The Texas Data Privacy and Security Act (TDPSA) is now in effect. For energy companies, industrial operators, logistics firms and construction businesses operating in Texas, this law creates new compliance obligations that many organizations are not yet prepared to meet. This guide explains what the TDPSA requires, who it applies to, and the practical steps your operation needs to take now.
What Is the Texas Data Privacy and Security Act?
The Texas Data Privacy and Security Act (TDPSA) is a comprehensive state privacy law that establishes rights for Texas consumers and obligations for businesses that process their personal data. It applies to entities that conduct business in Texas, produce products or services consumed by Texas residents, process personal data, and meet certain size or revenue thresholds.
Unlike some state privacy laws, the TDPSA has broad applicability and does not exempt small businesses based solely on employee count — which means many mid-market industrial and energy companies in Texas fall within its scope.
Who Does the TDPSA Apply To?
The TDPSA applies to businesses that: process the personal data of at least 100,000 Texas consumers per year, or process the personal data of at least 25,000 Texas consumers and derive over 25% of gross revenue from selling personal data.
For industrial operators, this scope is broader than it appears. Employee records, contractor management systems, customer portals, supplier databases, visitor management systems and operational technology platforms that collect worker data can all bring an organization within TDPSA scope.
Key Obligations for Industrial and Energy Operators
Data Processing Transparency
Organizations must provide a clear privacy notice describing what personal data is collected, how it is used, and with whom it is shared. For industrial operators, this includes data collected through operational technology systems, contractor management platforms and employee monitoring systems.
Consumer Rights Response
Texas consumers have the right to access, correct, delete and obtain a copy of their personal data, and to opt out of targeted advertising and data sales. Organizations must establish processes to respond to these requests within 45 days.
Data Protection Assessments
Companies must conduct and document data protection impact assessments for high-risk processing activities. For energy and industrial operators, activities involving geospatial data collection, biometric systems, or extensive employee monitoring likely qualify as high-risk.
Vendor and Third-Party Contracts
Data processors — including technology vendors, geospatial survey providers, cybersecurity firms and analytics platforms — must have written data processing agreements in place that specify processing purposes, data types, security measures and deletion requirements.
Penalties for Non-Compliance
The Texas Attorney General has exclusive enforcement authority over the TDPSA. Civil penalties can reach $7,500 per violation. Importantly, the TDPSA includes a 30-day cure period — organizations that receive notice of a violation have 30 days to address the issue before penalties are assessed. But once the cure period expires without remediation, penalties apply per individual violation.
A 30-Day TDPSA Compliance Readiness Checklist
- Week 1: Data inventory — identify all personal data collected, processed and stored across IT and OT systems
- Week 1: Vendor audit — review all third-party data processors and assess existing contracts for TDPSA requirements
- Week 2: Privacy notice — draft or update your public-facing privacy notice to reflect current data processing practices
- Week 2: Consumer rights procedures — establish internal processes for responding to data access, correction and deletion requests within 45 days
- Week 3: Data protection assessments — identify high-risk processing activities and document impact assessments
- Week 3: Data processor agreements — update or execute DPAs with all technology vendors and service providers
- Week 4: Security controls review — assess technical and organizational security measures for personal data environments
- Week 4: Internal training — brief relevant staff on consumer rights obligations and response procedures
How Vector Integration Systems Helps You Comply
Vector Integration Systems provides TDPSA compliance services as part of our integrated Data Privacy and Governance capability layer. Our assessment covers your full data processing environment — including OT systems, geospatial data collected through aerial and terrestrial surveys, contractor management platforms and operational technology networks.
We deliver a gap analysis, remediation roadmap, updated vendor contracts, privacy notices and internal procedures — all documented to meet the evidentiary standard the Texas Attorney General would require in an enforcement action.
Schedule a free TDPSA compliance assessment at vectorisystems.com. We respond within 1 business day and deliver your gap analysis within 10 business days — at no cost and with no commitment required.