TDPSA Compliance Checklist for Businesses (2026)

If your business operates in Texas or serves Texas residents, the Texas Data Privacy and Security Act (TDPSA), Tex. Bus. & Com. Code ch. 541, effective July 1, 2024, may impose controller obligations on you. Unlike other state privacy laws, which set fixed consumer-volume or revenue thresholds, the TDPSA applies to any person that does business in Texas or serves Texas residents, processes or sells personal data, and is not a small business under the U.S. Small Business Administration's industry-specific size standards. Because the first two prongs are met by almost any company with Texas customers and a website, the size-standard prong decides coverage in practice, and many mid-size companies that assume they are too small to comply may actually be fully covered. This ten-step checklist walks through every controller duty, from the applicability self-test to processor contracts and enforcement exposure, so you can assess your compliance posture or close gaps before the Texas AG's 30-day notice letter arrives.
For a plain-language overview of what the TDPSA requires, see the companion explainer. For detail on the five rights your Texas customers can invoke against your business, see consumer rights under the TDPSA.
Step 1: Run the Applicability Self-Test
The TDPSA's applicability test is unlike every other major state privacy law. Under Tex. Bus. & Com. Code § 541.002(a), the law applies to a person that (1) conducts business in Texas or produces a product or service consumed by Texas residents, (2) processes or engages in the sale of personal data, and (3) is not a small business as defined by the U.S. Small Business Administration. There is no fixed revenue threshold, no 100,000-consumer floor, and no percentage-of-revenue-from-data-sales test. The first two prongs are satisfied by nearly any business with Texas customers, so the question that actually decides coverage is whether you qualify as an SBA small business.
The SBA's size standards are set by NAICS industry code and are published at 13 C.F.R. Part 121. Most retail and service-sector businesses are measured by average annual receipts over the most recent five completed fiscal years (13 C.F.R. § 121.104). Most manufacturing and wholesale businesses are measured by average number of employees over the preceding 24 months (13 C.F.R. § 121.106). Receipts-based standards range from roughly $2 million to $47 million and employee-based standards from 100 to 1,500 employees, depending on the industry. Look up your specific NAICS code using the SBA's Size Standards Tool at sba.gov/size-standards, and confirm the averaging period in the regulation itself, since the SBA has changed it in recent years.
Two aggregation rules matter. First, you must count affiliated entities when calculating size, so a business with a large parent or holding company may exceed the threshold even if the operating subsidiary alone would not. Second, calculate size for each industry in which you operate, because a business that straddles two sectors may meet the small-business standard in one but not the other.
If your business exceeds the SBA threshold for its primary industry, the TDPSA applies in full and you should proceed through all remaining steps. If you fall under the threshold as a true SBA small business, most TDPSA obligations do not apply, but stop before assuming full exemption: § 541.107 still bars you from selling sensitive personal data without prior consumer consent regardless of your size-standard status.
Document your self-test conclusion with the NAICS code you used, the applicable size standard, and the annual receipts or employee count that produced your result. If the AG ever investigates, a documented threshold analysis is far more persuasive than a claim that the TDPSA simply did not apply.
Step 2: Confirm Whether an Entity or Data Exemption Applies
Even if your business exceeds the SBA size threshold, the TDPSA contains categorical entity exemptions that remove entire classes of organizations from the law's reach. Under Tex. Bus. & Com. Code § 541.002(b), the following entities are fully exempt: Texas state agencies and political subdivisions; financial institutions subject to Title V of the Gramm-Leach-Bliley Act (and data subject to that title); HIPAA covered entities and business associates; nonprofit organizations; institutions of higher education; and electric utilities, power generation companies, and retail electric providers.
Beyond entity-level exemptions, specific categories of data are carved out under § 541.003 regardless of which company holds them. Exempt data categories include HIPAA protected health information, health records, patient safety work product, and certain deidentified health datasets; FCRA-regulated consumer credit data; Driver's Privacy Protection Act motor vehicle data; FERPA educational records; Farm Credit Act data; personal data processed in the employment, independent contractor, or job application context; emergency contact information; and benefits administration data.
The entity exemption and the data exemption are independent tests that you must run separately. A HIPAA-covered hospital is entity-exempt across its entire operation. A non-HIPAA software company may still process some HIPAA-regulated data streams as a business associate, which are exempt at the data level even though the company itself is covered by the TDPSA for its other data activities.
Apply a dual check to every data stream: first, does an entity-level exemption remove your entire organization from coverage? Second, even if your organization is covered, does a data-category exemption remove this particular data type from TDPSA requirements? Only after both checks should you treat a stream as governed by the TDPSA's full controller duty stack.
Step 3: Map Your Sensitive Data and Prepare Opt-In Consent Flows
The TDPSA's most demanding consumer-facing obligation is its requirement for affirmative opt-in consent before processing sensitive data. This is not an opt-out standard that allows collection to begin while offering a later unsubscribe. You need an informed, voluntary yes before any sensitive data processing begins. Tex. Bus. & Com. Code § 541.101(b)(4).
The TDPSA defines sensitive data in § 541.001 as: personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexuality, or citizenship or immigration status; genetic or biometric data processed for the purpose of uniquely identifying an individual (fingerprints, voiceprints, iris or retina scans, and similar unique biological patterns); personal data collected from a known child; and precise geolocation data. That is nine distinct categories. Review every product, analytics tool, advertising platform, health form, account profile, and user-generated field in your systems against this list.
The list is broader than most businesses expect. A wellness app that invites users to log symptoms is processing health diagnosis data. A mobile app that shares GPS coordinates with advertising partners is processing precise geolocation data. An HR platform that collects employee biometrics for time-and-attendance is processing biometric data. A loyalty program that infers demographic characteristics from purchase history and applies them to advertising segments may be generating sensitive data even without explicit user disclosure.
For each sensitive data stream you identify, build a granular opt-in mechanism that clearly names the sensitive data type being collected, explains the specific purpose, and offers a genuine choice to decline without stripping access to the core service where reasonably possible. Pre-checked boxes, general terms-of-service bundling, and passive scroll-through consents do not satisfy an affirmative opt-in standard.
For data collected from children known to be under 13, § 541.101(b)(4) directs compliance with COPPA's verifiable parental consent framework rather than direct consumer consent. If your service is directed at children or you have actual knowledge you are collecting data from a child, COPPA compliance is the required mechanism.
Step 4: Post Mandatory Sale Notices for Sensitive and Biometric Data
This is one of the most distinctive requirements in the TDPSA and one that has no direct parallel in most other state privacy laws. If your business sells sensitive personal data to third parties, you must post a clear and conspicuous notice using the exact statutory language specified in Tex. Bus. & Com. Code § 541.102(b): "NOTICE: We may sell your sensitive personal data."
If your business separately sells biometric personal data, an additional verbatim notice is required under § 541.102(c): "NOTICE: We may sell your biometric personal data."
Both notices are requirements in addition to, not instead of, the general opt-out disclosure required whenever any personal data is sold. A company that sells both sensitive data and biometric data must post all three disclosures: the general sale opt-out, the sensitive-data verbatim notice, and the biometric-data verbatim notice.
These notices must be conspicuously displayed. The statute requires they appear in the controller's privacy notice or in another manner reasonably accessible to consumers. Burying either notice in the fifteenth paragraph of a dense privacy policy or rendering it in eight-point gray text on a white background will not satisfy a clear and conspicuous standard. Consider positioning both notices near the top of your privacy notice, above the fold, in formatted callout text.
Crucially, even SBA small businesses that are otherwise exempt from the TDPSA's controller obligations are still prohibited from selling sensitive data without the consumer's prior consent under § 541.107. The small-business exemption does not reach this provision. Note that the verbatim notice requirement in § 541.102(b)-(c) is a controller obligation and applies to non-exempt businesses that engage in data sales; small businesses subject only to § 541.107 must obtain consent, but their specific disclosure obligations are governed by that section rather than the full § 541.102 controller privacy-notice framework.
Step 5: Update Your Privacy Notice
A TDPSA-compliant privacy notice must contain six mandatory elements under Tex. Bus. & Com. Code § 541.102. First, the categories of personal data you process, with explicit identification of any sensitive data categories. Second, the purposes for which you process each category of personal data. Third, how consumers may exercise their five statutory rights and the process for appealing a denial of a rights request. Fourth, the categories of personal data you share with third parties. Fifth, the categories of third parties with whom you share personal data. Sixth, the methods by which consumers may submit rights requests, such as an email address, web form, or toll-free phone number.
If your business sells personal data to third parties or processes personal data for targeted advertising, the notice must also include a clear, conspicuous disclosure of that practice and a working mechanism for consumers to opt out. Tex. Bus. & Com. Code § 541.102(d). (Subsections (b) and (c) of the same section carry the verbatim sensitive-data and biometric-data sale notices from Step 4.)
Targeted advertising is defined narrowly. Displaying ads based on data collected from consumer activity across nonaffiliated websites or applications over time qualifies. Displaying contextual ads based on activity within your own site or app at the time of the visit does not. Make sure your disclosure accurately describes which advertising practices your business actually engages in so the notice is neither over-inclusive nor misleading.
The privacy notice must be reasonably accessible. This means it should be linked prominently from your homepage and from every point of data collection, not just buried in your site footer or accessible only through a nested help page. If you add the mandatory sale notices described in Step 4, integrate them visibly near the top of the notice document.
For full detail on each consumer right, including access, correction, deletion, portability, and opt-out, and for the exact 45-day response timeline and appeal process, see the companion guide to consumer rights under the TDPSA.
Step 6: Implement the Universal Opt-Out Mechanism
As of January 1, 2025, controllers subject to the TDPSA must honor universal opt-out signals submitted on behalf of Texas consumers. This obligation is codified in Tex. Bus. & Com. Code § 541.055(e), which took effect six months after the TDPSA's main provisions launched on July 1, 2024.
A universal opt-out mechanism is defined broadly to include browser settings and extensions (such as Global Privacy Control signals), links to dedicated opt-out internet pages, and global settings on electronic devices. When a consumer or their designated authorized agent sends a recognized signal, you must process the opt-out with commercially reasonable effort, including verifying Texas residency and the agent's authority to act on the consumer's behalf.
You cannot require consumers to create an account or log in as a precondition for exercising opt-out rights through a universal mechanism. The requirement is specifically designed to allow anonymous, browser-level opt-outs without forcing account creation.
Businesses that were already honoring Global Privacy Control signals for compliance with California's CPRA should review whether their implementation also satisfies the TDPSA's version of the requirement, particularly the Texas-residency verification component. Signals that work across all U.S. states may need to be augmented to ensure proper state-specific handling.
Any delay in recognizing and processing universal opt-out signals is a curable violation within the AG's 30-day notice framework. The practical implication is that upon receiving a written notice from the AG, you have 30 days to implement signal recognition, confirm in writing that you have done so, and document the remediation for the file.
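The universal opt-out obligation in this step is the one part of the checklist that lands on an engineering team rather than legal. As an added example that is not from the statute, the Texas AG, or any vendor's implementation, the Python below shows how a web tier can honor the Global Privacy Control signal: the GPC specification sends a single request header, Sec-GPC, whose only meaningful value is the literal "1", and lets a site declare support at /.well-known/gpc.json. The residency hint, the preference record layout, and the choice to treat the signal as covering the sale and targeted-advertising opt-outs are assumptions for illustration; confirm the scopes against § 541.055(e) and your own residency check.

```python
"""Honoring the Global Privacy Control (GPC) signal server-side.

Added example, not from the statute or the Texas AG. It assumes a web
framework exposes request headers as a dict; the residency hint, the
preference store layout and the scope names are placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import json

# Assumed scopes a universal signal switches off: sale of personal data
# and targeted advertising. Confirm against Tex. Bus. & Com. Code
# § 541.055(e) before relying on this list.
SIGNAL_SCOPES = ("targeted_advertising", "sale")


@dataclass(frozen=True)
class OptOutDecision:
    signal_present: bool   # Sec-GPC: 1 was on the request
    honored: bool          # the opt-out was applied to this visitor
    scopes: tuple          # processing purposes that were switched off
    reason: str            # short audit string for the compliance file


def gpc_signal_present(headers):
    """Return True only for the literal value "1" on the Sec-GPC header.

    Header names are case-insensitive, so the lookup normalises them;
    any other value, or no header at all, counts as "no signal".
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def decide_opt_out(headers, residency_hint):
    """Decide whether a request's GPC signal opts the visitor out.

    residency_hint is whatever commercially reasonable check the
    controller already performs (geo-IP, billing state on an existing
    session): "TX", another two-letter state code, or None when unknown.
    Design choice: honor the signal when residency is unknown rather
    than drop it, because the signal cannot be tied to a login and the
    controller usually has nothing better than geolocation.
    """
    if not gpc_signal_present(headers):
        return OptOutDecision(False, False, (), "no Sec-GPC header")
    if residency_hint not in (None, "TX"):
        return OptOutDecision(True, False, (),
                              f"signal from {residency_hint}, outside Texas scope")
    reason = "Sec-GPC: 1 honored"
    if residency_hint is None:
        reason += " (residency unknown, honored by default)"
    return OptOutDecision(True, True, SIGNAL_SCOPES, reason)


def apply_decision(preferences, decision):
    """Merge an honored signal into an anonymous visitor's preference record.

    preferences is a dict keyed by scope name. An honored signal turns
    the listed scopes off and stamps when it happened, so the controller
    can show how quickly signals were recognised if the AG asks.
    """
    if not decision.honored:
        return preferences
    updated = dict(preferences)
    stamp = datetime.now(timezone.utc).isoformat()
    for scope in decision.scopes:
        updated[scope] = {"allowed": False, "source": "gpc", "at": stamp}
    return updated


def gpc_well_known():
    """Body for /.well-known/gpc.json declaring that the site honors GPC.

    The lastUpdate value is a placeholder date, not a real deployment.
    """
    return json.dumps({"gpc": True, "lastUpdate": "2025-01-01"})


if __name__ == "__main__":
    # Constructed sample request, not captured traffic.
    browser_request = {"Host": "shop.example", "Sec-GPC": "1", "Accept": "*/*"}
    decision = decide_opt_out(browser_request, "TX")
    prefs = apply_decision({"targeted_advertising": {"allowed": True}}, decision)
    print(decision.reason, prefs, gpc_well_known())
```

Note that nothing in the flow touches a login or account: the decision is keyed to the request and whatever anonymous preference record (a cookie, a session) the site already keeps, which is what the no-account-required rule above demands. The reason string is deliberately small and stable so it can be logged as the remediation evidence Step 6 calls for.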
Step 7: Conduct and Document Data Protection Assessments
Written Data Protection Assessments (DPAs) are mandatory for five categories of processing under Tex. Bus. & Com. Code § 541.105(a). The five triggers are: processing personal data for targeted advertising; selling personal data; processing personal data for profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment, financial injury, physical injury, reputational harm, intrusion on solitude or seclusion, or other substantial consumer injury; processing sensitive data; and any other processing that presents a heightened risk of harm to consumers.
Each assessment must weigh the benefits of the processing activity against the risks to consumers, taking into account several factors: the extent to which deidentified data could substitute for personal data, consumer reasonable expectations about how their data will be used, the nature and context of the processing relationship, and whether safeguards in place adequately mitigate the identified risks. Tex. Bus. & Com. Code § 541.105(b).
One assessment may cover a set of comparable processing operations rather than requiring a separate document for every individual campaign, data-sharing agreement, or product feature. If you run five targeted advertising campaigns that use identical data types, purposes, and safeguards, a single well-documented DPA covering that program is defensible. If a campaign materially changes the data types used or the consumer population targeted, refresh the assessment.
The Texas AG may require a controller to disclose a data protection assessment relevant to an investigation, and completed assessments are protected from public disclosure while in the AG's possession. Tex. Bus. & Com. Code § 541.105(c)-(d). Treat completed DPAs as sensitive legal documents from the outset: involve legal counsel, maintain them in a confidential records system, and note any attorney-client privilege claims on the document itself.
Timing also matters. Begin DPAs before a new processing activity launches, not after. A DPA completed retroactively after a complaint is less credible than one that was part of the product design process.
Step 8: Execute Written Processor Contracts
Every service provider, vendor, or third party that processes personal data on your behalf, under your instructions, must be governed by a binding written controller-processor contract before any personal data is shared or accessed. Tex. Bus. & Com. Code § 541.104(b). There are no de minimis exceptions for small vendors or short-term engagements.
The contract must specify five structural elements: the instructions for processing personal data; the nature and purpose of the processing; the type of data subject to processing; the duration of processing; and the rights and obligations of both parties. These elements define the outer boundaries of what the processor is authorized to do. Any processing outside those defined parameters makes the processor a controller in its own right, with its own liability exposure.
Beyond the structural scope elements, the contract must impose five operational obligations on the processor: a duty to ensure all personnel who access personal data are bound by confidentiality obligations; a duty to delete or return all personal data to you upon termination or request, unless law requires longer retention; a duty to provide information sufficient for you to assess its compliance with the TDPSA; a duty to cooperate with and permit reasonable controller audits or independent third-party assessments of its data practices; and a duty to flow down equivalent data protection obligations to any subprocessors it engages through written contracts.
Begin with a vendor inventory. List every third party that touches personal data you control: cloud infrastructure providers, analytics platforms, marketing automation tools, payment processors, CRM systems, customer support software, and any other SaaS or services platform that ingests or stores data from your systems. Determine whether each relationship is a processor (acting under your instructions) or a third-party controller (acting for its own purposes), because the distinction determines whether a data processing agreement or a data-sharing agreement is the right instrument.
Step 9: Build Consumer Request Workflows
Texas consumers have five statutory data rights under the TDPSA. They may ask you to confirm whether you process their personal data and to obtain a copy of it. They may ask you to correct inaccuracies in personal data you maintain about them. They may ask you to delete personal data you hold about them. They may ask for a portable copy of their data in a readily usable format that enables transfer to another controller. And they may opt out of three specific uses: targeted advertising, sale of personal data, and profiling used to make decisions with legal or similarly significant effects on the consumer.
Controllers must respond to authenticated requests within 45 days of receipt. One extension of up to an additional 45 days is permitted if the controller notifies the consumer within the initial period of the reason for delay. Responses must be provided free of charge twice per calendar year per consumer; reasonable fees may apply to manifestly unfounded or excessive additional requests.
If you deny a request, you must inform the consumer of the reason for the denial and provide them with a method to appeal. You must decide the appeal and inform the consumer in writing of the outcome within 60 days of receiving it. If the appeal is also denied, you must provide the consumer with the Texas Attorney General's contact information for further escalation.
Build the appeal mechanism as a documented, internal workflow rather than a generic support ticket queue. The TDPSA's appeal chain is not satisfied by a "contact us" email. Designate a privacy team member responsible for appeals, document each decision with reasoning, and maintain records of the AG referral step that consumers receive when appeals are denied.
Step 10: Understand Enforcement, the Cure Period, and the Allstate Warning
The Texas AG is the sole enforcer of the TDPSA. The statute expressly provides that it may not be construed as providing a basis for a private right of action, meaning no individual consumer, plaintiff's law firm, or class action can sue your company for a TDPSA violation. Tex. Bus. & Com. Code §§ 541.151, 541.156.
Before initiating any enforcement action, the AG must provide written notice identifying the specific statutory provisions alleged to have been violated. You then have 30 days to cure the identified violations and provide a written statement to the AG confirming the cure and the compliance measures implemented. If you cure successfully within that window, no enforcement action may be initiated for that specific violation. Tex. Bus. & Com. Code § 541.154. Unlike California, where the CPRA eliminated the CCPA's mandatory 30-day cure period, the TDPSA cure period has no sunset date as currently enacted.
If the 30-day period expires without a satisfactory cure, or if you later violate a written cure commitment, the AG may seek civil penalties of up to $7,500 per violation, injunctive relief, and recovery of reasonable attorney fees and court costs. Tex. Bus. & Com. Code § 541.155.
The per-violation framing matters. A business that processes precise geolocation data of 45,000 Texas consumers without consent does not face a single $7,500 fine. Depending on how the AG counts violations, the exposure could be measured in hundreds of millions of dollars.
The AG has already demonstrated its enforcement intent. In January 2025, the AG sued Allstate and its data analytics subsidiary Arity, in what the AG's press release describes as the first enforcement action by any state attorney general under a comprehensive data privacy law, for allegedly paying mobile app developers to embed tracking software that collected precise geolocation data from more than 45 million Americans, including Texans, and selling that data to insurance companies without consumer knowledge or consent. The case targets the sensitive-data consent and notice obligations directly, signaling that those duties are the AG's enforcement priority.
The practical takeaway: build your sensitive-data consent mechanisms and mandatory sale notices before you receive an AG notice letter, not after. The cure period is a last resort, not a compliance plan.
Related guides
- What Is the TDPSA? Texas Data Privacy and Security Act
- TDPSA Consumer Rights: Your Texas Data Privacy Rights
- Texas Data Privacy Laws: TDPSA & Consumer Rights Guide (2026)
- Texas Biometric Privacy Laws: Collection, Consent & Penalties (2026)
- US State Privacy Laws Comparison Chart (2026)
Sources
- Tex. Bus. & Com. Code ch. 541 (TDPSA full text). https://statutes.capitol.texas.gov/Docs/BC/htm/BC.541.htm
- Texas H.B. 4 (88th Legislature, enrolled), TDPSA original bill text. https://capitol.texas.gov/tlodocs/88R/billtext/html/HB00004F.htm
- Texas Attorney General, Texas Data Privacy and Security Act consumer information page. https://www.texasattorneygeneral.gov/consumer-protection/file-consumer-complaint/consumer-privacy-rights/texas-data-privacy-and-security-act
- Texas AG Press Release: Paxton Sues Allstate and Arity for Unlawfully Collecting, Using, and Selling Over 45 Million Americans' Driving Data. https://www.texasattorneygeneral.gov/news/releases/attorney-general-ken-paxton-sues-allstate-and-arity-unlawfully-collecting-using-and-selling-over-45
- Texas Department of Information Resources, TDPSA implementation page. https://dir.texas.gov/technology-legislation/texas-data-privacy-and-security-act
- Texas State Law Library, Texas Data Privacy and Security Act spotlight (July 2024). https://www.sll.texas.gov/spotlight/2024/07/texas-data-privacy-and-security-act/
- U.S. Small Business Administration, Size Standards overview (SBA small-business definition used in § 541.002). https://www.sba.gov/federal-contracting/contracting-guide/size-standards
- U.S. SBA, Table of Small Business Size Standards (13 C.F.R. Part 121). https://www.sba.gov/document/support-table-size-standards
- Tex. Bus. & Com. Code ch. 510, Texas Data Broker Registration Law (formerly ch. 509, redesignated eff. September 1, 2025). https://statutes.capitol.texas.gov/Docs/BC/htm/BC.510.htm