Texas Data Privacy Laws: TDPSA & Consumer Rights Guide (2026)

Texas has built one of the most comprehensive data privacy frameworks in the United States. The state's approach combines a broad consumer data protection law, dedicated biometric privacy protections, strict breach notification requirements, and aggressive enforcement by the Attorney General's office.
This guide covers every major Texas data privacy statute, what rights you have as a consumer, what obligations businesses must meet, and the penalties for noncompliance.
Texas Data Privacy and Security Act (TDPSA)
The Texas Data Privacy and Security Act, codified as Chapter 541 of the Texas Business and Commerce Code, was enacted through House Bill 4 during the 88th Texas Legislative Session. It took effect on July 1, 2024.

The TDPSA is Texas's comprehensive consumer data protection law. It regulates how businesses collect, use, process, store, sell, share, and analyze personal data belonging to Texas consumers.
Who the TDPSA Applies To
The TDPSA applies to any person or entity that conducts business in Texas or produces a product or service consumed by Texas residents, and that collects, uses, stores, sells, shares, analyzes, or processes consumers' personal data.
Unlike many other state privacy laws, the TDPSA does not set a specific revenue threshold for applicability. Instead, it uses the federal Small Business Administration (SBA) definition to determine which businesses qualify for the small business exemption.
Exempt Entities
The TDPSA exempts six categories of entities from its requirements:
- State agencies and political subdivisions of the state
- Financial institutions governed by the Gramm-Leach-Bliley Act (GLB)
- Entities governed by the Health Insurance Portability and Accountability Act (HIPAA)
- Nonprofit organizations
- Institutions of higher education
- Small businesses as defined by the SBA (with an important exception for sensitive data)
The small business exemption has a significant limitation. If a small business sells sensitive consumer data, it must first obtain the consumer's consent regardless of its size.
Consumer Rights Under the TDPSA
The TDPSA grants Texas consumers several important rights over their personal data. Consumers have the right to:
Confirm and access data. You can ask a business to confirm whether it processes your personal data and request access to that data.
Correct inaccuracies. You can request that a business correct inaccurate personal data it holds about you.
Delete your data. You can request that a business delete personal data it has collected from or about you.
Obtain a portable copy. You can request a copy of your personal data in a portable and readily usable format.
Opt out of targeted advertising. You can opt out of the processing of your personal data for purposes of targeted advertising.
Opt out of data sales. You can opt out of the sale of your personal data to third parties.
Opt out of profiling. You can opt out of profiling that produces a legal or similarly significant effect concerning you.
Controllers must respond to consumer requests without undue delay and no later than 45 days after receiving the request. If a controller sells personal data or processes it for targeted advertising, it must clearly disclose that practice and provide a way for consumers to exercise their right to opt out.
Universal Opt-Out Mechanisms
Texas is one of twelve states that require certain data controllers to recognize universal opt-out mechanisms. Consumers can designate an authorized agent to opt out on their behalf using browser settings, browser extensions, or global privacy controls.
This means tools like Global Privacy Control (GPC) can be used to exercise opt-out rights across multiple websites at once, rather than submitting individual requests to each company.
Personal Data and Sensitive Data Definitions
The TDPSA defines "personal data" as any information that can be linked to a specific, identified individual. Publicly available information or de-identified data that cannot be linked to a specific person does not qualify as personal data.
"Sensitive data" receives heightened protections under the TDPSA and includes:
- Racial or ethnic origin
- Religious beliefs
- Health diagnosis information
- Sexuality or sexual orientation
- Citizenship or immigration status
- Genetic data
- Biometric data used for identification
- Precise geolocation data
- Personal data of a child under the age of 13
Processing sensitive data requires the consumer's prior consent. That consent must be freely given, specific, informed, and unambiguous. The law explicitly states that consent obtained through dark patterns or through acceptance of broad, general terms does not qualify.
Controller and Processor Obligations
Businesses that act as data controllers under the TDPSA must meet several obligations:
Data minimization. Controllers must limit their collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purpose.
Purpose limitation. Controllers cannot process personal data for purposes that are not reasonably necessary to or compatible with the purposes disclosed to the consumer.
Security requirements. Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect personal data.
Data protection assessments. Controllers must conduct data protection assessments for processing activities that present heightened risks, including targeted advertising, data sales, certain profiling activities, and processing of sensitive data. These assessments must be made available to the Texas Attorney General upon request.
Data processing contracts. Controllers must enter into contracts with data processors that include all elements required by the TDPSA, including requirements that processors assist controllers in responding to consumer rights requests and conducting data protection assessments.
TDPSA Enforcement and Penalties
Only the Texas Attorney General has authority to enforce the TDPSA. There is no private right of action, meaning individual consumers cannot sue businesses directly for TDPSA violations.
Before filing an enforcement action, the Attorney General must provide a written notice of the alleged violation and give the company a 30-day cure period. During this window, the company can cure the violation and provide a written statement with supporting documentation.
If the company fails to cure the violation within 30 days, or breaches the written statement it provided to the Attorney General, it faces civil penalties of up to $7,500 per violation. The Attorney General can also seek injunctive relief, attorney's fees, and investigative costs.
Texas Capture or Use of Biometric Identifier Act (CUBI)
The Capture or Use of Biometric Identifier Act, codified as Chapter 503 of the Texas Business and Commerce Code, provides dedicated protections for biometric data that go beyond the TDPSA's general sensitive data provisions.
What CUBI Covers
CUBI regulates the capture and use of biometric identifiers for commercial purposes. The law defines biometric identifiers as:
- Retina or iris scans
- Fingerprints
- Voiceprints
- Records of hand or face geometry
CUBI Requirements
Before capturing an individual's biometric identifier for a commercial purpose, a person or entity must inform the individual and obtain the individual's consent.
CUBI also restricts the sale, lease, or disclosure of biometric identifiers and requires that captured biometric identifiers be destroyed within a reasonable timeframe.
The law was amended to clarify that an individual has not consented to the capture or storage of their biometric identifier based solely on the existence of an image or other media containing biometric identifiers on the internet or other publicly available sources, unless the individual made that image publicly available themselves.
CUBI Penalties
A person who violates CUBI is subject to a civil penalty of up to $25,000 for each violation. The Texas Attorney General enforces CUBI and has actively pursued enforcement actions, including a lawsuit against Google for alleged violations of the biometric identifier statute.
Data Breach Notification Requirements
Texas has strict data breach notification requirements under the Identity Theft Enforcement and Protection Act (ITEPA), codified in Chapter 521 of the Texas Business and Commerce Code.
What Triggers a Notification
A "breach of system security" triggers notification obligations when sensitive personal information is accessed, acquired, or disclosed in an unauthorized manner. Sensitive personal information under ITEPA includes:
- Social Security numbers
- Driver's license or government ID numbers
- Financial account numbers (with security codes or passwords)
- Health insurance information
- Health records
Notification Timelines
Texas law imposes two separate notification deadlines:
Consumer notification. Businesses must notify affected individuals no later than 60 days after determining the breach occurred. Notification can be provided by mail, email, conspicuous website posting, or statewide media broadcast.
Attorney General notification. If the breach affects 250 or more Texas residents, the business must report the breach to the Texas Attorney General as soon as practicable and no later than 30 days after discovering the breach.
Data Disposal Requirements
ITEPA also requires that when a business disposes of records containing personal information, the disposal process must render the personal information unreadable or indecipherable.
ITEPA Penalties
The Texas Attorney General can seek civil penalties of at least $2,000 but not more than $50,000 per violation. For failing to take reasonable action to notify consumers, additional penalties of up to $250,000 per breach may apply. The Attorney General can also recover attorneys' fees, investigative costs, and court costs.
Penalty Comparison Table
| Law | Statute | Penalty Per Violation | Maximum Per Breach | Cure Period |
|---|---|---|---|---|
| TDPSA | Tex. Bus. & Com. Code Ch. 541 | Up to $7,500 | No statutory cap | 30 days |
| CUBI | Tex. Bus. & Com. Code Ch. 503 | Up to $25,000 | No statutory cap | None |
| ITEPA (Breach Notification) | Tex. Bus. & Com. Code Ch. 521 | $2,000 to $50,000 | $250,000 for failure to notify | None |
| SCOPE Act | Tex. Bus. & Com. Code Ch. 509 | Up to $10,000 | No statutory cap | None |
Securing Children Online Through Parental Empowerment (SCOPE) Act
The SCOPE Act, effective September 1, 2024, adds another layer of data privacy protection focused specifically on minors under 18.
What the SCOPE Act Requires
Digital service providers that operate online platforms for social interaction must comply with several requirements when minors use their services:
Data collection limits. Providers must limit the collection and use of a minor's personally identifiable information and cannot share or sell that information.
No geolocation tracking. Providers cannot collect a minor's geolocation data.
No targeted advertising. Providers cannot display targeted advertising to minors.
No financial transactions. Minors are prohibited from making purchases or conducting other financial transactions through the digital service.
Harmful content prevention. Providers must develop and implement a strategy to prevent minors' exposure to material that promotes or glorifies self-harm, substance abuse, bullying, harassment, trafficking, or sexual exploitation.
Parental controls. Providers must give parents tools to manage and control the privacy settings on their child's account.
A violation of the SCOPE Act is treated as a deceptive trade practice. The Attorney General can seek injunctive relief, civil penalties of up to $10,000 per violation, and attorneys' fees.
Texas Data Broker Law
Texas also regulates data brokers under Chapter 510 of the Business and Commerce Code (redesignated from Chapter 509 effective September 1, 2025).
Who Must Register
The law applies to data brokers that, in any 12-month period, either derive more than 50 percent of their revenue from processing or transferring personal data not collected directly from the individuals, or derive revenue from processing or transferring the personal data of more than 50,000 individuals not collected directly from those individuals.
Registration Requirements
Qualifying data brokers must register with the Texas Secretary of State by filing a registration statement and paying a $300 fee. Registration certificates expire after one year and must be renewed annually with another $300 fee.
The registration statement must include the data broker's legal name, contact information, physical address, and a link to a page explaining how consumers can exercise their rights under Section 541.051 of the TDPSA.
The Attorney General has actively enforced the data broker registration requirement. In 2024, the AG notified over 100 companies of their apparent failure to comply with the Texas data broker law.
Recent Enforcement Actions
The Texas Attorney General's office has been one of the most active state enforcement bodies for data privacy in the country.
Allstate and Arity Lawsuit
In what was the first enforcement action ever filed by a state attorney general to enforce a comprehensive data privacy law, Texas sued Allstate and its subsidiary Arity. The lawsuit alleged the companies unlawfully collected, used, and sold location and movement data from over 45 million Americans' cell phones through secretly embedded software in mobile apps like Life360. The state alleged this violated the TDPSA's protections for sensitive data, including precise geolocation information.
Investigations Into Tech Companies
The Attorney General launched investigations into Character.AI, Reddit, Instagram, Discord, and other companies over their privacy and safety practices for minors.
Actions Against Foreign Companies
Texas also took legal action against Chinese companies for violating Texans' privacy rights, demonstrating the broad reach of Texas enforcement.
How to File a Data Privacy Complaint in Texas
If you believe a business has violated your data privacy rights under any Texas privacy law, you can file a consumer complaint with the Texas Attorney General's Consumer Protection Division.
The AG's office handles complaints related to:
- The Texas Data Privacy and Security Act
- The Biometric Identifier Act
- The Identity Theft Enforcement and Protection Act
- The SCOPE Act
- The Data Broker Act
- The Children's Online Privacy Protection Act (federal, enforced cooperatively)
This article is for informational purposes only and does not constitute legal advice. Data privacy laws change frequently, and enforcement interpretations evolve over time. Consult a licensed attorney in Texas for advice about your specific situation. Last reviewed: March 2026.