costs to aligning with a new law, and stakeholders wanted to make sure that small businesses would not have too much of a burden. Additionally, Texan lawmakers opined that revenue is a straightforward number, easily found on a tax return. The number of consumers, on the other hand, is a more arbitrary number, introduces too many loopholes, and is hard to track and enforce.

However, a small business that sells Texas residents’ sensitive personal data will be required to obtain the data subject’s consent before the sale.

Definition of Consent

Under the bill, “consent,” when referring to a consumer, means a “clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. The term includes a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.”

The definition of “consent” does not extend to:

  1. acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information;
  2. hovering over, muting, pausing, or closing a given piece of content; or
  3. An agreement obtained through the use of dark patterns

Pseudonymous Data

Pseudonymous data is data that in its current form is not identifiable, but when overlaid with other information, it becomes personal data.

Pseudonymous data is included in the definition of “personal information” only when the data is used by a controller or a processor layered with additional information that reasonably links the data to an identifiable individual.

Sale of Personal Data  

The measure expands the VCDPA’s definition of “sale of personal data,” adding a reference to “other valuable consideration” to cover trade-off agreements without a clear financial exchange.


Texas is the latest among many states that have successfully passed a comprehensive data privacy law.  As of this writing, California, Colorado, Connecticut, Virginia, Utah, and most recently Iowa, Indiana, Tennessee, and Montana have passed comprehensive data privacy laws on the state level. 

Stay with Centraleyes as we continue to monitor the developments of state privacy bills and provide updates as they progress. 

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days

Does your company need to be compliant with Texas Privacy and Security Act?
Skip to content