Texas Data Privacy and Security Act

Texas capitol photo

The Texas Data Privacy and Security Act (TDPSA) was passed June 16, 2023 and goes into effect July 1, 2024.

This article will highlight parts of the TDPSA related to the use of personal information. This article is not legal advice. You can find the full text of the TDPSA here.

Deidentified and Pseudonymous Data

Data privacy laws, such as HIPAA, CCPA, or GDPR, contain a provision for making data available for statistical use provided the data have been deidentified or pseudonymized. But what do these terms mean?

The terms “deidentified” and “pseudonymous” are used differently by different people. Sometimes it amounts to a distinction without a difference. But the Texas legislature defined the terms as follows in TDPSA.

“Deidentified data” means data that cannot reasonably be linked to an identified or identifiable individual, or a device linked to that individual.

“Pseudonymous data” means any information that cannot be attributed to a specific individual without the use of additional information, provided that the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.

So Texas defines “deidentified” to mean the data cannot, within reason, be linked to a specific person. Pseudonymous data, however, can be linked back to a specific person, though there are “appropriate” measures to prevent this from happening, except when it’s OK to do so.

After making a distinction between deidentified and pseudonymous data, the law goes on to somewhat conflate the two in Sec. 541.106 entitled “DEIDENTIFIED OR PSEUDONYMOUS DATA.”

What is the standard?

How do you know whether data has been deidentified or pseudonymized? The definitions above say the data “cannot be reasonably linked” or “cannot be linked” to identifiable individuals. But how do you know what can or cannot be linked?

We can help. We are experts in data privacy. We can advise your company on deidentification procedures which are effective and widely used, and how to customize these procedures to retain the usefulness of data while protecting the privacy of the individuals represented in the data.


Trusted consultants to some of the world’s leading companies

Amazon, Facebook, Google, US Army Corp of Engineers, Amgen, Microsoft, Hitachi Data Systems


Photo of the Texas capitol by Ed Schipul, Attribution-ShareAlike (CC BY-SA 2.0).