Texas Data Privacy and Security Act (TDPSA): Complete 2026 Compliance Guide
Texas’s TDPSA — The Broadest State Privacy Law
The Texas Data Privacy and Security Act (TDPSA) was signed into law on June 18, 2023, and took effect on July 1, 2024. What makes Texas unique among all state privacy laws is its lack of traditional applicability thresholds — the TDPSA applies to all entities conducting business in Texas that process personal data, unless they qualify as a “small business” under the SBA definition. This makes it potentially the broadest state privacy law in the country.
If your business operates in Texas or serves Texas residents, use our Privacy Law Calculator to determine your compliance obligations across all state privacy laws.
Who Must Comply with the TDPSA?
Unlike most state privacy laws that set revenue or consumer count thresholds, the TDPSA takes a different approach:
- Applies to all entities that conduct business in Texas or produce products or services consumed by Texas residents
- Applies to all entities that process or sell personal data
- Only exemption from applicability: Entities that qualify as a “small business” as defined by the U.S. Small Business Administration (SBA)
This means that even mid-size businesses that might be exempt under California, Virginia, or Colorado laws are likely covered by the TDPSA. The SBA definition varies by industry but generally includes businesses with fewer than 500 employees for most manufacturing and mining industries, or less than $8 million in annual receipts for most nonmanufacturing industries.
Important note: Even small businesses under the SBA definition must still comply with the TDPSA’s data sale provisions — specifically, they cannot sell sensitive personal data without explicit consent.
Exemptions
The TDPSA provides entity-level and data-level exemptions:
- Entity exemptions: Government entities, nonprofits, institutions of higher education, electric utilities, power generation companies
- Data exemptions: Data governed by HIPAA, GLBA, FCRA, FERPA, DPPA, COPPA, and Farm Credit Act data
- Small business exemption: SBA-defined small businesses are exempt from most provisions (but not the sensitive data sale restriction)
Consumer Rights Under the TDPSA
The TDPSA grants Texas consumers a comprehensive set of privacy rights:
- Right to access — Confirm whether a controller is processing personal data and access that data
- Right to correction — Request correction of inaccurate personal data
- Right to deletion — Request deletion of personal data
- Right to data portability — Obtain a copy of personal data in a portable, readily usable format
- Right to opt out of data sale — Opt out of the sale of personal data
- Right to opt out of targeted advertising — Opt out of processing for targeted advertising
- Right to opt out of profiling — Opt out of profiling with legal or similarly significant effects
- Right to limit sensitive data — Require opt-in consent for sensitive data processing
- Right to appeal — Appeal a controller’s refusal to act on a request
Controllers must respond to consumer rights requests within 45 days, with one 45-day extension if reasonably necessary. Crucially, the TDPSA prohibits “dark patterns” — manipulative interface designs that subvert or impair consumer choice.
Universal Opt-Out Mechanism (GPC) Requirement
Texas requires businesses to honor universal opt-out mechanisms such as Global Privacy Control (GPC). This requirement has been fully in effect since January 1, 2025.
The Texas Attorney General has indicated that compliance with the universal opt-out requirement is an enforcement priority. Businesses must:
- Detect and honor GPC browser signals automatically
- Treat a GPC signal as an opt-out of both data sales and targeted advertising
- Not add friction or additional steps to the opt-out process
- Provide clear instructions in their privacy notice about universal opt-out mechanisms
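The detection and opt-out handling listed above can be sketched server-side as follows. This is an added example, not code from this guide or from any regulator; it relies on the `Sec-GPC: 1` request header defined by the Global Privacy Control specification, and the function names, the `storedOptOuts` record and the tag inventory are hypothetical.

```javascript
// Added example. Per the GPC specification, a browser with the signal enabled
// sends the request header "Sec-GPC: 1"; anything else means no signal.

// HTTP header names are case-insensitive and some frameworks return arrays.
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) return Array.isArray(value) ? value[0] : value;
  }
  return undefined;
}

function hasGpcSignal(headers) {
  const raw = headerValue(headers, "Sec-GPC");
  return typeof raw === "string" && raw.trim() === "1";
}

// storedOptOuts is a hypothetical per-user record of opt-outs made through the
// site's own forms, e.g. { sale: true, targetedAdvertising: false }.
function resolveProcessing(headers, storedOptOuts = {}) {
  const gpc = hasGpcSignal(headers);
  return {
    gpc,
    // The signal opts out of both purposes at once, with no confirmation step.
    saleAllowed: !(gpc || storedOptOuts.sale === true),
    targetedAdvertisingAllowed: !(gpc || storedOptOuts.targetedAdvertising === true),
  };
}

// Hypothetical tag inventory: each third-party tag is labelled with its purpose.
function tagsToLoad(decision, tags) {
  return tags
    .filter((tag) => {
      if (tag.purpose === "sale") return decision.saleAllowed;
      if (tag.purpose === "targeted_advertising") return decision.targetedAdvertisingAllowed;
      return true; // functional tags are unaffected by the opt-out
    })
    .map((tag) => tag.name);
}

// Constructed sample data.
const SAMPLE_TAGS = [
  { name: "session", purpose: "functional" },
  { name: "ad-network", purpose: "targeted_advertising" },
  { name: "data-partner", purpose: "sale" },
];
const withGpc = resolveProcessing({ "sec-gpc": "1" });
const withoutGpc = resolveProcessing({ "Sec-GPC": "0" }, { sale: true });
console.log(tagsToLoad(withGpc, SAMPLE_TAGS), tagsToLoad(withoutGpc, SAMPLE_TAGS));
```

Making the decision before any third-party tag is rendered means the opt-out takes effect on the first request, without a banner click or account login.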
Check your GPC obligations across all states with our GPC Compliance Checker.
Key 2025–2026 Developments
TRAIGA: Texas Responsible AI Governance Act (HB 149)
Signed on June 22, 2025, and effective January 1, 2026, the Texas Responsible AI Governance Act (TRAIGA) is one of the first comprehensive state-level AI regulations in the US. TRAIGA directly intersects with the TDPSA:
- TDPSA amendment: Processors must help controllers protect personal data processed by AI systems, adding new contractual obligations
- AI discrimination prohibition: Deployers must not use AI systems that result in unlawful discrimination based on protected characteristics
- Government AI transparency: Government entities must disclose when they use AI to interact with consumers
- Enforcement: A 60-day cure period applies specifically to TRAIGA violations pursued by the Texas AG
TRAIGA is significant because it bridges privacy law and AI regulation, requiring businesses to consider both when deploying AI systems that process personal data.
Aggressive AG Enforcement
The Texas Attorney General has been one of the most aggressive state enforcers of privacy rights. In 2024–2025, the office secured over $1 billion in settlements against major technology companies for violations related to biometric data collection, geolocation tracking, and deceptive data practices. This enforcement posture signals that the TDPSA will be actively enforced.
Data Broker Registration (Separate Law)
Texas has a separate Data Broker Law (HB 4460), effective since September 1, 2023, which requires data brokers to:
- Register annually with the Texas Secretary of State
- Pay registration fees
- Post conspicuous notices regarding data collection practices
- Maintain data security measures
Non-compliance with the data broker law can result in penalties of up to $100 per day. Learn more about data broker requirements in our Data Broker Registration Guide.
Sensitive Data Under the TDPSA
The TDPSA requires opt-in consent before processing sensitive personal data. Sensitive categories include:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Biometric data for identification purposes
Key rule for all businesses: Even SBA-defined small businesses that are otherwise exempt from the TDPSA cannot sell sensitive personal data without explicit consumer consent.
Enforcement and Penalties
The TDPSA is enforced by the Texas Attorney General. There is no private right of action.
- Penalties: Up to $25,000 per violation
- Cure period: 30 days (permanent — does not sunset)
- Enforcement history: The Texas AG has demonstrated a willingness to pursue large-scale enforcement actions
The $25,000 per-violation penalty is among the highest of any state privacy law, exceeded only by Florida ($50,000). Combined with the broad applicability and the AG’s aggressive posture, the TDPSA represents significant enforcement risk. View all state enforcement actions on our Enforcement Tracker.
How Texas Compares to Other State Privacy Laws
- Broadest applicability: The TDPSA and Nebraska’s NDPA are the only state privacy laws without traditional consumer count or revenue thresholds
- Highest penalties: $25,000 per violation is among the highest flat rates, exceeded only by Florida ($50,000)
- GPC required: Texas joins California, Connecticut, Colorado, Montana, Delaware, Oregon, and Maryland in requiring universal opt-out recognition
- AI regulation: TRAIGA makes Texas one of the first states with comprehensive AI governance tied to its privacy law
- Permanent cure period: The 30-day cure period does not sunset, making it more business-friendly than states that have eliminated their cure periods
- Separate data broker law: Texas is one of few states with both a comprehensive privacy law and a dedicated data broker registration requirement
Use our State Comparison Tool to see how Texas stacks up against all 20+ state privacy laws.
8-Step TDPSA Compliance Plan
- Determine applicability — Check whether your organization qualifies as a small business under the SBA definition. If not, the TDPSA almost certainly applies. Use the Privacy Law Calculator.
- Implement GPC recognition — Ensure your website and apps detect and honor Global Privacy Control and other universal opt-out signals. This has been required since January 1, 2025.
- Assess TRAIGA obligations — If you develop or deploy AI systems that process personal data, evaluate compliance with the Texas Responsible AI Governance Act (effective January 1, 2026). Update processor agreements to include AI-related data protection obligations.
- Update privacy notices — Include all TDPSA-required disclosures: data categories, processing purposes, third-party sharing, consumer rights, opt-out instructions, and any AI-related disclosures required by TRAIGA.
- Build consumer rights processes — Create intake, verification, fulfillment, and appeals workflows for all nine consumer rights. Configure 45-day response timelines. Ensure no dark patterns in the request process.
- Audit sensitive data practices — Obtain opt-in consent for all sensitive data categories. Remember that even SBA-exempt small businesses must obtain consent before selling sensitive data.
- Check data broker status — If your business buys, sells, or licenses personal data, determine whether you meet the data broker definition and register with the Texas Secretary of State if required.
- Review processor contracts — Ensure all data processor agreements include TDPSA-mandated provisions, including the new TRAIGA requirement for AI-related data protection obligations.
For a detailed walkthrough, visit our Texas Compliance Checklist.
This article provides general educational information and is not legal advice. Consult qualified legal counsel for guidance specific to your organization. Last updated: March 29, 2026.