
Texas (TDPSA) Privacy Law Compliance

The Texas Data Privacy and Security Act (effective July 1, 2024) breaks from the Virginia template by removing the volume + revenue thresholds — instead applying to any controller doing business in Texas EXCEPT small businesses as defined by the U.S. Small Business Administration. This makes Texas one of the broadest state privacy laws by company count, particularly affecting mid-market SaaS.

Statute: Texas Data Privacy and Security Act, Tex. Bus. & Com. Code §541.001 et seq.
Effective: Jul 1, 2024 (UOOM honouring from Jan 1, 2025)
Enforcer: Texas Attorney General (exclusive)
Consumer rights: 8
Business obligations: 10
Consumer rights (8)

Right to access / know
Confirm whether personal data is processed and obtain a copy in a portable format
Right to correct
Correct inaccurate personal data
Right to delete
Request deletion of personal data the controller has collected
Right to data portability
Receive data in a portable, machine-readable format
Right to opt out of sale
Opt out of the sale of personal data to third parties
Right to opt out of targeted advertising
Opt out of cross-context behavioural advertising
Right to opt out of profiling with legal effect
Opt out of automated decisions producing legal or similarly significant effects
Right to appeal
Appeal a controller's refusal to honour a rights request (typically 45–60 days)

Business obligations (10)

Public privacy notice
Clear, accessible notice of categories collected, purposes, third parties, rights, and contact channel
Rights response within 45 days
Respond to consumer rights requests within 45 days (extendable by 45 more with notice)
Data processing agreements
Written contracts with processors restricting their processing to the controller's documented instructions
Data protection assessments
Document risk assessment for targeted advertising, sale, profiling, sensitive data processing
Honour universal opt-out signals (GPC)
Recognise the Global Privacy Control browser signal as a valid opt-out (where required)
Reasonable security practices
Administrative, technical, physical safeguards appropriate to the data's sensitivity
Data minimisation + purpose limitation
Collect only what is adequate, relevant, and reasonably necessary for the disclosed purposes
Children & teen consent
Opt-in consent before selling or sharing data of minors (age threshold varies 13–16)
Opt-in for sensitive data
Affirmative consent BEFORE processing sensitive data (applies even to SBA-small businesses)
Sensitive data warning at point of collection
Required disclosure: 'NOTICE: We may sell your sensitive personal data.' or 'NOTICE: We may sell your biometric personal data.' where applicable

Required privacy notice elements

  1. Categories of personal data processed
  2. Purpose of processing
  3. Categories shared with third parties + categories of third parties
  4. Rights enumeration with submission method + appeal process
  5. Sale + targeted advertising disclosure with opt-out
  6. REQUIRED notice text for sensitive data sale: 'NOTICE: We may sell your sensitive personal data.'
  7. REQUIRED notice text for biometric data sale: 'NOTICE: We may sell your biometric personal data.'

Penalties

Civil penalty per violation: up to $7,500 (Tex. Bus. & Com. Code §541.155)
Additional injunctive relief + attorney's fees: recoverable by the AG (§541.155)
30-day cure period: mandatory, no sunset (§541.155(b))

Common compliance pitfalls

Assuming small business = fully exempt
Even SBA-defined small businesses must obtain opt-in consent before SELLING sensitive data. The small business exemption only excuses the broader controller obligations.
Missing the literal 'NOTICE' disclosure text
Texas is the only state with prescribed disclosure text. Generic 'we sell sensitive data' wording fails — the policy must include the exact statutory language.
Not honouring GPC by January 2025
Texas joined Colorado + Connecticut requiring detection + honour of Universal Opt-Out Mechanisms (GPC) starting January 1, 2025.
Counting B2B + employee data toward 'do you process'
TDPSA fully exempts employment + B2B data. The threshold question is about processing data of consumers (individual / household).
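The GPC obligation above (recognise the Global Privacy Control signal as a valid opt-out) and the January 2025 pitfall both come down to one mechanical check on every request. The following is an added example, not code from the original page or from any named product: it recognises the `Sec-GPC` request header that the GPC specification defines (value exactly `1`; anything else is no signal) and merges it with a stored consent record so that the signal can only add opt-outs, never remove one. The request shape (a Node.js-style `headers` object with lowercase names), the purpose names, and the choice to map GPC onto both sale and targeted advertising are assumptions made for this example; the sample headers are constructed, not captured traffic. Client-side code can read the same signal via `navigator.globalPrivacyControl`.

```javascript
// Added example: server-side recognition of the Global Privacy Control (GPC)
// signal. Assumes Node.js-style request objects whose `headers` property is an
// object keyed by lowercase header name (as http.IncomingMessage provides).

// The GPC specification defines the request header `Sec-GPC` with the value "1".
// Any other value, or the header's absence, is treated as "no signal".
function hasGpcSignal(headers) {
  if (!headers || typeof headers !== 'object') return false;
  // Tolerate callers that did not lowercase header names.
  const key = Object.keys(headers).find((k) => k.toLowerCase() === 'sec-gpc');
  if (key === undefined) return false;
  const value = headers[key];
  const raw = Array.isArray(value) ? value[0] : value;
  return typeof raw === 'string' && raw.trim() === '1';
}

// Purposes a GPC signal is treated as opting out of. Mapping chosen for this
// example (assumption): sale of personal data and targeted advertising.
const GPC_COVERED_PURPOSES = Object.freeze(['sale', 'targeted_advertising']);

// Combine a stored consent record with the request's GPC signal.
// storedPrefs: { sale, targeted_advertising, profiling } booleans where true
// means the consumer has already opted out of that purpose.
// Returns a new decision object; GPC can only add opt-outs, never remove one.
function resolveOptOuts(headers, storedPrefs = {}) {
  const decision = {
    sale: Boolean(storedPrefs.sale),
    targeted_advertising: Boolean(storedPrefs.targeted_advertising),
    profiling: Boolean(storedPrefs.profiling),
    source: 'stored', // which input produced the strongest opt-out
  };
  if (hasGpcSignal(headers)) {
    for (const purpose of GPC_COVERED_PURPOSES) decision[purpose] = true;
    decision.source = 'gpc';
  }
  return decision;
}

// Gate a processing activity on the resolved decision: true means the purpose
// may proceed, false means the consumer has opted out of it.
function mayProcess(purpose, decision) {
  if (!(purpose in decision) || purpose === 'source') {
    throw new Error(`unknown purpose: ${purpose}`);
  }
  return decision[purpose] === false;
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = Object.freeze({
  gpcOn: { 'sec-gpc': '1', 'user-agent': 'example-browser' },
  gpcOff: { 'sec-gpc': '0', 'user-agent': 'example-browser' },
  noHeader: { 'user-agent': 'example-browser' },
  mixedCase: { 'Sec-GPC': '1' },
});

// Stand-alone run: a visitor with a stored profiling opt-out whose browser
// also sends GPC ends up opted out of sale, targeted advertising and profiling.
function demo() {
  const decision = resolveOptOuts(SAMPLE_REQUESTS.gpcOn, { profiling: true });
  console.log(decision);
  console.log('may serve targeted ad:', mayProcess('targeted_advertising', decision));
  return decision;
}
demo();
```

Log the `source` field alongside the decision: when the AG asks how a given request was handled after January 1, 2025, the record shows whether the opt-out came from a stored preference or from the browser signal.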

FAQ

Is there a volume threshold?
No. Texas removed the 100K consumer + revenue thresholds that Virginia/Colorado/Connecticut use. Instead, the law applies to any non-small-business controller processing personal data in Texas. This dramatically expands coverage to mid-market companies that fell below other states' thresholds.
How is 'small business' defined?
By reference to SBA size standards (13 CFR §121.201) — industry-specific by NAICS code. For most SaaS (NAICS 511210) the threshold is $47M revenue; for most consulting (NAICS 541613) it's $25M. Check 13 CFR §121.201 for your NAICS.
Does TDPSA have a private right of action?
No. Enforcement is exclusive to the Texas Attorney General. The AG has indicated active enforcement starting with privacy notice deficiencies + sale-of-sensitive-data opt-in failures.

Related state laws

California (CA): CCPA/CPRA
Virginia (VA): VCDPA
Oregon (OR): OCPA
