Texas Consumer Data Protection and Security Obligations
Texas Business & Commerce Code Chapter 521 and the Texas Data Privacy and Security Act establish a layered framework of obligations for businesses that collect, store, or process personal information belonging to Texas residents. This page maps the scope of those obligations, the mechanics of compliance, the scenarios where enforcement exposure arises, and the boundaries between state, federal, and sector-specific regimes. The framework is enforced primarily by the Texas Office of the Attorney General and applies to a broad range of private-sector entities operating within or affecting Texas consumers.
Definition and scope
Texas consumer data protection law operates along two parallel tracks: breach notification obligations under Texas Business & Commerce Code Chapter 521, and broader privacy rights established by the Texas Data Privacy and Security Act (TDPSA), which took effect July 1, 2024.
Chapter 521 applies to any person or organization that conducts business in Texas and owns or licenses computerized data containing sensitive personal information. "Sensitive personal information" under §521.002 includes Social Security numbers, driver's license numbers, account numbers combined with passwords, and biometric data. The statute imposes two primary obligations: reasonable security measures for stored data, and notification to affected individuals — and in qualifying cases to the Texas Attorney General — within 60 days of discovering a breach (Texas B&C Code §521.053).
The Texas Data Privacy and Security Act (H.B. 4, 88th Legislature) extends beyond breach notification to establish affirmative consumer rights: the right to access personal data, correct inaccuracies, delete data, obtain a portable copy, and opt out of targeted advertising, sale of personal data, or profiling. The TDPSA applies to controllers that process personal data of at least 100,000 Texas consumers annually, or 25,000 consumers when the controller derives revenue from selling personal data.
Entities exempt from the TDPSA include state agencies, financial institutions subject to the Gramm-Leach-Bliley Act, covered entities and business associates under HIPAA, and nonprofit organizations. Small businesses as defined by the U.S. Small Business Administration are similarly exempt from TDPSA's broadest requirements, though Chapter 521 breach notification obligations still apply to them.
Scope boundary: This page addresses obligations arising under Texas state law as they affect private-sector entities serving Texas consumers. Obligations imposed exclusively on state agencies under Texas Government Code Chapter 2054 — including DIR-mandated cybersecurity frameworks and state employee training requirements — are addressed separately at Texas Cybersecurity for State Agencies. Federal preemption scenarios, multi-state data flows, and international data transfers fall outside this page's coverage.
How it works
Compliance under the Texas consumer data protection framework proceeds through four operational phases:
- Data mapping and classification — Entities must identify what categories of personal data are collected, where they are stored, how they are processed, and with which third parties they are shared. Under the TDPSA, controllers must conduct and document data protection assessments for processing activities presenting heightened risk, including targeted advertising and sale of sensitive data.
- Implementation of reasonable security measures — Chapter 521 does not prescribe specific technical controls but sets a reasonableness standard. The NIST Cybersecurity Framework (CSF) and NIST SP 800-53 are the recognized reference architectures for demonstrating reasonable security. The broader regulatory context for Texas cybersecurity covers how these federal standards intersect with state obligations.
- Consumer rights fulfillment — Under the TDPSA, controllers must respond to authenticated consumer requests within 45 days (extendable by an additional 45 days when reasonably necessary). Controllers must provide a clear privacy notice disclosing data categories collected, purposes of processing, and how to submit rights requests. Processors — entities handling data on behalf of controllers — must execute data processing agreements specifying permissible processing activities.
- Breach detection and notification — When a breach of computerized sensitive personal information occurs, Chapter 521 requires notification to affected Texas residents as quickly as reasonably possible, not to exceed 60 days. If the breach involves 250 or more Texas residents, the Attorney General must also be notified. Notification must describe the nature of the breach, the data exposed, remedial steps taken, and contact information for the entity.
The Texas Attorney General holds exclusive enforcement authority for TDPSA violations. Before initiating suit, the OAG must provide a 30-day cure notice — a window the TDPSA preserves indefinitely, unlike comparable laws in Virginia and Colorado, which sunset their cure periods.
Common scenarios
Retail and e-commerce data collection: A Texas-based retailer collecting payment card data, email addresses, and purchase histories triggers Chapter 521 obligations for any stored sensitive data. If the retailer processes data of more than 100,000 Texas consumers annually, TDPSA controller obligations also apply, requiring a public-facing privacy notice and a consumer rights intake process.
Third-party vendor breach: When a service provider handling data on behalf of a Texas business suffers a breach, Chapter 521 places notification obligations on the business that owns or licenses the data — not only the vendor. Contracts with third-party processors should specify breach notification timelines that allow the controller to meet the 60-day statutory window. For sector-specific guidance on vendor relationships, see Texas Supply Chain Cybersecurity.
Healthcare-adjacent businesses: A wellness application collecting health metrics that does not qualify as a HIPAA covered entity or business associate falls outside HIPAA's scope but within TDPSA's definition of "sensitive data." The TDPSA classifies health information not covered by HIPAA as sensitive data requiring explicit consent before processing. This distinction matters for entities that might assume a HIPAA exemption applies when it does not.
Financial services: Banks and credit unions subject to the Gramm-Leach-Bliley Act are exempt from the TDPSA. However, fintech companies and payment processors that do not qualify as financial institutions under GLBA remain subject to both Chapter 521 and the TDPSA. The Texas Cybersecurity for Financial Institutions reference covers the GLBA boundary in detail.
Small business breach: A staffing firm with 18 employees stores applicant Social Security numbers in an unencrypted spreadsheet. A ransomware incident exposes that file. Despite being a small business exempt from TDPSA's broader obligations, the firm is subject to Chapter 521's breach notification requirements and must notify affected individuals within 60 days. Texas Cybersecurity for Small Business addresses the resource constraints specific to this scenario.
Decision boundaries
Determining which obligations apply to a given entity requires working through four classification questions:
Does Chapter 521 apply? Any entity conducting business in Texas that owns or licenses computerized data with sensitive personal information falls within scope. There are no revenue thresholds or employee count exclusions for Chapter 521. The obligation is triggered by possession of qualifying data, not by business size.
Does the TDPSA apply? The TDPSA applies when the entity (a) conducts business in Texas or produces products/services consumed by Texas residents, (b) processes personal data, and (c) meets either the 100,000-consumer threshold or the 25,000-consumer/revenue threshold. Entities below both thresholds remain subject to Chapter 521 but not the TDPSA's affirmative privacy rights framework.
Does a federal or sector exemption apply? HIPAA-covered entities, GLBA-regulated financial institutions, FERPA-covered educational records, and data processed exclusively for employment purposes under federal law carry exemptions from portions or all of the TDPSA. These exemptions are data-category-specific: an entity exempt for its HIPAA-regulated data must still comply with TDPSA for data outside HIPAA's scope.
Does a state agency exemption apply? State agencies, political subdivisions, and public higher education institutions are exempt from the TDPSA. Their obligations flow instead from Texas Government Code Chapter 2054 and the DIR cybersecurity framework. The full reference landscape for these entities is mapped at the Texas Security Authority index.
Comparing Chapter 521 and the TDPSA side by side clarifies the operational distinction: Chapter 521 is a breach-response statute — reactive in nature, triggered by an incident — while the TDPSA is a proactive governance statute requiring ongoing compliance infrastructure regardless of whether a breach has occurred. An entity can be fully compliant with Chapter 521 notification procedures while simultaneously lacking the consumer rights mechanisms, privacy notices, and data protection assessments the TDPSA mandates.
For assessments of organizational readiness, the Texas Cybersecurity Audits and Assessments reference covers the audit frameworks used to evaluate both statutory compliance and security posture. Entities evaluating insurance coverage for data liability should also review Texas Cybersecurity Insurance for the underwriting criteria tied to these obligations.
References
- Texas Business & Commerce Code, Chapter 521 — Protection of Sensitive Personal Information
- Texas Data Privacy and Security Act (H.B. 4, 88th Legislature) — Texas Legislature Online
- Texas Government Code, Chapter 2054 — Information Resources
- [Texas Office of the Attorney General — Data Security Breaches](https