Texas Data Privacy Laws: TDPSA & Consumer Rights Guide (2026)

The Texas Data Privacy and Security Act (TDPSA), codified at Tex. Bus. and Com. Code Chapter 541, took effect July 1, 2024, granting Texas residents rights to access, correct, delete, and opt out of the processing of their personal data. Only the Texas Attorney General enforces the law; civil penalties reach USD 7,500 per violation.

Texas has built one of the most aggressive data privacy enforcement frameworks in the country. The state combines a broad consumer data protection law, dedicated biometric protections, strict breach notification requirements, children's online privacy rules, a data broker registry, and a new AI governance statute.

The Texas Attorney General's office has backed this framework with landmark enforcement. The USD 1.4 billion Meta settlement in July 2024 and the USD 1.375 billion Google settlement finalized in October 2025 together represent the largest state-level privacy recoveries in U.S. history.

This guide covers each major Texas privacy statute, what rights consumers hold, what businesses must do, and what the penalties are for noncompliance. It is current as of May 2026.

Texas Data Privacy and Security Act (TDPSA)

The Texas Data Privacy and Security Act is codified at Chapter 541 of the Texas Business and Commerce Code. It was enacted through House Bill 4 during the 88th Texas Legislative Session and took effect July 1, 2024.

The TDPSA is Texas's comprehensive consumer data protection law. It governs how businesses collect, use, process, store, sell, share, analyze, and otherwise handle personal data belonging to Texas residents.

Who the TDPSA Covers

The TDPSA applies to any person or entity that conducts business in Texas or produces a product or service consumed by Texas residents, and that collects, uses, stores, sells, shares, analyzes, or processes consumers' personal data.

This is a notably broad trigger. Most state privacy laws set minimum revenue or data-volume thresholds before coverage kicks in. Texas does not. Any business touching Texas consumer data is potentially covered, subject to the exemptions below.

Exempt Entities

The TDPSA exempts six categories from its requirements:

• State agencies and political subdivisions of Texas
• Financial institutions governed by the Gramm-Leach-Bliley Act (GLBA)
• Covered entities and business associates governed by HIPAA
• Nonprofit organizations
• Institutions of higher education
• Small businesses as defined by the federal Small Business Administration

The small-business exemption carries an important carve-out. A small business that sells sensitive consumer data must still obtain the consumer's consent before doing so. Size does not permit the sale of health information, biometric data, precise geolocation, or children's data without permission.

Consumer Rights Under the TDPSA

The TDPSA grants Texas consumers the following rights:

Confirm and access. You can ask a business to confirm whether it processes your personal data and request a copy of that data.

Correct inaccuracies. You can request that a business correct inaccurate personal data it holds about you.

Delete your data. You can request deletion of personal data collected from or about you.

Portability. You can request a copy of your data in a portable, readily usable format.

Opt out of targeted advertising. You can opt out of the use of your personal data for targeted advertising purposes.

Opt out of data sales. You can opt out of the sale of your personal data to third parties.

Opt out of profiling. You can opt out of profiling that produces legal or similarly significant effects concerning you.

Controllers must respond to verified consumer requests within 45 days. If additional time is needed, controllers may extend by another 45 days with notice. If a controller denies a request, it must provide a reason and explain how the consumer can appeal. The appeal must be decided within 60 days.

Universal Opt-Out Mechanisms

Texas is among the states that require covered controllers to honor universal opt-out signals. Consumers may designate an authorized agent to submit opt-out requests on their behalf using tools such as Global Privacy Control (GPC). A controller that processes data for targeted advertising or sells personal data must provide a clear and conspicuous means for consumers to opt out, and must recognize valid universal opt-out mechanisms.

Personal Data and Sensitive Data

"Personal data" means any information that is linked or reasonably linkable to an identified or identifiable individual. Publicly available information and properly de-identified data fall outside this definition.

"Sensitive data" receives heightened protection and requires the consumer's affirmative consent before processing. The TDPSA's sensitive data categories are:

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health diagnosis
• Sexuality or sexual orientation
• Citizenship or immigration status
• Genetic data
• Biometric data processed for the purpose of unique identification
• Precise geolocation data (within a radius of 1,750 feet)
• Personal data of a child under 13

Consent obtained through dark patterns or buried within general terms of service does not satisfy the TDPSA's consent standard.

Controller and Processor Obligations

Data controllers under the TDPSA must satisfy these baseline requirements:

Data minimization. Collection must be limited to what is adequate, relevant, and reasonably necessary for the disclosed purpose.

Purpose limitation. Data cannot be processed for purposes incompatible with what was disclosed to the consumer at the time of collection.

Security. Controllers must implement and maintain reasonable administrative, technical, and physical security practices appropriate to the volume and nature of the personal data.

Data protection assessments. Controllers must conduct and document data protection assessments before undertaking processing activities that present heightened risk: targeted advertising, data sales, certain profiling uses, and the processing of sensitive data. The Texas AG may request these assessments, and controllers must produce them.

Processor contracts. Contracts with data processors must include all elements the TDPSA requires, including obligations to assist with consumer rights requests and data protection assessments.

TDPSA Enforcement and Penalties

The Texas Attorney General holds exclusive enforcement authority. There is no private right of action under the TDPSA.

Before filing suit, the AG must give the company written notice of the alleged violation and a 30-day window to cure. If the company cures and provides a written statement of compliance, no enforcement action may proceed for that violation. If the company fails to cure, or later breaches its written cure statement, the AG may seek:

• Civil penalties up to USD 7,500 per violation
• Injunctive relief
• Attorney's fees and investigative costs

There is no aggregate cap on penalties per enforcement action.

Texas Capture or Use of Biometric Identifier Act (CUBI)

The Capture or Use of Biometric Identifier Act (CUBI) is codified at Chapter 503 of the Texas Business and Commerce Code. It predates the TDPSA and provides dedicated protections for biometric data beyond what the TDPSA's sensitive data provisions require.

What CUBI Covers

CUBI regulates the capture and commercial use of biometric identifiers. The law defines biometric identifiers as:

• Retina or iris scans
• Fingerprints
• Voiceprints
• Records of hand geometry or face geometry

CUBI Requirements

Before capturing an individual's biometric identifier for a commercial purpose, a person or entity must:

1. Inform the individual that a biometric identifier is being collected or stored
2. Obtain the individual's consent to that collection or storage

CUBI also prohibits selling, leasing, or otherwise disclosing a biometric identifier to a third party without consent, and requires destruction of biometric data within a reasonable time.

A 2023 amendment clarified that an individual does not consent to capture simply because an image containing their biometric identifiers exists somewhere on the internet or in publicly available sources, unless the individual personally made that image publicly available.

CUBI Penalties

Each violation of CUBI carries a civil penalty of up to USD 25,000. The Texas AG enforces the statute. Unlike the TDPSA, CUBI does not include a 30-day cure period before the AG can pursue penalties.

Meta Settlement (July 2024)

In July 2024, Attorney General Ken Paxton secured a USD 1.4 billion settlement from Meta for alleged violations of CUBI. The AG's lawsuit alleged Meta captured the facial geometry of Texas residents through its facial-recognition "Tag Suggestions" feature without obtaining informed consent. The USD 1.4 billion figure is the largest privacy settlement ever obtained by a single state attorney general.

Google Settlement (Finalized October 2025)

Texas filed suit against Google in 2022 alleging violations of CUBI and other Texas privacy statutes, including unauthorized capture of biometric identifiers through Google Photos and Google Assistant. The parties reached an agreement in principle on May 9, 2025, and finalized a USD 1.375 billion settlement on October 31, 2025. The settlement also resolved claims related to location tracking and Incognito-mode data collection.

Data Breach Notification Requirements (ITEPA)

The Texas Identity Theft Enforcement and Protection Act (ITEPA), codified at Chapter 521 of the Texas Business and Commerce Code, governs breach notification obligations for businesses that maintain sensitive personal information about Texas residents.

What Triggers Notification

A "breach of system security" occurs when sensitive personal information is acquired by an unauthorized person. Sensitive personal information under ITEPA includes:

• Social Security numbers
• Driver's license or state identification card numbers
• Financial account numbers combined with security codes, passwords, or access codes
• Health insurance policy or subscriber numbers combined with health information
• Information about an individual's physical or mental health condition or treatment

Notification Timelines

Texas imposes two parallel deadlines:

Consumer notification. The business must notify affected individuals no later than 60 days after the date on which it determines that a breach occurred. Notification may be delivered by mail, email, conspicuous website posting, or statewide media broadcast.

Attorney General notification. If the breach affects 250 or more Texas residents, the business must also notify the Texas AG as soon as practicable and no later than 30 days after discovering the breach. Reports are submitted through the AG's data breach portal.

Data Disposal Requirements

ITEPA requires that when a business disposes of records containing personal identifying information, the disposal method must render the data unreadable or indecipherable. This applies to both physical records and electronic storage media.

ITEPA Penalties

The AG may seek civil penalties between USD 2,000 and USD 50,000 per violation. For failures to take reasonable action to notify consumers, an additional penalty of up to USD 250,000 per breach event may apply. The AG may also recover attorneys' fees, investigative costs, and court costs.

Securing Children Online Through Parental Empowerment (SCOPE) Act

The SCOPE Act, codified at Chapter 509 of the Texas Business and Commerce Code, took effect September 1, 2024. It imposes specific obligations on digital service providers that operate online platforms for social interaction when those platforms are accessed by minors under 18.

What the SCOPE Act Requires

Covered platforms must:

• Limit the collection and use of a minor's personally identifiable information and prohibit sharing or selling it
• Refrain from collecting a minor's geolocation data
• Refrain from displaying targeted advertising to minors
• Prevent minors from making purchases or conducting financial transactions on the platform
• Develop and implement a strategy to prevent minors' exposure to material that promotes self-harm, substance abuse, bullying, harassment, trafficking, or sexual exploitation
• Provide parents with tools to manage and control their child's privacy settings

A violation of the SCOPE Act is treated as a deceptive trade practice. The AG may seek injunctive relief and civil penalties of up to USD 10,000 per violation.

Texas Data Broker Registration Law

Texas requires certain data brokers to register with the Secretary of State under Chapter 510 of the Business and Commerce Code. The original data broker law (enacted as SB 2105 during the 88th Legislature, effective September 1, 2023) was expanded by two bills signed June 20, 2025, both effective September 1, 2025.

Who Must Register

A "data broker" is now defined (following the 2025 amendments from SB 2121 and SB 1343) as a business entity that collects, processes, or transfers personal data that the entity did not collect directly from the individual. The 2025 amendment removed the prior requirement that data brokering be the company's "principal source of revenue," substantially broadening the registration obligation.

Registration is required if the entity, in a 12-month period, either derives more than 50 percent of its revenue from processing or transferring such data, or processes or transfers the personal data of more than 50,000 individuals not collected directly from those individuals.

Registration Process

Qualifying data brokers must register with the Texas Secretary of State by filing a registration statement and paying a USD 300 annual fee. The registration must include:

• The data broker's legal name and contact information
• A physical address
• A link to a page explaining how consumers can exercise their rights under TDPSA Section 541.051

In 2024, the AG notified over 100 companies of their apparent failure to comply with the data broker registration requirement. The AG has continued active enforcement of the registry since.

Texas Responsible AI Governance Act (TRAIGA)

The Texas Responsible AI Governance Act (TRAIGA), signed in 2025, took effect January 1, 2026. TRAIGA amends and interacts with the TDPSA by imposing obligations on persons and entities that develop or deploy AI systems in Texas.

Key TRAIGA Requirements

TRAIGA prohibits the use of AI systems for behavioral manipulation, discrimination, the creation or distribution of unlawful deepfakes or child sexual abuse material, and infringement of constitutional rights.

For AI systems that interact with Texas consumers, governmental entities must disclose to consumers that they are interacting with an AI system. The statute also establishes a regulatory sandbox program for AI developers and creates the Texas Artificial Intelligence Advisory Council.

TRAIGA's liability framework is intent-based: unlike statutes that impose strict liability for discriminatory outcomes, TRAIGA requires proof of intentional misconduct. The AG holds exclusive enforcement authority, with a 60-day cure period before any enforcement action may proceed.

The TRAIGA amendment to the TDPSA clarifies that data processors must assist controllers in adhering to security requirements when processing data through AI systems.

Recent Enforcement Actions

The Texas AG's office has been among the most aggressive state enforcers of data privacy in the country.

Texas v. Allstate and Arity (January 2025)

On January 13, 2025, the Texas AG filed the first-ever lawsuit under any state comprehensive data privacy law. The complaint alleged that Allstate and its subsidiary Arity secretly harvested location and movement data from over 45 million Americans by embedding a software development kit into popular mobile apps including Life360, GasBuddy, and Fuel Rewards. The SDK tracked real-time location, movement patterns, and driving behavior without user knowledge or consent. The AG alleged violations of the TDPSA, including failures related to sensitive geolocation data, and also alleged that Arity violated the data broker registration requirement by failing to register despite processing data on millions of individuals.

Meta Settlement (July 2024)

The Texas AG secured a USD 1.4 billion settlement from Meta in July 2024 for alleged CUBI violations related to facial-recognition technology. The settlement is the largest privacy settlement ever obtained by a single state attorney general.

Google Settlement (October 2025)

The Texas AG finalized a USD 1.375 billion settlement with Google in October 2025, resolving claims related to biometric data collection through Google Photos and Google Assistant, unauthorized location tracking, and Incognito-mode data collection. The settlement is the largest state-level privacy settlement ever obtained against Google.

Investigations Into Platform Safety for Minors

The AG launched investigations into Character.AI, Reddit, Instagram, Discord, and other platforms over their privacy and safety practices for minors under the SCOPE Act and related statutes.

Actions Against Foreign Companies

Texas also pursued legal action against Chinese companies for alleged violations of Texas residents' privacy rights, signaling that Texas enforcement extends beyond domestic technology companies.

Federal Privacy Overlay

Several federal statutes apply alongside Texas law and provide additional protections for Texas residents.

TAKE IT DOWN Act (Pub. L. 119-12, signed May 19, 2025). This federal law criminalizes the publication of nonconsensual intimate images (NCII), including AI-generated deepfakes. The criminal prohibition took effect immediately on May 19, 2025. Platform takedown obligations (requiring covered platforms to establish a notice-and-removal process within 48 hours) became effective May 19, 2026, with FTC enforcement authority.

HIPAA. Covered entities and business associates handling protected health information are governed by HIPAA's Privacy and Security Rules, which overlay the TDPSA's sensitive data provisions for health information.

Gramm-Leach-Bliley Act (GLBA). Financial institutions subject to GLBA are exempt from the TDPSA's scope, but GLBA's Safeguards Rule imposes its own data security and privacy notice requirements.

Children's Online Privacy Protection Act (COPPA). COPPA governs the online collection of personal information from children under 13 and applies alongside Texas's SCOPE Act for covered operators.

Fair Credit Reporting Act (FCRA). Consumer reporting agencies and users of consumer reports face FCRA obligations independent of state law.

FTC Act Section 5. The Federal Trade Commission can pursue unfair or deceptive data practices against most companies under Section 5, providing a federal enforcement backstop.

American Privacy Rights Act (APRA). The 2024 bicameral APRA draft did not pass. An APRA 2.0 proposal circulated in 2025 but had not been enacted as of May 2026. No federal comprehensive privacy law is in force.

Penalty Comparison Table

Practical Compliance Steps for Businesses

Businesses operating in Texas or serving Texas residents should take the following steps:

Map your data. Identify all personal data collected from Texas residents, categorize it by sensitivity level, and document the purpose of each processing activity.

Update your privacy notice. Your notice must clearly disclose what data you collect, why you collect it, whether you sell it or use it for targeted advertising, and how consumers can exercise their rights.

Build consumer rights workflows. You need documented processes to handle access, correction, deletion, portability, and opt-out requests within 45 days. Designate a point of contact or build a consumer request portal.

Honor universal opt-out signals. If you sell personal data or process it for targeted advertising, you must recognize GPC and other approved universal opt-out mechanisms.

Conduct data protection assessments. Document your assessments for targeted advertising, data sales, profiling, and sensitive data processing activities before beginning those activities.

Audit your biometric data practices. If you collect fingerprints, facial geometry, voiceprints, iris scans, or hand geometry for any commercial purpose, obtain express written consent first and implement a retention-and-destruction schedule.

Register if you are a data broker. If your business fits the post-2025-amendment definition, register with the Texas Secretary of State and pay the USD 300 annual fee.

Review AI deployments. TRAIGA took effect January 1, 2026. Businesses developing or deploying AI in Texas need to assess whether their systems fall within TRAIGA's scope and what disclosure or prohibition requirements apply.

Prepare breach response protocols. Know your 60-day consumer notification deadline and your 30-day AG notification deadline for breaches affecting 250 or more Texans.

How Texas Consumers Can Exercise Their Rights

If you are a Texas resident, you have several avenues to protect your personal data:

Submit requests directly to businesses. Contact the company's privacy team or use their designated privacy portal to submit access, correction, deletion, portability, or opt-out requests. Businesses must respond within 45 days.

Use Global Privacy Control. Enable GPC in your browser (supported in Firefox, Brave, and via browser extensions) to send automatic opt-out signals to covered businesses as you browse.

Appeal a denial. If a business denies your request, you can submit an appeal. The business must respond to your appeal within 60 days and explain the reason for any continued denial.

File a complaint with the Texas AG. The AG's Consumer Protection Division accepts data privacy complaints online. The AG handles complaints under the TDPSA, CUBI, ITEPA, SCOPE Act, and Data Broker Act.

Report to the FTC. Federal complaints about deceptive data practices can be filed at ReportFraud.ftc.gov. The FTC enforces COPPA, FCRA, and FTC Act Section 5.

Related State Comparisons

Comparing Texas with other states can help businesses assess their multi-state compliance posture:

• California Data Privacy Laws (CCPA/CPRA with CPPA rulemaking authority)
• Illinois Data Privacy Laws (BIPA biometric law; no comprehensive consumer privacy law yet)
• Colorado Data Privacy Laws (CPA, effective July 1, 2023)
• Virginia Data Privacy Laws (VCDPA)
• Our world data privacy overview for cross-jurisdictional comparison

More Texas Laws

• Texas AI Meeting Recording Laws
• Texas Alimony Laws
• Texas At-Will Employment Laws
• Texas Car Accident Laws
• Texas Car Seat Laws
• Texas Child Custody Laws
• Texas Child Support Laws
• Texas Common Law Marriage Laws
• Texas Deepfake Laws
• Texas Divorce Laws
• Texas Dog Bite Laws
• Texas Emancipation Laws
• Texas Expungement Laws
• Texas Hit and Run Laws
• Texas Landlord-Tenant Laws
• Texas Lemon Laws

This article is for informational purposes only and does not constitute legal advice. Data privacy laws change frequently. Consult a licensed Texas attorney for advice about your specific situation. Last reviewed: May 2026.

Related news

• Texas app store age-verification law (SB 2420)

In-depth guides

• What Is the TDPSA? Texas Data Privacy and Security Act
• TDPSA Consumer Rights: Your Texas Data Privacy Rights
• TDPSA Compliance Checklist for Businesses (2026)