Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/E
TDPSA Texas Attorney General

REGULATION · US STATE · IN FORCE SINCE 2024

Texas Data Privacy and Security Act


Scope and territorial reach

Scope

The Texas Data Privacy and Security Act (TDPSA, Tex. Bus. & Com. Code Ch. 541) became effective 1 July 2024 — making Texas the largest US state by population to enact a comprehensive privacy law. It applies to any person who:

  • Conducts business in Texas or produces products/services consumed by Texas residents,
  • Processes or engages in the sale of personal data, AND
  • Is not a “small business” as defined by the U.S. Small Business Administration.

The SBA-based small-business exclusion is a unique TDPSA feature — it is not based on revenue or consumer-count thresholds like other states.

TDPSA §541.051 establishes opt-out rights for:

  • Sale of personal data
  • Targeted advertising
  • Profiling that produces legal or similarly significant effects

For sensitive data — race, religion, health, sexual orientation, citizenship/immigration status, genetic/biometric data, precise geolocation, or data of a known child under 13 — TDPSA requires opt-in consent.

Universal Opt-Out Mechanism (UOOM)

Effective 1 January 2025, Texas controllers must recognise universal opt-out signals — Global Privacy Control (GPC) being the canonical implementation. Texas joins Colorado, Connecticut, and California as states with mandatory UOOM recognition.

Consumer rights (§541.052)

  • Right to confirm processing and access personal data
  • Right to correct inaccuracies
  • Right to delete personal data provided by or obtained about the consumer
  • Right to data portability
  • Right to opt out of sale, targeted advertising, profiling
  • Right to appeal a denied request — internal review within 60 days

Response timeline: 45 days, extendable by 45 days once.

Privacy notice requirements (§541.102)

Distinct from Virginia and California, TDPSA requires a specific notice for entities that sell sensitive personal data: “NOTICE: We may sell your sensitive personal data.” Plus a parallel notice for biometric data sale: “NOTICE: We may sell your biometric personal data.”

These mandated notices must appear in the privacy notice in the same manner as other disclosures.
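The verbatim-notice requirement above is easy to get wrong when a privacy notice is edited by hand (a paraphrase such as "we may sell sensitive data" does not satisfy it). The following check is an added example, not code from the page or from any regulator: it verifies that the exact §541.102(b) strings are present for the activities a controller declares. The activity flags, the `missingRequiredNotices()` function and the sample notice are constructed for illustration.

```javascript
// Added example (not from the page): check that a privacy notice carries the verbatim
// TDPSA §541.102(b) disclosures for the activities a controller actually performs.
// The activity flag names and the sample notice are constructed for illustration.

const REQUIRED_NOTICES = Object.freeze([
  { activity: "sellsSensitiveData", text: "NOTICE: We may sell your sensitive personal data." },
  { activity: "sellsBiometricData", text: "NOTICE: We may sell your biometric personal data." },
]);

// Collapse runs of whitespace (line wraps, HTML rendering) so only wording and
// punctuation are compared. Case is deliberately NOT normalised: the statutory
// text must appear verbatim.
function normaliseWhitespace(s) {
  return s.replace(/\s+/g, " ").trim();
}

// Returns the required notice strings that are absent for the declared activities.
// An empty array means the notice text satisfies §541.102(b)(2)-(3) for those
// activities; conspicuousness of placement still has to be reviewed by a human.
function missingRequiredNotices(noticeText, activities) {
  const haystack = normaliseWhitespace(noticeText);
  return REQUIRED_NOTICES
    .filter(({ activity }) => activities[activity] === true)
    .filter(({ text }) => !haystack.includes(text))
    .map(({ text }) => text);
}

// Constructed sample: paraphrases the sensitive-data disclosure (which fails the
// check) but quotes the biometric disclosure verbatim across a line wrap (which passes).
const SAMPLE_NOTICE = `
  Privacy notice (constructed sample)
  We may sell sensitive data to partners.
  NOTICE: We may sell your biometric
  personal data.
`;

// Usage: run in CI against the rendered notice text before publishing.
function sampleRun() {
  return missingRequiredNotices(SAMPLE_NOTICE, {
    sellsSensitiveData: true,
    sellsBiometricData: true,
  });
}
```

Because the match is whitespace-insensitive but case- and punctuation-sensitive, the check catches the common failure (a reworded disclosure) without producing false alarms when the notice is re-flowed by a CMS.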

Data Protection Assessments (§541.105)

Required for: targeted advertising, sale of personal data, processing of sensitive data, profiling with reasonably foreseeable risk of consumer harm, and other high-risk processing. The AG may require disclosure of completed assessments.

Breach notification

Texas has a separate Identity Theft Enforcement and Protection Act (Tex. Bus. & Com. Code §521.053) — pre-existing. Notification required without unreasonable delay and not later than 60 days after discovery, to affected residents. State AG notification required for breaches affecting ≥250 Texas residents.

Enforcement

Exclusive enforcement by the Texas Attorney General — no private right of action. Pre-enforcement 30-day cure period (Texas has not signalled a sunset date for the cure provision, contrasting with Connecticut which sunset its cure period 31 December 2024).

Maximum civil penalty: $7,500 per violation. Texas AG has been visibly active on consumer-protection litigation generally; expect similar posture for TDPSA. As of mid-2026 no public final TDPSA fines, but warning letters have begun.

How TDPSA compares to CCPA/CPRA

  • Both opt-out frameworks for sale + targeted ads + profiling
  • Both require GPC/UOOM recognition (TDPSA from 2025-01-01)
  • Texas has SBA-based small-business exemption; California does not
  • Texas requires explicit “we may sell sensitive PI” notice; California does not require that exact wording
  • Texas AG has 30-day cure period; California has no cure period (CPRA removed)

Key references

  • Texas Attorney General Consumer Privacy: texasattorneygeneral.gov
  • Tex. Bus. & Com. Code Chapter 541 (statute)
  • Texas Identity Theft Enforcement and Protection Act (parallel breach-notification law)


Seven principles (Article 5)

The constitutional backbone — every processing activity must satisfy all seven simultaneously.

  1. Transparent privacy notice §541.102

     Privacy notice must list categories of personal data processed, processing purposes, categories shared with third parties, consumer rights, and an active rights-request method.

  2. "We may sell sensitive personal data" notice §541.102(b)(2)

     If you sell sensitive personal data, the privacy notice must contain the verbatim disclosure: "NOTICE: We may sell your sensitive personal data." Same applies to biometric data sales — TDPSA-unique requirement.

  3. Purpose limitation §541.101(a)(1)

     Limit collection to what is adequate, relevant, and reasonably necessary for the disclosed purpose; new purposes need fresh consent.

  4. Data minimization §541.101(a)(1)

     Collect only personal data adequate, relevant, and reasonably necessary for the disclosed purposes.

  5. Reasonable security §541.101(a)(3)

     Establish, implement, and maintain reasonable administrative, technical, and physical data-security practices appropriate to the volume and nature of data processed.

  6. Non-discrimination §541.101(a)(4)

     Cannot discriminate against consumers for exercising rights — no denial of goods/services, different prices, or lower quality (loyalty programs allowed if voluntary).

  7. Universal Opt-Out Mechanism (UOOM) §541.055(e)

     Mandatory since January 1, 2025 — controllers must recognize browser/device-level opt-out signals (e.g. Global Privacy Control) for sale and targeted-advertising opt-outs.

  8. Sensitive data opt-in §541.101(a)(2)

     Consent required before processing sensitive personal data (race, religion, health, sexual orientation, citizenship, genetic/biometric data, precise geolocation, children's data).

  9. Data Protection Assessment §541.105

     Mandatory DPA for targeted advertising, sale, profiling with foreseeable risk, sensitive-data processing, and any high-risk processing — documented and provided to TX AG on request.

Six lawful bases (Article 6)

You must identify and document one before processing — and consent isn't always the right one.

Reasonably necessary for disclosed purpose (§541.101(a)(1))

Default basis — processing limited to what's adequate and relevant for purposes disclosed in the privacy notice.

Common for: Account creation, order fulfillment, basic site analytics

Opt-out default for sale, targeted ads, profiling (§541.055)

Sale of personal data, targeted advertising, and profiling with significant effects are allowed by default, but the consumer can opt out at any time (including via UOOM).

Common for: Ad networks, retargeting pixels, data-broker sharing

Opt-in consent for sensitive data (§541.101(a)(2))

Affirmative consent (clear, informed, freely given) required before processing sensitive personal data.

Common for: Health data, biometric data, precise geolocation, children's data, race/religion/orientation

Legal obligation (§541.108(a))

Compliance with federal, state, or local laws — TDPSA does not restrict.

Common for: Tax records, AML, subpoena response

Vital interest / safety (§541.108(a)(7))

Necessary to protect a vital interest of the consumer or another person, prevent fraud, or protect physical safety.

Common for: Medical emergencies, fraud prevention, account-takeover defense

Internal research / product improvement (§541.108(c))

Improving, repairing, or developing products and services — limited to internal use, no third-party sharing.

Common for: A/B testing, debugging, product analytics (de-identified)

SBA small-business exemption (§541.002(b))

Entities meeting U.S. Small Business Administration size standards are EXEMPT from most TDPSA obligations — but still must obtain consent before selling sensitive personal data. Unique to TDPSA: no revenue or record-count threshold like Virginia/Colorado/Connecticut.

Common for: Most independent SaaS / e-commerce / consultancies under SBA size caps

Eight data-subject rights (Articles 12–22)

What individuals can demand from you, with the response window and scope.

Right | Section | Response | Scope
Right to confirm processing and access | §541.051(b)(1) | 45 days | Confirm whether the controller is processing the consumer's personal data and obtain a copy in a portable, readily usable format.
Right to correct | §541.051(b)(2) | 45 days | Correct inaccurate personal data, taking into account the nature of the data and processing purposes.
Right to delete | §541.051(b)(3) | 45 days | Delete personal data provided by or obtained about the consumer.
Right to data portability | §541.051(b)(4) | 45 days | Obtain a copy of personal data previously provided in a portable and, to the extent technically feasible, readily usable format.
Right to opt out (sale, targeted ads, profiling) | §541.051(b)(5) | 45 days | Opt out of (a) sale of personal data, (b) targeted advertising, (c) profiling that produces legal or similarly significant effects.
Right to appeal | §541.052 | 60 days | If a request is denied, consumer may appeal within a reasonable time. Controller has 60 days to inform consumer of action; if still denied, consumer may complain to TX AG.

Comparison with other US state privacy laws


Jurisdiction | Act | Stricter than baseline? | Note
🇺🇸 Texas (TX), primary | TDPSA · Tex. Bus. & Com. Code Ch. 541 | Stricter | Largest US state by population to enact a comprehensive privacy law. UOOM mandatory from Jan 1, 2025. Unique "NOTICE: We may sell your sensitive personal data" disclosure. SBA-defined small-business exemption (no revenue threshold).
🇺🇸 California (CA) | CCPA / CPRA | Stricter | Sale/share opt-out, sensitive-PI limit-use right, GPC mandatory since 2021. Broader scope (revenue threshold $25M, 100k records, or 50% revenue from data sale).
🇺🇸 Virginia (VA) | VCDPA | Aligned | First US state-level comprehensive privacy law (2023-01-01). TDPSA closely modeled on VCDPA structure but adds UOOM mandate and SBA exemption.
🇺🇸 Colorado (CO) | CPA | Stricter | UOOM mandatory since 2024-07-01 (CPA was first state to require it). Rulemaking authority gives AG broader interpretation room than TDPSA.
🇺🇸 Connecticut (CT) | CTDPA | Aligned | UOOM mandatory since 2025-01-01. Aligned with TDPSA timing but smaller scope (35k+ residents).
🇺🇸 Utah (UT) | UCPA | Aligned | Most business-friendly US privacy law — no profiling opt-out, no DPA requirement, no right to correct. TDPSA stricter than UCPA.
🇺🇸 Oregon (OR) | OCPA | Aligned | UOOM mandatory since 2026-01-01. Includes nonprofits in scope (TDPSA exempts them).
🇺🇸 Montana (MT) | MCDPA | Aligned | Effective 2024-10-01. Lower threshold (50k residents). UOOM mandatory from 2025-01-01.
🇺🇸 Delaware (DE) | DPDPA | Aligned | Effective 2025-01-01. Lower threshold (35k residents). UOOM required.
🇺🇸 Iowa (IA) | ICDPA | Aligned | Effective 2025-01-01. Most lenient post-Utah — no profiling opt-out, no UOOM mandate, longer 90-day cure.
🇺🇸 New Jersey (NJ) | NJDPA | Aligned | Effective 2025-01-15. UOOM required by July 2025. Includes financial-account info as sensitive.
🇺🇸 Tennessee (TN) | TIPA | Aligned | Effective 2025-07-01. Affirmative defense for NIST-aligned privacy program (unique). 60-day cure.

Common questions

Does TDPSA apply to my non-Texas business?
Yes, if you (1) conduct business in Texas or produce products/services consumed by Texas residents AND (2) process or sell personal data — and you do not qualify for the SBA small-business exemption. There are NO numerical thresholds (no "X residents" or "$Y revenue" gate) — TDPSA applies more broadly than VCDPA/CTDPA at the top level, but the SBA exemption pulls most small businesses out of scope.
TDPSA vs CCPA / VCDPA — key differences?
Three TDPSA-specific items: (1) SBA small-business exemption (no revenue/threshold gate; if you meet U.S. SBA size standards for your industry, you're exempt from most obligations — but still need consent to sell sensitive PI). (2) Mandatory "NOTICE: We may sell your sensitive personal data" verbatim disclosure if you sell sensitive PI. (3) UOOM mandatory from 2025-01-01. Otherwise structure mirrors VCDPA closely (opt-out for sale/targeted ads/profiling, opt-in for sensitive).
What's the SBA small-business exemption?
TDPSA §541.002(b) exempts entities that meet U.S. Small Business Administration size standards (defined per NAICS code — typically <$8M-$41.5M revenue or <100-1500 employees depending on industry). This is unique among US state privacy laws. Caveat: even SBA-exempt businesses must obtain affirmative consent before selling sensitive personal data. Practical effect: most independent SaaS / e-commerce / agencies are exempt from rights-request, DPA, and notice obligations.
"We may sell your sensitive PI" notice — when required?
Required (§541.102(b)(2)) any time you sell sensitive personal data — defined as race, ethnicity, religion, mental/physical health diagnosis, sexual orientation, citizenship/immigration status, genetic/biometric data, precise geolocation (1750ft / 533m), and personal data of a known child. Verbatim text required: "NOTICE: We may sell your sensitive personal data." Same applies for biometric data (§541.102(b)(3)). Disclosure must be conspicuous in the privacy notice.
UOOM mandate from 2025 — what counts?
From 2025-01-01, controllers engaged in sale or targeted advertising MUST recognize a Universal Opt-Out Mechanism. The de facto standard is Global Privacy Control (GPC) — the same browser-level signal honored under California, Colorado, Connecticut, and now Texas. Receiving a GPC signal must be treated as a valid opt-out request for that consumer's sale and targeted-advertising rights — no cookie banner consent needed to suppress.
Do I need to honor GPC under TDPSA?
Yes — Global Privacy Control is the recognized UOOM. As of 2025-01-01, TDPSA §541.055(e) requires controllers to treat a GPC signal as a valid opt-out from sale and targeted advertising. Implementation: detect navigator.globalPrivacyControl in the browser, suppress sale-of-data and targeted-ad tags (Meta Pixel, GA4 Signals, ad-network beacons) before they fire.
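The two answers above (UOOM mandate and honoring GPC) describe the same control: treat a GPC signal as an opt-out from sale and targeted advertising and decide that before any tag fires. The following is an added example, not code from the page or from any regulator, covering both the browser side and the server side. `navigator.globalPrivacyControl` and the `Sec-GPC: 1` request header are the signals defined by the Global Privacy Control specification; the tag catalogue, the category labels, `evaluateOptOut()`, `loadTrackingTags()` and the `/tags/...` script paths are assumptions for illustration. Because the page ties GPC to sale and targeted-advertising opt-outs only, profiling here is driven solely by a stored consumer preference, not by the signal.

```javascript
// Added example (not from the page): a GPC-aware gate for sale and targeted-advertising
// tags. navigator.globalPrivacyControl (browser) and the "Sec-GPC: 1" request header
// (server) are the real GPC signals; the tag catalogue, category names and script paths
// are hypothetical.

// Categories a GPC signal opts the consumer out of under TDPSA §541.055(e)
// as described on this page: sale and targeted advertising.
const GPC_OPT_OUT_CATEGORIES = Object.freeze(["sale", "targeted_advertising"]);

// Combine the GPC signal with any preference the consumer already recorded
// (e.g. a profiling opt-out submitted through the rights-request form).
// Returns the Set of categories that must be suppressed.
function evaluateOptOut({ gpcSignal = false, storedOptOuts = [] } = {}) {
  const optedOut = new Set(storedOptOuts);
  if (gpcSignal) {
    for (const category of GPC_OPT_OUT_CATEGORIES) optedOut.add(category);
  }
  return optedOut;
}

// Server side: the browser sends "Sec-GPC: 1" when the signal is enabled.
// Header names are case-insensitive; Node lowercases them, other stacks may not.
function gpcFromHeaders(headers) {
  const value = headers["sec-gpc"] ?? headers["Sec-GPC"];
  return String(value ?? "").trim() === "1";
}

// Browser side: navigator.globalPrivacyControl is strictly true when the signal is on;
// absent (undefined) means "no signal", which must NOT be read as consent to anything.
function gpcFromNavigator(nav) {
  return nav != null && nav.globalPrivacyControl === true;
}

// Hypothetical tag catalogue: every third-party tag is labelled with the processing
// category it enables, so suppression is a data lookup rather than per-tag code.
const TAG_CATALOGUE = Object.freeze([
  { name: "first-party-analytics", category: "analytics" },
  { name: "retargeting-pixel", category: "targeted_advertising" },
  { name: "data-broker-beacon", category: "sale" },
]);

// Decide which tags may fire. Called BEFORE any tag script is injected, so an
// opted-out tag never loads (suppressing after the fact is too late).
function selectAllowedTags(optedOut, catalogue = TAG_CATALOGUE) {
  return catalogue.filter((t) => !optedOut.has(t.category)).map((t) => t.name);
}

// Hypothetical browser entry point. Returns the tags it would inject so the
// decision can be checked outside a browser as well.
function loadTrackingTags(nav = globalThis.navigator, storedOptOuts = []) {
  const optedOut = evaluateOptOut({ gpcSignal: gpcFromNavigator(nav), storedOptOuts });
  const allowed = selectAllowedTags(optedOut);
  if (typeof document !== "undefined") {
    for (const name of allowed) {
      const script = document.createElement("script");
      script.src = `/tags/${name}.js`; // hypothetical path
      document.head.appendChild(script);
    }
  }
  return allowed;
}
```

The server-side check matters for tags that are rendered into the HTML rather than injected by script: if the `Sec-GPC` header is present on the page request, the sale and targeted-advertising tags should be left out of the response entirely, which also removes the dependency on client-side JavaScript running first.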
Maximum TDPSA fine?
$7,500 per violation (Tex. Bus. & Com. Code §541.155). "Per violation" can compound across affected consumers — but TDPSA gives a 30-day cure period (no sunset) before any penalty action: TX AG must notify the violator, give 30 days to fix, and only after non-cure can civil-penalty action be brought. Texas does NOT have a private right of action under TDPSA — only TX AG enforces.
Data Protection Assessment under TDPSA — same as VCDPA?
Substantively similar (§541.105) — required for targeted advertising, sale, profiling with foreseeable significant risk, sensitive-data processing, and any high-risk activity. DPA must weigh benefits against risks and document mitigations. TX AG can compel production. One difference: VCDPA's DPA requirement triggers on slightly different thresholds — TDPSA's ties more explicitly to the sale/targeted-ad/profiling triad and sensitive data.
Cure period — sunset or permanent?
Permanent — no sunset. TDPSA §541.155(b) gives a 30-day cure period before TX AG can bring civil-penalty action. This contrasts with California (cure period sunset 2023), Colorado (sunset 2025), and others. Practical effect: TX AG enforcement in 2024-2025 has been heavy on warning letters and corrective-action settlements rather than first-strike fines.
Texas Identity Theft Act — separate law for breach notification?
Yes — TDPSA does NOT cover breach notification. Breach is governed by the Texas Identity Theft Enforcement and Protection Act (Tex. Bus. & Com. Code Ch. 521). Notify affected Texas residents "as quickly as possible" and notify TX AG within 60 days if the breach affects 250+ Texas residents (Ch. 521.053). Two parallel statutes — TDPSA = privacy/rights; Ch. 521 = breach response.