Texas's main privacy law is the Texas Data Privacy and Security Act (TDPSA). It is a comprehensive consumer data-privacy law, effective July 1, 2024. The TDPSA gives Texas residents rights over their personal data and requires covered businesses to honor opt-outs and protect sensitive data.
The TDPSA reaches most businesses doing business in Texas that are not small businesses under the federal definition, wherever those businesses are based. Below: who must comply, what rights consumers get, and what the law requires of your website.
What Is the Texas Data Privacy and Security Act (TDPSA)?
The TDPSA is Texas's comprehensive consumer data-privacy law. It creates personal-data rights for Texas consumers and duties for the businesses, called controllers, that process their data. Texas became the 11th state to enact a comprehensive consumer privacy law, joining Virginia, Colorado, and Connecticut in the same opt-out family of statutes.
The law is Chapter 541 of the Texas Business and Commerce Code, enacted as House Bill 4 during the 88th Texas Legislature. It is part of a broader wave of US state privacy laws passed since 2023.
Some searches for "Texas privacy law" actually mean a different Texas statute. Examples include the state's one-party-consent audio recording law or the SCOPE Act for minors. This page covers only the TDPSA, the state's comprehensive consumer data privacy law.
When Did the TDPSA Take Effect?
The TDPSA took effect July 1, 2024. Its universal opt-out signal requirement followed six months later, on January 1, 2025.
The law's path to enforcement ran as follows:
- June 18, 2023: Governor Greg Abbott signs House Bill 4 into law.
- July 1, 2024: Most of the TDPSA becomes effective, including consumer rights and business obligations.
- January 1, 2025: Section 541.055(e) takes effect, requiring controllers to recognize universal opt-out signals for targeted advertising and the sale of personal data.
The law has been in force since mid-2024. It reads as settled, ongoing compliance work, not emerging regulation.
Who Has to Comply with the TDPSA? (The Small-Business Test)
The TDPSA has no revenue threshold and no consumer-count threshold. It applies to any person who conducts business in Texas or produces a product or service consumed by Texas residents. That person must also process or sell personal data, and not qualify as an SBA-defined small business.
That three-part test reaches further than most state privacy laws. A business anywhere in the country that sells to Texas residents and processes their personal data can be covered. Its size in dollars or customer count does not matter.
California's CCPA, by contrast, only reaches businesses that clear a set revenue threshold or one of two data-volume thresholds.
The applicability test has three conditions, and a covered business meets all three:
- Conducts business in Texas or produces a product or service consumed by Texas residents
- Processes or engages in the sale of personal data
- Is not a small business under the SBA's size standards, which vary by industry and are usually stated in employee count or average annual receipts
The third condition is the one that surprises small operators. Being small under the SBA's definition does not remove every duty. A small business that sells a consumer's sensitive data still needs that consumer's consent first, the one obligation that reaches otherwise-exempt small businesses.
Who Is Exempt from the TDPSA?
Six categories of entities fall outside the TDPSA's applicability test, and several types of data are exempt regardless of who processes them.
Exempt entities:
- State agencies and political subdivisions of Texas
- Financial institutions governed by the Gramm-Leach-Bliley Act
- Entities governed by the Health Insurance Portability and Accountability Act (HIPAA)
- Nonprofit organizations
- Institutions of higher education
- Small businesses as defined by the SBA, except for the sensitive-data-sale consent duty
Exempt data types include information already governed by the Gramm-Leach-Bliley Act, HIPAA, the Fair Credit Reporting Act, and FERPA. The Driver's Privacy Protection Act and the Farm Credit Act cover two more data-level exemptions. The law also does not restrict an individual processing personal data for personal or household activities.
What Rights Does the TDPSA Give Texas Consumers?
Texas residents get seven rights under the TDPSA, and covered businesses must act on a verified request within 45 days.
| Right | What it lets a consumer do |
|---|---|
| Right to know | Confirm whether a business is processing their personal data and obtain it in a readable format |
| Right to correct | Fix inaccuracies in their personal data |
| Right to delete | Request deletion of data they provided or that was collected about them |
| Right to opt out | Stop targeted advertising, the sale of personal data, or profiling tied to major decisions such as lending, housing, employment, or healthcare |
| Right to submit requests without an account | Exercise any right without being forced to create a new account |
| Right to appeal | Challenge a business's denial of a request |
| Right to non-discrimination | Exercise these rights without retaliation, a price change, or a lower quality of service |
Businesses can extend the 45-day window once, by another 45 days, if they notify the consumer with a reason first. A response is free up to twice a year per consumer, unless the request is unfounded, excessive, or repetitive.
The opt-out right for targeted advertising and data sales works much like similar opt-out rights in other state privacy laws. The trigger for coverage under each law is very different, though, as the comparison below shows.
What Counts as Sensitive Data Under the TDPSA?
Sensitive data under the TDPSA covers eight categories, and a business must get a consumer's affirmative consent before processing any of it.
Texas defines those eight categories as follows.
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health condition or diagnosis
- Sexuality
- Citizenship or immigration status
- Genetic or biometric data processed to uniquely identify a person
- Personal data of a child under 13
- Precise geolocation data
The inclusion of citizenship or immigration status sets Texas apart from many other states, whose sensitive-data lists stop at health, biometric, and geolocation categories. Consent for sensitive data must be freely given, informed, and unambiguous.
The law rules out consent obtained through dark patterns or acceptance of broad general terms. It also rejects consent inferred from a user merely hovering over, pausing on, or closing a piece of content.
This consent requirement is the one duty that reaches even SBA-exempt small businesses when they sell sensitive data. It sits inside an otherwise opt-out law as an opt-in island. Everywhere else, the TDPSA lets businesses collect by default and requires an opt-out; for sensitive data, it flips to requiring permission first.
What Does the TDPSA Require Businesses to Do?
Covered businesses, called controllers, carry several core duties under the TDPSA, starting with a clear privacy notice.
The duties include:
- Publishing a reasonably accessible, clear privacy notice that discloses what personal data is processed, why, which categories are shared with third parties, and how consumers exercise their rights
- Limiting data collection to what is adequate, relevant, and reasonably necessary for the disclosed purpose
- Offering two or more secure methods for consumers to submit rights requests, though a business that operates exclusively online and has a direct consumer relationship may offer email alone
- Responding to requests within 45 days, extendable once by 45 more days with notice
- Providing an appeals process when a request is denied
- Maintaining reasonable data security practices
- Signing data processing contracts with any processor that handles data on the controller's behalf
- Conducting data protection assessments for high-risk processing
A business that sells sensitive or biometric data has one more duty. Its privacy notice must carry the exact words NOTICE: We may sell your sensitive personal data, or the biometric equivalent. That notice sits in the same location and format as the general privacy notice.
Data Protection Assessments
A data protection assessment is a documented risk review a controller must complete before certain high-risk processing. That covers targeted advertising, the sale of personal data, risky profiling, and any processing of sensitive data. The assessment weighs the benefits of the processing against its risks to the consumer.
The Texas Attorney General can request a controller's data protection assessments during an investigation. The assessments themselves stay exempt from disclosure under the Texas Public Information Act. Providing one to the Attorney General does not waive attorney-client or work-product privilege.
Does the TDPSA Require Honoring Universal Opt-Out Signals?
Yes. Since January 1, 2025, TDPSA controllers must let consumers opt out through a universal opt-out mechanism. That signal covers targeted advertising and the sale of personal data, sent as a browser setting, browser extension, or device-level signal.
The statute frames this as an authorized-agent mechanism. A consumer designates a technology, and that technology communicates an opt-out request on the consumer's behalf. The signal must reflect an affirmative, freely given choice, not a default-on setting the consumer never actively selected.
Detecting and honoring that signal is a duty the business's systems must handle. It is separate from showing a cookie banner, and a banner alone does not satisfy it.
How Is the TDPSA Enforced? (Penalties and the Attorney General)
The Texas Attorney General has exclusive authority to enforce the TDPSA. The law gives consumers no private right of action, so they cannot sue businesses directly.
Before filing an enforcement action, the Attorney General must give written notice and a 30-day window to cure the violation. A business that fails to cure faces a civil penalty of up to $7,500 per violation.
The same penalty applies if it breaches a written cure statement already given to the Attorney General. The Attorney General can also seek injunctive relief plus attorney's fees and costs.
Unlike states whose cure periods have sunset, the TDPSA's 30-day notice-and-cure right is permanent. No provision in Chapter 541 phases it out, so it remains available to every business the Attorney General investigates.
How Is the TDPSA Different from the CCPA and GDPR?
The TDPSA, the CCPA, and the GDPR diverge most on what triggers coverage and how consent works.
| TDPSA | CCPA | GDPR | |
|---|---|---|---|
| What triggers coverage | Conducts business in Texas or serves Texas residents, processes or sells personal data, not an SBA small business | Meets a revenue or data-volume threshold | Processes any EU resident's data, regardless of size |
| Consent model | Opt-out, with opt-in required only for sensitive data | Opt-out, with opt-in required for minors and sensitive data | Opt-in by default |
| Private right of action | None | Limited, for certain data breaches | Not applicable; enforced by data protection authorities |
| Universal opt-out signal | Required since January 1, 2025 | Required (Global Privacy Control) | Not applicable; consent is opt-in already |
The TDPSA's biggest practical difference from the CCPA is its applicability test. The CCPA only reaches businesses that clear a specific revenue or data-volume number. The TDPSA reaches any qualifying business regardless of size, unless it counts as an SBA small business.
GDPR's rules sit furthest from both. They require opt-in consent before processing begins, rather than an after-the-fact opt-out.
What the TDPSA Means for Your Website and Cookies
A TDPSA-covered site needs a working opt-out path for targeted-advertising cookies and data sales, not just a privacy policy.
A covered site should work through the practical checklist below.
- Publish a clear privacy notice that names what your cookies and trackers collect
- Give Texas visitors a way to opt out of targeted-advertising cookies and the sale of their data, often built as a "Do Not Sell or Share" control
- Detect and honor recognized universal opt-out signals sent from a visitor's browser or device
- Get affirmative consent before loading anything that processes sensitive data, such as precise location tracking
- Keep records of each visitor's consent and opt-out choices
The TDPSA is one of a growing set of global privacy laws that now expect this same opt-out infrastructure on a site's cookie banner. A site already built for what the GDPR requires for cookies has the technical pieces in place. It just needs the Texas opt-out model layered in for Texas visitors specifically.
How Consently Helps You Meet the TDPSA's Opt-Out and Consent Requirements
Consently supports the consumer-facing side of TDPSA compliance. It provides a Texas-ready opt-out banner, a Do Not Sell or Share control, and a record of every visitor's choice.
Consently shows Texas visitors a CCPA and US state-law style opt-out banner with a built-in Do Not Sell or Share control. Its automatic geotargeting shows the GDPR opt-in banner to EU visitors on the same site. One account runs both models without a separate setup for each region.
Two features back the notice and record-keeping side. Consent logs with export give a timestamped record of who opted out and when, useful if the Texas Attorney General ever requests proof. The cookie, privacy, and terms-and-conditions policy generators produce the privacy notice the TDPSA requires, including the sensitive-data disclosure language.
One requirement Consently does not handle automatically: detecting a visitor's browser-level universal opt-out signal. Honoring that signal under Section 541.055(e) is a separate obligation a business meets through its own configuration.
Consently's banner, region-based display, and consent logs support the website tasks listed above. A policy generator or banner tool provides compliance assistance, not a legal guarantee.
Consently's CCPA and US state-law opt-out tools are free to try for 14 days, no credit card required. Start your free trial to see the opt-out banner and consent log in your own dashboard.
FAQs
What is the Texas Data Privacy and Security Act in simple terms?
The TDPSA is a Texas law that gives residents rights over their personal data and makes covered businesses honor opt-outs and protect sensitive data. It took effect July 1, 2024.
When did the Texas privacy law take effect?
The TDPSA took effect July 1, 2024. Its universal opt-out signal requirement, under Section 541.055(e), took effect separately on January 1, 2025.
Who has to comply with the TDPSA?
A business must comply if it does business in Texas or serves Texas residents, and processes or sells personal data. It must also not be a small business under the SBA's definition. There is no revenue or consumer-count threshold.
Does the TDPSA apply to small businesses?
SBA-defined small businesses are generally exempt from the TDPSA. They still need a consumer's consent before selling that consumer's sensitive data, the one duty the exemption does not cover.
What are the penalties for violating the TDPSA?
Violations carry a civil penalty of up to $7,500 per violation. The Texas Attorney General enforces it after a 30-day cure window closes without a fix.
Who enforces the TDPSA?
The Texas Attorney General enforces the TDPSA, and holds exclusive authority to do so.
Is there a private right of action under the TDPSA?
No. Consumers cannot sue a business directly under the TDPSA. They can file a complaint with the Texas Attorney General instead.
Does the TDPSA require a cookie banner?
The TDPSA does not name cookie banners specifically. Its opt-out rights make a "Do Not Sell or Share" control the practical compliance path for most websites.
How is the TDPSA different from the CCPA?
The TDPSA uses an SBA small-business test with no revenue threshold, while the CCPA uses specific revenue and data-volume thresholds. The TDPSA also has no private right of action, unlike the CCPA's limited one for data breaches.

