Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/US
Texas State of Texas

Texas — analytics & cookie compliance reference

Broadest US state-privacy scope (no revenue/data threshold), aggressive single-regulator enforcement under the Office of the Attorney General, and a pre-existing biometric law (CUBI) that catches analytics + ad-tech vendors. Home of the two largest US state-privacy settlements ($1.4B Meta Jul 2024 + $1.375B Google May 2025).

// SCOPE

Web analytics, cookies, tag managers, CMPs, ad pixels, session-replay, and biometric-capable tools as deployed on websites and apps targeting Texas consumers. TDPSA applies to anyone 'conducting business in Texas' except SBA-defined small businesses; CUBI applies regardless of size whenever a biometric identifier is captured. English + Spanish notice considerations are noted but not formally mandated by TDPSA.

National addons

Country-specific statutes layered on the EU baseline.

TDPSA
Texas Data Privacy and Security Act
Comprehensive consumer privacy law. Unlike CCPA/VCDPA/CPA, TDPSA has no revenue or data-volume threshold — it applies to any person who (1) conducts business in Texas or produces products/services consumed by Texas residents, (2) processes or engages in the sale of personal data, and (3) is not a 'small business' as defined by the United States Small Business Administration. This is the broadest statutory scope of any US state-privacy law. Opt-out model: rights to know, correct, delete, port, and opt out of (a) sale, (b) targeted advertising, (c) profiling with legal/significant effects.
  • § 541.051 Applicability — 'small business' (SBA) carve-out is the only size filter; no revenue/consumer thresholds
  • § 541.052 Consumer rights — know, correct, delete, port, opt-out of sale/targeted ads/profiling
  • § 541.055 Sensitive data — opt-in consent required (genetic/biometric, precise geolocation, race/ethnicity, religion, health, sexuality, citizenship/immigration, children's data)
  • § 541.101 Privacy notice + 'sale of sensitive personal data' / 'sale of biometric data' specific banner-text mandates
  • § 541.105 Data protection assessments — required for high-risk processing (targeted ads, sale, sensitive data, profiling)
  • § 541.155 Enforcement — exclusive AG authority, $7,500 per violation, 30-day cure period (NOT sunsetted, unlike CPRA)
Tex. Bus. & Com. Code § 541 et seq. — H.B. 4 signed 18 Jun 2023, effective 1 Jul 2024.
CUBI
Capture or Use of Biometric Identifier Act
Biometric-specific law: prohibits capturing a biometric identifier (retina/iris scan, fingerprint, voiceprint, hand/face geometry) for a commercial purpose without prior informed consent. Captured biometrics may not be sold/leased/disclosed except in narrow exceptions, must be reasonably protected, and must be destroyed within 1 year of the original purpose. AG-only enforcement — no private right of action (distinguishing CUBI from Illinois BIPA). The Google ($1.4B) and Meta ($1.4B) settlements were both anchored in CUBI claims (face-grouping in Photos, face-tagging on Facebook).
  • § 503.001(b) Prior informed consent required before capturing a biometric identifier
  • § 503.001(c)(1) Sale/lease/disclosure of biometric identifiers prohibited except narrow exceptions
  • § 503.001(c)(3) Destruction within 1 year of original purpose (or earlier on request)
  • § 503.001(d) Civil penalty — up to $25,000 per violation; AG enforces
Tex. Bus. & Com. Code § 503.001 — enacted 2009, predates TDPSA by 15 years.
SCOPE Act
Securing Children Online through Parental Empowerment Act
Minors-only protections (under 18 — broader than COPPA's under-13 federal floor). 'Digital service providers' must (1) register the age of every user, (2) prohibit targeted advertising to known minors, (3) disable algorithmic recommendation/personalization based on a minor's data, (4) prohibit sale of minors' personal information without parental consent, (5) provide parental tools for monitoring/disabling features. Partially enjoined Aug 2024 (1st Amendment grounds for 'harmful content' filtering provisions) — privacy provisions remain in force.
  • § 509.052 Age registration — service must register a user's age category before collection
  • § 509.053 Prohibition on targeted advertising / data sale / algorithmic personalization for known minors
  • § 509.055 Parental tools — monitoring + content/feature controls
  • § 509.151 Enforcement — AG only; injunctive relief + civil penalties up to $10,000 per violation
Tex. Bus. & Com. Code § 509 — H.B. 18 signed 2023, effective 1 Sep 2024.
TITEPA
Texas Identity Theft Enforcement and Protection Act
Pre-TDPSA security baseline: businesses holding 'sensitive personal information' (SSN, government ID, financial-account, biometric, health, insurance, login credentials) must implement reasonable safeguards, notify affected consumers within 60 days of a breach affecting 250+ Texans, and notify the AG within 30 days. Continues to operate alongside TDPSA — TDPSA does not displace breach-notification obligations.
  • § 521.052 Reasonable safeguards for sensitive PI
  • § 521.053 Breach notification — 60 days to consumers (250+ TX residents triggers AG notification within 30 days)
  • § 521.151 Civil penalty up to $50,000 per violation; AG enforces
Tex. Bus. & Com. Code § 521 — enacted 2005; amended 2019, 2023.

Regulators

Supervisory authorities that interpret and enforce privacy law here.

State / Land DPAs · 1 authority

Land / state · Authority · Note
Texas — OAG · Office of the Attorney General of Texas · Sole enforcer of TDPSA, CUBI, SCOPE Act, and TITEPA. Created the dedicated Consumer Privacy Unit in June 2024 — staffed with attorneys, investigators, and IT experts focused exclusively on privacy enforcement. Under AG Ken Paxton, Texas has been the most aggressive US-state attorney general on privacy: secured the two largest US privacy settlements (Google $1.4B May 2024; Meta $1.4B Jul 2024) and ongoing TikTok litigation. No private right of action under TDPSA or CUBI — this concentrates all leverage in the AG office.

Coordination body

Texas OAG Consumer Privacy Unit · Office of the Attorney General — Consumer Privacy Unit
Single-regulator model. The OAG Consumer Privacy Unit (created June 2024) consolidates TDPSA + CUBI + SCOPE Act + TITEPA enforcement. No state-level data protection authority, no private right of action, no concurrent agency (contrast with California's CPPA + AG split). Enforcement priorities published via press releases and public notices; no formal binding opinions, but settlement language is treated as de facto authority by Texas-based counsel.
  • 2024-06-04 · Consumer Privacy Unit launch — AG Paxton announces a dedicated privacy enforcement team — first US state AG to create a unit exclusively for privacy/AI/biometric enforcement. Stated priorities: TDPSA compliance, biometric (CUBI), data brokers, children's data (SCOPE).
  • 2024-07-30 · TDPSA enforcement priorities — Six-month-out compliance notices issued to controllers operating in Texas; OAG warned that absence of revenue/consumer thresholds means 'small businesses' (SBA-defined) are the only carve-out — every non-small business operating in Texas should expect coverage.
  • 2024-10-03 · TikTok lawsuit — Texas OAG sues TikTok for SCOPE Act violations + biometric collection from minors without verifiable parental consent. Pending in 2026.

Notable enforcement

Texas is the most aggressive single-regulator US-state privacy enforcer. The July 2024 Meta $1.4B and May 2025 Google $1.375B settlements — both anchored in CUBI biometric claims (face-tagging on Facebook, face-grouping in Photos) plus parallel TX UDAP theories — are the largest US state-privacy settlements on record by an order of magnitude over California's prior Healthline $1.55M ceiling. AG Ken Paxton has positioned the office as the de facto national privacy enforcer for biometric and big-tech cases, leveraging CUBI's pre-existing 2009 baseline (15 years older than TDPSA) to reach conduct beyond TDPSA's 1-Jul-2024 effective date. Distinctive structural features amplify this: (1) NO revenue/consumer thresholds in TDPSA — broadest scope of any US state law; (2) NO private right of action — all enforcement leverage concentrated in OAG; (3) Consumer Privacy Unit (created June 2024) staffed exclusively for privacy, biometric, AI, and SCOPE Act work; (4) 30-day cure period preserved (not sunsetted) — but treated as a procedural step, not a safe harbor. Active 2024-2026 priorities: connected-vehicle data (GM, Allstate/Arity), minors' data (TikTok lawsuit ongoing under SCOPE Act + CUBI), AI training data, data brokers. Web-analytics controllers should expect TDPSA-era enforcement throughout 2026 as the cure-period seasoning matures.

GA4 status

GA4 is legal in Texas with proper opt-out implementation. TDPSA uses an opt-out baseline (no pre-collection consent required for adults), BUT (1) controllers must publish a TDPSA-conforming privacy notice with the specific banner-text mandates of § 541.101, (2) opt-out of sale + targeted advertising must be honored (universal opt-out signals like GPC are recognized but, unlike California, not yet expressly mandatory — TDPSA leaves the technical signal question to forthcoming AG guidance), (3) sensitive personal data (precise geolocation, biometric, health, race/ethnicity, religion, sexuality, immigration, children) requires opt-in consent, and (4) CUBI separately bars any biometric capture (e.g., voiceprint, face geometry) without prior informed consent + 1-year destruction. Status flips to red whenever GA4 is configured to capture biometric or precise-location data without explicit consent — the Google $1.375B settlement is the cautionary anchor.

DPA · Stance
Texas OAG · Aggressive single-regulator. CUBI biometric capture is the bright line ($1.4B Meta + $1.375B Google). TDPSA opt-out + sensitive-data opt-in must be operational; the absence of revenue/consumer thresholds means small-business-carveout (SBA-defined) is the only filter. Consumer Privacy Unit treats analytics + ad-tech vendor flows as 'sale of personal data' absent conforming controller-processor contracts under § 541.104.

Cross-border transfers + Schrems II

Domestic US — no Schrems II issue. TDPSA imposes contractual flow-down obligations (§ 541.104) requiring controllers to bind processors via contract specifying purpose, data type, processing instructions, confidentiality, audit rights, and onward-transfer terms. There is no GDPR-Chapter-V-equivalent regime: no adequacy decisions, no SCCs, no data-residency requirement. CUBI's biometric onward-transfer prohibition (§ 503.001(c)) operates independently — biometric data may not be sold/leased/disclosed even within the US except in narrow exceptions.

Not applicable. Controllers should focus on TDPSA § 541.104 controller-processor contracts and CUBI § 503.001(c) biometric handling restrictions. Failure to bind processors via conforming contracts converts a 'disclosure' into a 'sale of personal data' under TDPSA's broad definition — a Sephora-style risk that the OAG has signaled it will pursue.

Employee data

Key thresholds

  • Child consent age: 13 years
  • Article 27 representative: Not required
  • Marketing consent: Single opt-in

Vendor signals

Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.

Analytics tools · 4 · 2 green · 1 yellow · 1 red
Vendor · Status · Rationale
 GREEN Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation. US baseline more permissive.
 GREEN EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain. US baseline more permissive.
 YELLOW EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green.
 RED Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimization.
Consent management platforms · 5 · 5 green · 0 yellow · 0 red
Vendor · Status · Rationale
 GREEN Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify your manual scripts also gate.
 GREEN Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan.
 GREEN Open-source, self-hosted. No managed updates — site owner maintains vendor list.
 GREEN GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch — verify per-region defaults. US baseline more permissive.
 GREEN German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites.
Ad pixels · 3 · 0 green · 3 yellow · 0 red
Vendor · Status · Rationale
 YELLOW Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set. US opt-out baseline relaxes the verdict, but GPC + CCPA opt-out signals must still be honoured.
 YELLOW Schrems II concerns persist; advanced matching hashes PII but does not fix EU→US transfer problem. US opt-out baseline relaxes the verdict, but GPC + CCPA opt-out signals must still be honoured.
 YELLOW PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required. US opt-out baseline relaxes the verdict, but GPC + CCPA opt-out signals must still be honoured.
Server-side · 3 · 2 green · 1 yellow · 0 red
Vendor · Status · Rationale
 GREEN EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic.
 GREEN EU server containers handle the routing — but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings.
 YELLOW "EU server" ≠ EU data — clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party-routing.

Common questions

Is Google Analytics legal in Texas in 2026?
Yes, with proper safeguards. Texas uses an opt-out baseline under TDPSA (effective 1 Jul 2024), so GA4 may be deployed without pre-collection consent for adults. However, you must (1) publish a TDPSA-conforming privacy notice with the specific banner-text mandates of § 541.101 (including 'sale of sensitive personal data' / 'sale of biometric data' disclosures if applicable), (2) honor opt-out requests for sale and targeted advertising, (3) require opt-in consent for any sensitive personal data (precise geolocation, biometric, health, race/ethnicity, religion, sexuality, immigration, children), (4) execute a controller-processor contract with Google under § 541.104, and (5) NEVER enable biometric capture (voiceprint, face geometry) without separate CUBI-conforming consent + 1-year destruction. The Google $1.375B settlement (announced May 2025) is the cautionary anchor for biometric claims; the absence of TDPSA thresholds means small-business-carveout (SBA-defined) is the only size filter.
Does TDPSA have a revenue or consumer-volume threshold like CCPA?
No — and this is its single most distinctive feature among US state privacy laws. TDPSA applies to anyone who (1) conducts business in Texas or produces products/services consumed by Texas residents, (2) processes or engages in the sale of personal data, and (3) is NOT a 'small business' as defined by the United States Small Business Administration. There is no $26.625M revenue trigger (CCPA), no 100,000-consumer trigger (VCDPA/CPA/CTDPA), no 50%-of-revenue-from-sale trigger. Practical implication: most non-tiny businesses operating in or marketing to Texas are within scope from day one. The SBA size standards vary by NAICS code (typically 100-500 employees or $7-40M revenue depending on industry) — check 13 C.F.R. § 121.201.
What is CUBI and why does it matter for analytics?
CUBI (Capture or Use of Biometric Identifier Act, Tex. Bus. & Com. Code § 503.001) is Texas's biometric-specific law, enacted in 2009 — 15 years before TDPSA. It bars capturing a 'biometric identifier' (retina/iris scan, fingerprint, voiceprint, hand or face geometry) for a commercial purpose without prior informed consent, requires reasonable safeguards, and mandates destruction within 1 year of the original purpose. Sale, lease, or disclosure is prohibited except in narrow exceptions. The OAG enforces (no private right of action — distinguishing CUBI from Illinois BIPA). The two largest US state-privacy settlements ever — Meta $1.4B (Jul 2024) and Google $1.375B (announced May 2025) — were both anchored in CUBI claims (face-tagging on Facebook / face-grouping in Photos). For analytics: any tool that captures voiceprint (call-center IVR analytics), face geometry (camera-based session replay, age-gating face scans), or fingerprint patterns triggers CUBI's separate opt-in regime, regardless of TDPSA's opt-out baseline.
Who enforces TDPSA and how aggressive are they?
The Office of the Attorney General of Texas is the SOLE enforcer — there is no private right of action and no concurrent agency (contrast California's CPPA + AG split or Illinois BIPA's private suits). The AG created a dedicated Consumer Privacy Unit in June 2024, staffed exclusively for privacy, biometric, AI, and SCOPE Act work — the first such unit at any US state attorney general. Under AG Ken Paxton, Texas has been the most aggressive US-state privacy enforcer: Meta $1.4B (Jul 2024), GM lawsuit (Aug 2024), TikTok lawsuit (Oct 2024), Allstate/Arity lawsuit (Jan 2025), Google $1.375B (announced May 2025; finalized Oct 2025). The combination of (a) no thresholds, (b) AG-only leverage, (c) preserved 30-day cure period, and (d) a dedicated enforcement unit means Texas treats the cure period as a procedural step rather than a safe harbor. Treat any OAG contact as enforcement, not warning.
What did the Meta $1.4B and Google $1.375B settlements actually establish?
Three things. (1) CUBI's biometric-capture rule applies to large-scale consumer-product features — face-tagging in Facebook (Meta, Jul 2024), face-grouping in Google Photos and voiceprint in Google Assistant (Google, announced May 2025; finalized Oct 2025). (2) Pre-TDPSA conduct is reachable under CUBI back to 2009 — Texas does not need TDPSA's effective date to bring biometric claims. (3) Settlement amounts can substantially exceed California's prior $1.55M ceiling (Healthline) when CUBI's $25,000-per-violation multiplier is applied to billions of photos/voiceprints. Google's settlement also included Incognito-mode-tracking and geolocation-history claims under TX UDAP — showing the OAG layers CUBI + TDPSA + UDAP theories in big-tech cases. Practical implication: if your analytics or product stack captures any biometric identifier from Texans, get explicit CUBI-conforming consent + 1-year destruction protocols in place yesterday.
What is the SCOPE Act and how does it differ from COPPA?
SCOPE Act (Securing Children Online through Parental Empowerment Act, Tex. Bus. & Com. Code § 509) is Texas's minors-only digital-protection law, effective 1 Sep 2024. Key differences from federal COPPA: (1) protects users under 18, not under 13 (much broader); (2) requires age registration for every user before collection; (3) prohibits targeted advertising to known minors; (4) prohibits algorithmic personalization based on a minor's data; (5) prohibits sale of minors' data without parental consent; (6) mandates parental tools for monitoring/disabling features; (7) AG-only enforcement, $10,000 per violation. The 'harmful content' filtering provisions were partially enjoined in Aug 2024 on 1st Amendment grounds (Free Speech Coalition v. Paxton) — but the privacy provisions are in force. The TikTok lawsuit (Oct 2024) is the active SCOPE enforcement test case.
Do I need to honor a universal opt-out signal like GPC under TDPSA?
Not yet expressly mandated — but recommended. Unlike California CPRA (11 CCR § 7025 makes GPC honoring mandatory), TDPSA does not yet specify a technical signal. § 541.055 requires controllers to recognize 'opt-out preference signals sent by a platform, technology, or mechanism' — but the AG has not issued formal regulations specifying GPC. Best practice: honor GPC as a TDPSA opt-out request to align with California compliance and pre-empt forthcoming OAG guidance. Multi-state controllers typically extend their California GPC implementation to Texas at no incremental cost.
Does TDPSA cover my employee or B2B data?
No. TDPSA § 541.002(b)(11) excludes personal data processed in the employment, applicant, contractor, B2B-contact, or beneficiary context — mirroring VCDPA/CPA/CTDPA and contrasting California's CPRA (which sunsetted that exemption in 2023). However, CUBI applies to ALL biometric capture for a 'commercial purpose' regardless of employment status: fingerprint time-clocks, facial-recognition badge entry, voiceprint authentication for call-center staff all require prior informed consent + 1-year destruction. Practical rule: for non-biometric internal HR analytics, Texas is permissive; for any biometric employee monitoring, run a CUBI-conforming consent + retention + safeguards program before deployment.
What's the children's-consent age in Texas — 13 or 18?
Both apply, in different layers. (1) COPPA (federal) = under 13 — verifiable parental consent before collecting personal information from a child. (2) TDPSA § 541.055 = 'children' (under 13) — sensitive personal data category requiring opt-in consent. (3) SCOPE Act § 509 = under 18 (a 'known minor') — registration of age, no targeted ads, no sale of data without parental consent, no algorithmic personalization. So: 13 is the federal+TDPSA sensitive-category line; 18 is the SCOPE Act minor-protection ceiling. Digital-service providers operating in Texas must build age-registration into onboarding and gate features by registered age category — this is a SCOPE Act-specific architectural requirement.
Does TDPSA require Spanish-language privacy notices?
Not formally mandated. TDPSA requires a 'reasonably accessible, clear, and meaningful' privacy notice (§ 541.101) but does not specify language. However, given Texas's ~30% Spanish-speaking population and the OAG's consumer-protection mandate, Spanish-language notices are strongly recommended for any consumer-facing controller — particularly retail, healthcare, financial services, and education. The federal Limited English Proficiency (LEP) framework + Texas Department of State Health Services notice-translation expectations provide the soft baseline. For analytics-only deployments on English-language sites, English notices typically suffice; for Texas-targeted bilingual properties, ship both.

// EDITORIAL · NOT LEGAL ADVICE This page summarises Texas's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and DPA position. For binding interpretation, consult counsel admitted here.