Key takeaways

  • TDPSA applies to businesses serving Texas residents that process or sell personal data and are not small businesses.
  • It sets specific consumer-rights and processing requirements.
  • Obligations track other state laws with Texas-specific details.
  • Engage Compliance scopes whether TDPSA applies to you and builds the compliance program.

Does TDPSA apply to you?

TDPSA applies to persons that:

  • Conduct business in Texas or produce a product or service consumed by Texas residents; and
  • Process or engage in the sale of personal data; and
  • Are not a small business as defined by the United States Small Business Administration.

The ‘small business’ exemption is the distinctive feature of TDPSA. Small business definitions vary by industry under SBA size standards, but generally cover companies below specific revenue or employee thresholds. For most technology companies, the small business exemption typically stops applying once they are past the very early stage.

Notably, TDPSA does not require that a specific number of Texas consumers' data be processed before it applies. The combination of doing business in Texas, processing personal data, and not being a small business is sufficient. This is a broader scope than VCDPA, CPA, and CCPA.

What TDPSA requires

A compliant privacy notice. The notice must describe categories of personal data processed, purposes of processing, how consumers can exercise their rights, categories of personal data shared with third parties, and a description of the methods to exercise rights.

Consumer rights operational capability. Texas consumers have rights including:

  • Right to access
  • Right to correction
  • Right to deletion
  • Right to data portability
  • Right to opt out of the sale of personal data, targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects

Controllers must respond to consumer requests within 45 days, extendable by 45 days.

Universal opt-out mechanism. Texas requires controllers to recognize valid universal opt-out signals beginning January 1, 2025.

Sensitive data consent. Processing of sensitive personal data requires opt-in consent. Sensitive data definitions are similar to other state laws.

Data protection assessments. Controllers must conduct and document data protection assessments for processing activities involving targeted advertising, sale of personal data, profiling with high-risk effects, sensitive data, or other heightened-risk processing.

Processor contracts. Contracts between controllers and processors must include specific terms similar to other state laws.

Sale of sensitive personal data disclosure. TDPSA includes a specific requirement to clearly disclose any sale of sensitive personal data with specific notice language including ‘NOTICE: We may sell your sensitive personal data.’

Sale of biometric data disclosure. TDPSA includes a specific requirement to clearly disclose any sale of biometric data with specific notice language.

Enforcement

The Texas Attorney General has exclusive enforcement authority; there is no private right of action. Penalties reach up to 7,500 USD per violation. TDPSA includes a 30-day cure period before the Attorney General can initiate enforcement. The Texas Attorney General has been an active state-level privacy enforcer in other contexts and is expected to actively enforce TDPSA.

How TDPSA compares to other state laws

TDPSA shares structure with VCDPA and CPA but with distinctive elements:

  • Small business threshold rather than consumer count threshold. This brings more companies into scope than the consumer-count thresholds of California, Virginia, and Colorado.
  • Specific notice language for sensitive data and biometric data sales. The required notice language is more prescriptive than other state laws.
  • Universal opt-out mechanism requirement.
  • No cure period expiration mechanism, providing slightly more cure flexibility than Colorado.

How Engage Compliance helps

TDPSA compliance is included in our DPO services for clients serving Texas residents. Specific work includes:

  • Small business threshold assessment to determine applicability.
  • Privacy notice with Texas-specific sections including required notice language for sensitive and biometric data sales.
  • Consumer rights process design and implementation.
  • Universal opt-out mechanism implementation.
  • Data protection assessment documentation.
  • Multi-state harmonization across TDPSA and other US state laws.

Get started

If you have Texas operations and need TDPSA compliance support, book a consultation.

  • Same-business-day response
  • Professional indemnity and cyber insurance
  • Named DPO notified to the supervisory authority

Frequently asked questions

Does TDPSA apply to us?

TDPSA applies if you conduct business in Texas or produce a product or service consumed by Texas residents, process or engage in the sale of personal data, and are not a small business as defined by the United States Small Business Administration. There is no minimum number of Texas consumers, which makes the scope broader than Virginia, Colorado, and CCPA.

Why is the scope broader than other states?

TDPSA ties applicability to small-business status rather than a consumer-count threshold. Small business definitions vary by industry under SBA size standards, but for most technology companies past the very early stage the small-business exemption does not apply, so the law is in scope.

Is there special notice language we must use?

Yes. TDPSA requires specific disclosure language for any sale of sensitive personal data and for any sale of biometric data, including the prescribed sensitive-data sale notice. This required language is more prescriptive than other state laws.

How fast must we respond, and do we honor opt-out signals?

Controllers must respond to consumer requests within 45 days, extendable by 45 days, and must recognize valid universal opt-out signals from January 1, 2025. Texas consumers have rights to access, correction, deletion, portability, and opt-out of sale, targeted advertising, and certain profiling.

What are the penalties?

The Texas Attorney General has exclusive enforcement authority and there is no private right of action. Penalties reach up to 7,500 USD per violation, and there is a 30-day cure period before the Attorney General can initiate enforcement.