What are the penalties under the TDPSA?

Penalties are up to $25,000 per violation, enforced by the Texas Attorney General. This is among the highest per-violation penalties of any state privacy law.

Does Texas have data broker registration requirements?

Yes. Under a separate law (HB 4460), data brokers must register with the Texas Secretary of State and pay annual fees.

What is the Texas Responsible AI Governance Act (TRAIGA)?

TRAIGA (HB 149), signed June 22, 2025 and effective January 1, 2026, regulates AI development and deployment in Texas. It prohibits AI use for unlawful discrimination, amends the TDPSA to require processors to help protect personal data processed by AI, and requires government entities to disclose AI interactions. The AG enforces with a 60-day cure period.

Texas Privacy Law

Q: Does the TDPSA have revenue or consumer count thresholds?

No. The TDPSA applies to all entities conducting business in Texas that process personal data, unless they qualify as a small business under the SBA definition. This makes it one of the broadest state privacy laws.

Q: Does Texas require GPC recognition?

Yes. The TDPSA requires businesses to honor universal opt-out mechanisms such as Global Privacy Control (GPC).

Texas Data Privacy and Security Act

Effective: July 1, 2024Active

Overview

The Texas Data Privacy and Security Act (TDPSA) was signed into law on June 18, 2023, and became effective on July 1, 2024. Texas is unique among state privacy laws for having no revenue or consumer count threshold, instead applying to all entities conducting business in Texas that process personal data, unless they qualify as a "small business" under the SBA definition. This makes the TDPSA one of the broadest state privacy laws in terms of applicability. The TDPSA provides Texas consumers with comprehensive privacy rights, including access, correction, deletion, portability, and opt-out rights for data sales, targeted advertising, and profiling. Texas requires businesses to honor universal opt-out mechanisms such as Global Privacy Control (GPC), and the law includes an appeals process for denied consumer requests. Given the absence of traditional thresholds, the TDPSA potentially covers a vast number of businesses that operate in Texas or target Texas residents. The law includes a 30-day cure period and penalties of up to $25,000 per violation, enforced by the Texas Attorney General. The higher penalty amount, combined with the broad applicability, makes the TDPSA a particularly significant law for businesses of all sizes.

Applicability Thresholds

Conditions are joined by OR — meeting ANY one triggers applicability.

No revenue or consumer count threshold. Applies to all entities that are not small businesses as defined by the SBA.

Consumer Rights

Right to Access

Right to Delete

Right to Correct

Data Portability

Opt-Out of Sale

Opt-Out of Targeted Ads

Opt-Out of Profiling

Limit Sensitive Data Use

Right to Appeal

Private Right of Action

Key Changes in 2025-2026

Texas Responsible AI Governance Act (TRAIGA, HB 149) effective January 1, 2026 — imposes obligations on AI developers and deployers, amends TDPSA to require processors to help protect personal data processed by AI systems
TRAIGA requires government entities to disclose AI interactions; AG has 60-day cure period for enforcement
Universal opt-out mechanism recognition requirement fully in effect
Texas AG ramping up enforcement activity under the TDPSA — secured $1B+ settlement against a major tech company
Continued enforcement of the separate data broker registration law

Enforcement Details

Enforced By

Texas Attorney General

Penalty Per Violation

$25,000

Cure Period

30 days

Private Right of Action

No — AG enforcement only

Sensitive Data Categories

Consent model: opt-in

Racial or ethnic originReligious beliefsMental or physical health diagnosisSexual orientationCitizenship or immigration statusBiometric data for identification

Universal Opt-Out / GPC Requirements

GPC / Universal Opt-Out Required

Businesses must recognize and honor universal opt-out mechanisms such as Global Privacy Control (GPC). The Texas AG has indicated that compliance with this requirement is a priority.

Effective: January 1, 2025

Minor / Child Protections

The TDPSA requires opt-in consent for processing personal data of known children under 13. The law prohibits the sale of personal data of children under 13 and requires opt-in consent for targeted advertising directed at minors.

Compliance Checklist

1Determine whether your organization qualifies as a small business under the SBA definition — if not, the TDPSA likely applies
2Implement universal opt-out signal recognition (GPC and similar mechanisms)
3Assess TRAIGA obligations if developing or deploying AI systems — ensure AI is not used for unlawful discrimination or statutorily defined harms
4If a data processor, update agreements to include AI-related data protection obligations per TRAIGA amendments to the TDPSA
5Update privacy notices with all TDPSA-required disclosures
6Implement consumer rights request mechanisms with 45-day response period
7Obtain opt-in consent for processing sensitive personal data
8Establish an appeals process for denied consumer requests
9If operating as a data broker, register with the Texas Secretary of State

Texas Privacy Law FAQ

Official Resources

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.