Texas Data Privacy and Security Act: What Texas Businesses Must Do

A practical guide to the Texas Data Privacy and Security Act (TDPSA) for small businesses: who it applies to, consumer rights, compliance steps, penalties, and how it compares to other state privacy laws.

Last updated: 2026-02-07

A customer in Houston submits a request asking what personal data your online store has collected about them. You have 45 days to respond -- and if you get it wrong, the Texas Attorney General can fine you up to $7,500 per violation. The Texas Data Privacy and Security Act (TDPSA) went into effect on July 1, 2024, making Texas one of the largest states with a comprehensive privacy law. What makes TDPSA unusual is that it has no revenue threshold. If you process personal data from Texas residents, this law probably applies to you.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the Texas Data Privacy and Security Act (Tex. Bus. & Com. Code Chapter 541), as of the date of publication.

Does the TDPSA Apply to Your Business?

The TDPSA casts a wider net than most state privacy laws. It applies to any entity that:

  1. Conducts business in Texas or produces a product or service consumed by Texas residents, AND
  2. Processes or engages in the sale of personal data, AND
  3. Is not a small business as defined by the U.S. Small Business Administration (SBA).

That third point is key. Unlike California's CCPA/CPRA, which uses a $25 million revenue threshold, or Colorado's CPA, which requires you to process data on 100,000 consumers, the TDPSA has no numeric revenue or volume threshold. If you do business in Texas and handle personal data, you are likely covered -- unless you qualify as an SBA small business.

The SBA defines "small business" differently by industry using NAICS codes. A retail store might qualify as small with up to $8 million in annual receipts. A software publisher might qualify with up to $41.5 million. Check the SBA's size standards table for your industry to see where you land.

However, there is a critical exception to the small business exemption. Even if your company qualifies as a small business under SBA standards, the exemption does not apply if you engage in the sale of sensitive personal data. If you sell sensitive data -- which includes things like racial or ethnic origin, health data, biometric data, or precise geolocation -- the TDPSA applies to you regardless of your size.

Practical example: A 10-person Shopify store in Austin that sells clothing and collects names, emails, and shipping addresses would likely qualify as an SBA small business and be exempt. But a small marketing agency that sells lists containing consumers' precise geolocation data would not be exempt, even with only five employees and $500,000 in revenue.

The TDPSA also exempts certain types of entities and data, including nonprofits, higher education institutions, and data already regulated by HIPAA, the Gramm-Leach-Bliley Act, FCRA, and FERPA.

What Rights Do Texas Consumers Have?

The TDPSA gives Texas residents seven core privacy rights. When a consumer exercises any of these rights, your business must respond within 45 days (with a possible 45-day extension if reasonably necessary).

Right to Access. Consumers can request confirmation of whether you are processing their personal data and obtain a copy of that data.

Right to Correction. Consumers can ask you to correct inaccurate personal data, taking into account the nature of the data and the purposes of processing.

Right to Deletion. Consumers can request deletion of personal data you hold about them. This covers data provided by the consumer and data obtained from other sources.

Right to Data Portability. Consumers can request their data in a portable, readily usable format so they can transfer it to another entity without hindrance.

Right to Opt Out of Sale. Consumers can opt out of the sale of their personal data. The TDPSA defines "sale" as the exchange of personal data for monetary consideration.

Right to Opt Out of Targeted Advertising. Consumers can opt out of the processing of their personal data for targeted advertising purposes.

Right to Opt Out of Profiling. Consumers can opt out of profiling that produces legal or similarly significant effects.

| Right | Notes |
|---|---|
| Access | Confirm processing and obtain a copy of personal data |
| Correction | Fix inaccurate personal data |
| Deletion | Delete personal data held by the business |
| Portability | Obtain data in a portable, usable format |
| Opt-out of sale | Stop the sale of personal data for monetary consideration |
| Opt-out of targeted ads | Stop processing data for targeted advertising |
| Opt-out of profiling | Stop profiling with legal or significant effects |
| Non-discrimination | Cannot penalize consumers for exercising rights |

What Your Business Must Do

Compliance with the TDPSA requires concrete operational changes. Here is what businesses need to have in place.

Publish a clear privacy notice. Your privacy notice must disclose the categories of personal data you process, the purposes of processing, how consumers can exercise their rights, the categories of personal data shared with third parties, and the categories of those third parties. If you sell personal data or use it for targeted advertising, you must clearly disclose that.

Respond to consumer requests within 45 days. You need a documented intake process for receiving requests, verifying consumer identity, and delivering responses. You can extend the deadline by another 45 days if reasonably necessary, but you must notify the consumer of the extension and explain why. If you decline a request, you must explain the reason and provide instructions for appealing.

Implement an appeal process. If you deny a consumer's request, the consumer has the right to appeal. You must provide a mechanism for appeals and respond within 60 days. If you deny the appeal, you must inform the consumer that they can contact the Texas Attorney General.

Conduct data protection assessments. The TDPSA requires assessments for certain processing activities, including targeted advertising, the sale of personal data, processing of sensitive data, and profiling that presents a reasonably foreseeable risk of harm. These assessments must weigh the benefits of processing against the potential risks to the consumer.

Get consent before processing sensitive data. Unlike some states that use an opt-out model for all data, the TDPSA requires affirmative opt-in consent before you process sensitive data. This includes racial or ethnic origin, religious beliefs, health diagnoses, sexual orientation, citizenship status, genetic or biometric data, children's data, and precise geolocation.

Honor universal opt-out mechanisms. Starting January 1, 2025, the TDPSA requires businesses to recognize universal opt-out preference signals (like the Global Privacy Control) for opt-out-of-sale and opt-out-of-targeted-advertising requests. If your website does not honor these signals, you are not compliant.

Establish data processing agreements. If you use processors (vendors, SaaS tools, analytics providers) that handle personal data on your behalf, you need written contracts that govern the processor's data handling obligations, confidentiality requirements, and audit rights.

How Is the TDPSA Enforced?

The TDPSA is enforced exclusively by the Texas Attorney General. There is no private right of action, meaning individual consumers cannot sue your business directly for TDPSA violations.

The maximum penalty is $7,500 per violation. For violations involving the personal data of a known minor, penalties can reach $25,000 per violation. The Attorney General can also seek injunctive relief and recover reasonable attorney's fees and investigation costs.

The law originally included a 30-day cure period, giving businesses the opportunity to fix a violation before facing enforcement action. This cure period is available through January 1, 2026. After that date, the Attorney General has discretion on whether to offer a cure opportunity based on factors like the number of violations, the business's size, and the business's sophistication.

As of early 2026, the Texas Attorney General's office has been actively investigating privacy complaints. While no major public enforcement actions under the TDPSA have been widely reported at the time of writing, the AG's office has signaled that enforcement is a priority -- particularly around data broker practices and the handling of children's data.

How the TDPSA Compares to Other State Privacy Laws

The TDPSA shares a common framework with other state privacy laws but has unique characteristics -- particularly its lack of a revenue threshold and its SBA small business exemption.

| Feature | Texas (TDPSA) | California (CCPA/CPRA) | Tennessee (TIPA) |
|---|---|---|---|
| Effective date | Jul 1, 2024 | Jan 1, 2020 / Jan 1, 2023 | Jul 1, 2025 |
| Revenue threshold | None | $25 million | Over $25 million |
| Data volume threshold | None (processes/sells personal data) | 100K consumers/households | Processes data of 175K+ consumers OR 25K+ consumers with 50% revenue from data sales |
| Small business exemption | SBA-defined (unless selling sensitive data) | None (thresholds serve this purpose) | Revenue threshold serves this purpose |
| Max penalty per violation | $7,500 ($25K for minors) | $2,500 ($7,500 intentional) | $7,500 ($15K for knowing violations) |
| Cure period | 30 days (until Jan 1, 2026) | None | 60 days (until Jul 1, 2026) |
| Universal opt-out signal | Required (from Jan 1, 2025) | Required | Not required |
| Private right of action | No | Limited (data breaches only) | No |

Compared to Tennessee's TIPA, the TDPSA is broader in scope because it has no revenue threshold. Compared to California's CCPA/CPRA, the TDPSA is narrower in some ways (no private right of action) but broader in others (no revenue threshold, so it catches more businesses). For businesses that operate in both Texas and Colorado, the good news is that the rights frameworks are similar -- if you comply with one, you are most of the way toward the other.

Action Checklist for Small Businesses

If the TDPSA applies to your business, here is what to tackle first:

  1. Determine whether you qualify for the SBA small business exemption. Look up the SBA size standard for your NAICS industry code. If you qualify and do not sell sensitive personal data, you may be exempt.
  2. Conduct a data inventory. Map out what personal data you collect, where it is stored, who you share it with, and why. You cannot respond to consumer requests if you do not know what data you have.
  3. Update your privacy notice. Ensure it discloses all required categories: data collected, purposes, third parties, consumer rights, and how to exercise them.
  4. Set up a DSAR intake process. Create a clear method for consumers to submit access, correction, deletion, and opt-out requests. An email address or web form works. Document your verification and response procedures.
  5. Implement universal opt-out signal recognition. Make sure your website recognizes and honors signals like the Global Privacy Control (GPC) for sale and targeted advertising opt-outs.
  6. Review vendor contracts. Ensure data processing agreements are in place with any third-party processors handling personal data on your behalf.
  7. Conduct data protection assessments. Evaluate your targeted advertising, data sales, sensitive data processing, and profiling activities for risk.
  8. Train your team. Everyone who handles customer data or privacy inquiries should understand the basics of the TDPSA and your internal procedures.
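
Step 5 of the checklist and the "Honor universal opt-out mechanisms" requirement, shown as an added example that is not part of the original article: a server-side check for the Global Privacy Control request header (Sec-GPC: 1) that turns off sale and targeted-advertising processing for that visitor. The storedPrefs field names, the tag names, and the purpose labels are hypothetical.

```javascript
// Added example: honoring the Global Privacy Control (GPC) signal server-side.
// GPC-capable browsers send the request header "Sec-GPC: 1".

// True when the request carries a GPC opt-out signal.
function hasGpcSignal(headers = {}) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== 'sec-gpc') continue; // header names are case-insensitive
    // A header may arrive as an array or a comma-joined string; check each part.
    const parts = [].concat(value).join(',').split(',');
    if (parts.some((p) => p.trim() === '1')) return true; // "1" is the only defined value
  }
  return false;
}

// Combine the signal with opt-outs the visitor already saved.
// The storedPrefs field names are assumptions made for this example.
function processingDecision(headers, storedPrefs = {}) {
  const gpc = hasGpcSignal(headers);
  return {
    gpcDetected: gpc,
    allowSale: !gpc && !storedPrefs.optOutSale,
    allowTargetedAds: !gpc && !storedPrefs.optOutTargetedAds,
    // The article ties GPC to sale and targeted ads only; profiling follows the saved choice.
    allowProfiling: !storedPrefs.optOutProfiling,
  };
}

// Keep only the third-party tags whose purpose is still permitted.
// Purpose labels are hypothetical; an unknown purpose is dropped (fail closed).
function permittedTags(tags, decision) {
  const allowed = { sale: decision.allowSale, targeted_ads: decision.allowTargetedAds, essential: true };
  return tags.filter((t) => allowed[t.purpose] === true).map((t) => t.name);
}

// Constructed sample data, not real traffic or real vendors.
const SAMPLE_TAGS = [
  { name: 'checkout-fraud-check', purpose: 'essential' },
  { name: 'ad-retargeting-pixel', purpose: 'targeted_ads' },
  { name: 'data-partner-sync', purpose: 'sale' },
];
const withGpc = processingDecision({ 'Sec-GPC': '1', 'User-Agent': 'example' });
const withoutGpc = processingDecision({ 'sec-gpc': '0' }, { optOutSale: true });

console.log(permittedTags(SAMPLE_TAGS, withGpc));    // tags for a GPC visitor
console.log(permittedTags(SAMPLE_TAGS, withoutGpc)); // tags for a saved sale opt-out
```

Logging gpcDetected alongside each decision gives you a record that the signal was received and applied, which is useful when documenting how opt-out requests are handled.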

Key Dates

  • July 1, 2024: TDPSA takes effect.
  • January 1, 2025: Businesses must recognize universal opt-out preference signals.
  • January 1, 2026: 30-day cure period expires. Attorney General gains discretion on cure opportunities.

Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.

