Texas Data Privacy and Security Act: What It Requires, Who It Covers, and How Texas Businesses Comply
Most Texas businesses that collect personal data from consumers are subject to the Texas Data Privacy and Security Act (TDPSA), codified at Texas Business and Commerce Code Chapter 541. Effective July 1, 2024, the TDPSA regulates how businesses collect, use, store, sell, share, and process the personal data of Texas residents. It grants consumers specific rights over their data, imposes obligations on businesses that process it, and provides the Texas Attorney General exclusive enforcement authority with civil penalties of up to $7,500 per violation.
As Texas's first comprehensive consumer data privacy statute, the TDPSA follows the controller-processor framework used by Virginia, Colorado, and Connecticut, and adopts an opt-out model for general personal data with an opt-in requirement for sensitive data. Businesses that have prepared for compliance with other state privacy laws should find the TDPSA's structure familiar, but several provisions are unique to Texas and deserve attention.
Who the TDPSA Covers
TDPSA applies to any person that conducts business in Texas or produces a product or service consumed by residents of Texas, and that processes or engages in the sale of personal data. Unlike California's CCPA (which applies based on revenue, data volume, or data sale thresholds), the TDPSA uses the SBA's definition of "small business" as its exemption rather than a numeric threshold.
Small businesses as defined by the U.S. Small Business Administration are generally exempt. SBA size standards vary by industry (based on number of employees or annual receipts), and whether a business qualifies as "small" under the SBA definition can be a fact-specific question. However, the small business exemption doesn't apply if the business sells sensitive personal data. A small business that sells sensitive data must comply with the TDPSA's consent requirements for that data regardless of its size.
Additional exemptions cover financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), covered entities and business associates governed by HIPAA, entities subject to the Fair Credit Reporting Act (FCRA), nonprofits, institutions of higher education, and electric utilities. Personal data processing for personal or household activities is also exempt.
What the TDPSA Defines as Personal Data
"Personal data" means any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. Pseudonymous data (data that can't identify a person without additional information) qualifies as personal data when combined with information that reasonably links it to an identifiable individual. Publicly available information and de-identified data are excluded.
"Sensitive data" receives heightened protection and includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic data, biometric data (fingerprint, voiceprint, retina or iris scan, or other unique biological pattern), personal data collected from a known child (under 13), and precise geolocation data.
Processing sensitive data requires the consumer's opt-in consent before processing begins. For data collected from a known child, the TDPSA requires compliance with COPPA.
Consumer Rights
Texas consumers have six rights under the TDPSA.
Right to confirm and access. Consumers can ask whether a controller is processing their personal data and, if so, can access that data.
Right to correct. Consumers can request correction of inaccurate personal data, considering the nature of the data and the purposes for processing.
Right to delete. Consumers can request deletion of personal data the controller holds about them, including data obtained from the consumer and data obtained from other sources.
Right to data portability. Consumers can obtain a copy of their personal data in a portable, readily usable format that allows transfer to another controller, to the extent technically feasible.
Right to opt out. Consumers can opt out of the processing of their personal data for targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects.
Right to non-discrimination. Controllers can't discriminate against consumers for exercising their TDPSA rights by denying goods or services, charging different prices, or providing a different level of quality.
Controllers must respond to consumer requests within 45 days. A single 45-day extension is available if reasonably necessary due to the complexity of the request or the volume of requests, provided the controller informs the consumer of the extension and the reason.
As of January 1, 2025, consumers can designate an authorized agent to opt out on their behalf using a universal opt-out mechanism (such as Global Privacy Control). Controllers must recognize and honor GPC signals and other consumer-friendly universal opt-out mechanisms.
Business Obligations
Controllers (businesses that determine the purposes and means of processing personal data) have several affirmative obligations under the TDPSA.
Privacy notice. Controllers must publish a privacy notice that describes the categories of personal data processed, the purposes of processing, how consumers can exercise their rights (including how to appeal a controller's decision), the categories of personal data shared with third parties, and the categories of third parties with whom data is shared. If the controller sells personal data or processes it for targeted advertising, the notice must disclose that fact.
Data minimization. Controllers must limit the collection of personal data to what's adequate, relevant, and reasonably necessary for the disclosed purposes. Collection that exceeds what's needed for the stated purpose violates the data minimization requirement.
Purpose limitation. Controllers can't process personal data for purposes that aren't reasonably necessary to or compatible with the disclosed purposes without obtaining additional consumer consent.
Security. Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and sensitivity of the personal data they process.
Data protection assessments. Controllers must conduct and document data protection assessments for processing activities that present a heightened risk of harm to consumers, including processing for targeted advertising, selling personal data, processing for profiling that presents a reasonably foreseeable risk of harm, and processing sensitive data. Assessments must weigh the direct and indirect benefits of the processing against the potential risks to consumer rights, considering de-identification, consumer expectations, the context of processing, and the controller-consumer relationship. Assessments must be made available to the Texas Attorney General upon request and are exempt from public disclosure under the Texas Public Information Act.
Processor contracts. When a controller engages a processor (a third party that processes data on the controller's behalf), the parties must enter into a written contract governing the processing. Required contract terms include instructions for processing, the nature and purpose of processing, the type of data processed, the duration of processing, the rights and obligations of both parties (including confidentiality, sub-processor requirements, deletion or return of data upon termination, and cooperation with controller assessments).
Enforcement and Penalties
Enforcement authority belongs exclusively to the Texas Attorney General. There is no private right of action, which means individual consumers can't sue businesses directly for TDPSA violations.
Before bringing an enforcement action, the Attorney General must provide written notice of the alleged violation and allow the business 30 days to cure it. During the cure period, the business must fix the violation, provide a written statement and supporting documentation to the Attorney General evidencing that the violation was cured, confirm that the consumer affected by the violation was notified (if contact information was available), and describe any changes to internal policies necessary to prevent recurrence.
The TDPSA's 30-day cure period doesn't sunset. Virginia's and Colorado's cure periods both expired on January 1, 2025; Texas's is permanent, so businesses keep the opportunity to cure violations before facing penalties. Businesses will have the opportunity to cure violations before facing penalties for the foreseeable future.
If the business fails to cure the violation within 30 days, or violates a written statement provided to the Attorney General, civil penalties of up to $7,500 per violation apply. The Attorney General can also seek injunctive relief and recovery of attorney's fees and investigation costs.
In December 2024, Texas Attorney General Ken Paxton initiated investigations into Character.AI, Reddit, Instagram, Discord, and other companies concerning their privacy and safety practices under the TDPSA, signaling active enforcement intent.
How the TDPSA Compares to the CCPA
Both statutes grant consumers similar rights (access, deletion, correction, opt-out, portability), but the two laws differ in several respects that affect compliance.
Applicability thresholds differ. CCPA applies based on revenue ($26.625M), data volume (100,000 consumers), or data sale revenue (50% of annual revenue). TDPSA applies to any non-small-business that processes or sells personal data of Texas residents, with no numeric thresholds.
Enforcement differs. CCPA is enforced by both the California Attorney General and the California Privacy Protection Agency, and CCPA provides a limited private right of action for data breach claims. TDPSA is enforced exclusively by the Texas Attorney General with no private right of action.
Cure period differs. California eliminated its cure period when the CPRA took effect. TDPSA's 30-day cure period is permanent.
Sensitive data treatment is similar. Both require opt-in consent for sensitive data. TDPSA's sensitive data categories are comparable to CCPA's, though the specific definitions and enumerated categories differ in detail.
Practical Recommendations
Determine whether the small business exemption applies to your business by reviewing the SBA size standards for your industry. If the exemption applies but you sell sensitive data, you must still comply with the TDPSA's consent requirements for sensitive data processing.
Publish a TDPSA-compliant privacy notice that covers all required categories (personal data processed, purposes, consumer rights, third-party sharing, targeted advertising/sale disclosures). If your privacy policy already complies with the CCPA, review it against the TDPSA's specific disclosure requirements to confirm coverage.
Implement a mechanism for consumers to exercise their TDPSA rights (web form, email address, toll-free number) and build a response workflow that satisfies the 45-day response deadline.
Honor Global Privacy Control signals and other universal opt-out mechanisms as of January 1, 2025. Configure your website to detect GPC signals and treat them as valid opt-out requests for the sale of personal data and targeted advertising.
Obtain opt-in consent before processing any sensitive data, including precise geolocation, biometric data, health information, and data from children under 13. Don't collect sensitive data through default settings or pre-checked boxes.
Conduct data protection assessments for processing activities that involve targeted advertising, sale of personal data, profiling, or sensitive data. Document the assessment and retain it, because the Attorney General can request it during an investigation.
Review and update processor contracts to include the TDPSA's required terms (processing instructions, confidentiality, sub-processor obligations, deletion upon termination, cooperation with assessments). If your existing data processing agreements were drafted for CCPA or GDPR compliance, confirm they satisfy the TDPSA's specific requirements.
Related practice area: Privacy Law
Need advice tied to your business issue?
Share the issue. Get direct attorney review. Receive a concrete recommendation.
Submit an Inquiry