Texas Privacy Law and Its Cybersecurity Implications

Texas operates a multi-statute privacy and data security framework that imposes distinct obligations on private businesses, state agencies, and regulated industries — each carrying cybersecurity compliance requirements that intersect with but do not duplicate federal law. This page covers the structure of Texas privacy law, its mechanics, the causal drivers behind its evolution, classification boundaries across sector types, and the operational tensions practitioners encounter. The Texas Security Authority home index provides broader orientation across the full regulatory landscape covered on this domain.


Definition and scope

Texas privacy law, as it applies to cybersecurity, is anchored in two primary statutes: Texas Business & Commerce Code (B&C Code), Chapter 521 — which governs the protection and breach notification of sensitive personal information held by private-sector entities — and the Texas Data Privacy and Security Act (TDPSA), enacted by the 88th Texas Legislature in 2023 (HB 4) and effective July 1, 2024 (Texas Legislature Online, HB 4). Together, these statutes define what constitutes protected personal data, who bears custodial obligations, and what cybersecurity controls must be in place to satisfy a reasonable standard of care.

The B&C Code Chapter 521 applies to any person who conducts business in Texas and maintains sensitive personal information in the course of that business. The TDPSA applies to controllers and processors that (a) conduct business in Texas or produce products or services consumed by Texas residents, (b) process or engage in the sale of personal data, and (c) are not small businesses as defined by the U.S. Small Business Administration — or, if they are small businesses, do not sell sensitive personal data without consent. Entities subject to the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), or the Children's Online Privacy Protection Act (COPPA) retain those federal obligations, and the TDPSA does not displace them.

Scope boundary: This page addresses Texas-specific privacy statutes and their cybersecurity obligations. Federal frameworks — including HIPAA (45 CFR Parts 160 and 164), the GLBA Safeguards Rule (16 CFR Part 314), and federal agency binding operational directives issued by CISA — are outside this page's primary coverage. Multi-state data flows, international transfers, and cross-border enforcement scenarios are not fully addressed here. For the statutory and regulatory architecture in full, see Regulatory Context for Texas Cybersecurity.


Core mechanics or structure

Texas Business & Commerce Code, Chapter 521

Chapter 521 imposes two core obligations. First, businesses must implement reasonable cybersecurity procedures appropriate to the nature of the sensitive personal information they hold and the size and complexity of the business (B&C Code §521.052). The statute does not prescribe a specific framework but uses a "reasonable" standard, which courts and regulators interpret in light of industry norms and NIST guidance.

Second, upon discovering a breach of system security, a covered entity must notify affected Texas residents not later than 60 days after discovery (B&C Code §521.053). If the breach involves more than 250 Texas residents, the entity must also notify the Texas Attorney General via the OAG's electronic reporting portal.

"Sensitive personal information" under Chapter 521 includes an individual's first name or first initial and last name combined with any of the following: Social Security number, driver's license or government-issued ID number, account or credit/debit card number in combination with a password or access code, or medical or health insurance information.

Texas Data Privacy and Security Act (TDPSA)

The TDPSA creates a comprehensive consumer data rights framework modeled partly on the Virginia Consumer Data Protection Act. Controllers must:

The TDPSA is enforced exclusively by the Texas Attorney General (Texas OAG). There is no private right of action. Controllers receive a 30-day cure period before the OAG may initiate enforcement action, a provision that distinguishes Texas from several other comprehensive state privacy laws.


Causal relationships or drivers

Three structural forces drove the legislative expansion of Texas privacy obligations.

Volume of breach incidents: Texas ranked among the top 5 states by reported data breach volume in filings tracked by the Identity Theft Resource Center across multiple years. This incident density accelerated legislative attention and raised pressure on the OAG to use its Chapter 521 enforcement authority more aggressively.

Comparative state legislation: By 2023, at least 12 other states had enacted comprehensive consumer privacy statutes (California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Montana, Tennessee, Oregon, Texas, Florida — per the International Association of Privacy Professionals State Privacy Legislation Tracker). Texas legislators structured the TDPSA in direct response to this interstate competitive and compliance landscape.

Federal inaction on a national standard: The absence of a comprehensive federal consumer privacy statute has left states as the primary regulatory actors. Texas's enactment of the TDPSA reflects that gap. The Federal Trade Commission's authority under Section 5 of the FTC Act (15 U.S.C. §45) remains relevant but does not establish data-specific cybersecurity mandates equivalent to state breach notification laws.


Classification boundaries

Privacy and cybersecurity obligations under Texas law differ significantly by entity type and data category. Texas consumer data protection requirements, detailed at Texas Consumer Data Protection, distinguish the following classifications:

By entity type:
- Private businesses (non-regulated): Subject to B&C Code Chapter 521 and TDPSA if thresholds are met.
- State agencies and institutions of higher education: Governed by Texas Government Code Chapter 2054, administered by the Texas Department of Information Resources (DIR). The TDPSA expressly exempts government bodies.
- Healthcare covered entities: Governed by HIPAA; Chapter 521 applies to the extent it is not preempted, but HIPAA's preemption analysis controls most conflict scenarios.
- Financial institutions: Subject to the GLBA Safeguards Rule; TDPSA carves out GLBA-regulated institutions and the data they process under that Act.
- K–12 public schools: Governed by Texas Education Code §11.175 and the federal Family Educational Rights and Privacy Act (FERPA); TDPSA does not apply to school districts acting in a governmental capacity.

By data sensitivity tier:
- Sensitive personal information (B&C Code §521.002): Triggers breach notification at 60 days.
- Sensitive data (TDPSA §541.001): Includes racial/ethnic origin, religious beliefs, mental/physical health diagnosis, sexual orientation, immigration status, biometric identifiers, and children's data — all require opt-in consent for processing.
- General personal data (TDPSA): Subject to opt-out rights but not opt-in consent requirements.


Tradeoffs and tensions

Reasonableness standard vs. prescriptive frameworks: The "reasonable" cybersecurity standard in B&C Code §521.052 allows flexibility but creates litigation uncertainty. When the OAG or a court evaluates whether a breach resulted from inadequate security, the absence of a defined control baseline — such as NIST SP 800-53 or the NIST Cybersecurity Framework — leaves organizations without a clear safe harbor. Prescriptive standards, by contrast, can become outdated faster than threat environments evolve.

30-day cure vs. deterrence: The TDPSA's 30-day cure period was designed to reduce litigation burden on small businesses, but critics argue it reduces deterrent effect. A controller that receives an OAG cure notice, makes cosmetic changes, and then reverts to non-compliant practices faces limited incremental consequence within a single enforcement cycle.

TDPSA small business exemption: The SBA size standard exemption removes a substantial portion of Texas businesses from TDPSA coverage even if they process large volumes of personal data. This creates an asymmetry where data-intensive small businesses bear fewer obligations than large firms handling less sensitive data.

Interaction with sectoral federal law: Healthcare organizations in Texas face overlapping obligations from HIPAA, the Texas Medical Records Privacy Act (Health & Safety Code Chapter 181), and B&C Code Chapter 521. Determining which standard controls in a breach scenario — and which notification timeline applies — requires analysis that the statutes themselves do not fully resolve.


Common misconceptions

Misconception 1: The TDPSA creates a private right of action.
Correction: The TDPSA is enforced solely by the Texas Attorney General. Consumers cannot file individual lawsuits under the Act. This distinguishes Texas from California, where the California Consumer Privacy Act (CCPA) includes a limited private right of action for data breaches (Cal. Civ. Code §1798.150).

Misconception 2: HIPAA compliance satisfies Texas breach notification requirements.
Correction: HIPAA's breach notification rule (45 CFR §164.400) requires notification to affected individuals, and to HHS, within 60 days of discovery. Texas B&C Code §521.053 imposes a parallel 60-day notification requirement to affected Texas residents and (above 250 residents) to the OAG. These are independent obligations; HIPAA compliance does not extinguish the Texas statutory obligation.

Misconception 3: Government bodies are covered by the TDPSA.
Correction: The TDPSA expressly excludes "a government body as defined by Section 552.003, Government Code." State agencies, counties, municipalities, school districts, and other governmental entities are outside the TDPSA's scope. Their data protection obligations arise from Government Code Chapter 2054, DIR security standards, and applicable public records law.

Misconception 4: Only large enterprises face TDPSA compliance obligations.
Correction: The TDPSA applies to businesses that are not small businesses as defined by the SBA, or that are small businesses but sell sensitive personal data without consent. Small businesses that monetize sensitive data categories fall within the statute's reach regardless of revenue or employee count.


Checklist or steps (non-advisory)

The following sequence describes the operational elements a covered entity would address when mapping compliance with Texas privacy law to its cybersecurity program. This is a reference structure, not professional advice.

Phase 1 — Scope determination
- [ ] Identify whether the entity conducts business in Texas or serves Texas residents
- [ ] Determine annual revenue, employee count, and data processing volume relative to SBA size thresholds for TDPSA applicability
- [ ] Identify whether any sectoral exemption applies (HIPAA, GLBA, FERPA, government body)
- [ ] Confirm whether the entity is a "controller," "processor," or both under TDPSA definitions

Phase 2 — Data inventory
- [ ] Catalog categories of personal data collected, including whether sensitive data categories (biometric, health, financial, children's data) are present
- [ ] Map data flows to processors, third-party vendors, and cross-border transfers
- [ ] Identify data elements that trigger B&C Code §521 sensitive personal information classification

Phase 3 — Security program assessment
- [ ] Evaluate whether current administrative, technical, and physical safeguards meet a "reasonable" standard relative to data volume and sensitivity
- [ ] Compare existing controls against the NIST Cybersecurity Framework (NIST CSF 2.0) as a recognized benchmark
- [ ] Assess incident detection and response capabilities against the 60-day notification window

Phase 4 — Contractual and documentation alignment
- [ ] Establish data processing agreements with processors that include security obligation pass-throughs
- [ ] Complete and document required data protection assessments for high-risk processing activities under TDPSA §541.105
- [ ] Develop or update the public-facing privacy notice

Phase 5 — Incident response readiness
- [ ] Establish a breach determination protocol that identifies the threshold between a "security incident" and a "breach of system security" under B&C Code §521.002
- [ ] Assign ownership of OAG notification filings and verify access to the OAG breach reporting portal
- [ ] Test incident response procedures against a tabletop scenario at minimum annually


Reference table or matrix

| Statute / Framework | Covered Entities | Data Category | Notification Trigger | Timeline | Enforcer |
|---|---|---|---|---|---|
| B&C Code §521 | Private businesses in Texas | Sensitive personal information (SSN, financial account, health data) | Breach of system security | 60 days from discovery (§521.053) | Texas Attorney General |
| TDPSA (HB 4, 2023) | Controllers/processors serving TX residents; non-govt; meets size thresholds | Personal data and sensitive data categories | Consumer rights violations; inadequate security | 30-day cure period before enforcement | Texas Attorney General |
| TX Health & Safety Code Ch. 181 | Healthcare providers, payers, and their contractors | Protected health information | Unauthorized disclosure | Aligned with HIPAA (60 days) | Texas HHS; OAG |
| TX Gov't Code Ch. 2054 | State agencies, institutions of higher education | Agency data systems | Cybersecurity incident | 48 hours to DIR (§2054.1125) | DIR; State Auditor's Office |
| HIPAA (federal) | Covered entities and business associates | Protected health information | Breach of unsecured PHI | 60 days to HHS; immediate individual notice | HHS Office for Civil Rights |
| GLBA Safeguards Rule | Financial institutions | Customer financial data | Breach of security | Notify FTC within 30 days of discovery (16 CFR §314.15) | FTC |

For sector-specific treatment of how these frameworks apply to public agencies, see Texas Cybersecurity for State Agencies and Texas Department of Information Resources Cybersecurity. The interaction between these statutes and incident response obligations is covered in Texas Cybersecurity Incident Response.

