Texas became the largest US state by population to enact a consumer privacy law when Governor Greg Abbott signed the Texas Data Privacy and Security Act (TDPSA) in June 2023. The law took effect on July 1 2024, with additional requirements coming into force in January 2025.
What Is the TDPSA?
The Texas Data Privacy and Security Act establishes privacy rights for Texas residents and creates obligations for businesses that collect and process their personal data. Unlike California’s law, the TDPSA does not create a dedicated privacy agency. Enforcement rests with the Texas Attorney General.
The law follows a similar structure to other state privacy laws like Virginia’s VCDPA, granting consumers rights to access, correct, delete, and control their personal information.
Does It Apply to Your Business?
The TDPSA takes a different approach to applicability than most other state privacy laws. There is no revenue threshold and no minimum number of consumers whose data must be processed.
The law applies to businesses that:
- Conduct business in Texas, or produce products or services consumed by Texas residents
- Process or engage in the sale of personal data
- Are not classified as a small business under the US Small Business Administration definition
The Small Business Exception
Small businesses as defined by the SBA are generally exempt from the TDPSA. However, this exemption disappears entirely if the business sells sensitive personal data. Since many websites collect health-related browsing data, precise geolocation, or biometric information through third-party tools without realising it, the small business exemption is narrower than it may appear.
Key Consumer Rights
Texas residents have the following rights under the TDPSA:
- Right to confirm whether a business is processing their personal data
- Right to access their personal data
- Right to correct inaccuracies
- Right to delete their personal data
- Right to obtain a portable copy of their data
- Right to opt out of targeted advertising
- Right to opt out of the sale of personal data
- Right to opt out of profiling that produces legal or significant effects
Business Obligations
Businesses covered by the TDPSA must:
- Provide a clear privacy notice explaining data collection and use practices
- Limit data collection to what is adequate, relevant, and reasonably necessary
- Implement reasonable security measures
- Obtain consent before processing sensitive data
- Respond to consumer rights requests within 45 days
- Honor universal opt-out mechanisms such as Global Privacy Control (from January 2025)
The requirement to recognize opt-out preference signals is significant. Since January 1 2025, businesses must configure their systems to respond immediately to signals like Global Privacy Control, not merely store preferences for later processing.
Sensitive Data
The TDPSA treats certain categories of personal data as sensitive and requires explicit consent before processing. Sensitive data includes:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Genetic or biometric data
- Personal data from a known child
- Precise geolocation data
Enforcement and Penalties
The Texas Attorney General has exclusive enforcement authority. The TDPSA does not provide consumers with a private right of action.
When the Attorney General identifies a potential violation, the business receives a 30-day notice to cure the issue. This cure period does not expire after a set time, unlike some other state laws where it sunsets.
Penalties for violations that are not cured can reach $7,500 per violation. Each affected consumer counts as a separate violation, so fines can accumulate quickly. A violation affecting 1,000 consumers could result in penalties up to $7.5 million.
Key Dates
- June 18 2023: TDPSA signed into law
- July 1 2024: TDPSA became effective
- January 1 2025: Universal opt-out mechanism requirements took effect
Where to Find Official Resources
- Full legal text: Texas Business and Commerce Code, Chapter 541
- Texas Attorney General: texasattorneygeneral.gov
- Texas State Law Library spotlight: sll.texas.gov
- Texas Department of Information Resources: dir.texas.gov
Getting Started
Texas is the second-largest US state by population, which means the TDPSA has substantial reach. The lack of a revenue threshold means many smaller businesses may be covered if they are not classified as small businesses under SBA definitions.
Start by determining whether your business qualifies for the small business exemption. If you process any sensitive data, the exemption likely does not apply. Review your privacy notices, implement Global Privacy Control support, and ensure your opt-out mechanisms respond immediately to consumer signals.
