What Is the TDPSA? Texas Data Privacy and Security Act

The Texas Data Privacy and Security Act (TDPSA), codified at Tex. Bus. & Com. Code ch. 541, took effect July 1, 2024. Signed by Governor Greg Abbott on June 18, 2023, it gives Texas residents rights over their personal data and sets a coverage threshold found nowhere else in U.S. state privacy law: instead of a revenue floor or data-volume minimum, it simply covers every business that is not a U.S. Small Business Administration small business.
As of 2026, the Texas Attorney General holds exclusive enforcement authority over the TDPSA and may seek civil penalties up to $7,500 per violation. Businesses that receive a written violation notice have 30 days to cure before any action can proceed.
What the TDPSA is: statute, enactment, and effective dates
The Texas Data Privacy and Security Act is Texas's first comprehensive consumer data privacy law. It is codified at Texas Business and Commerce Code Chapter 541, Sections 541.001 through 541.204, and was enacted as House Bill 4 during the 88th Legislative Session. Governor Greg Abbott signed HB 4 on June 18, 2023. The main body of the law took effect July 1, 2024, giving businesses roughly a year to prepare after enactment.
One specific provision took effect on a later date. Section 541.055(e), which requires controllers to honor universal opt-out signals submitted by a consumer's authorized agent through qualifying technology, became effective January 1, 2025. The enrolled bill text expressly states: "The Act takes effect July 1, 2024, except for Section 541.055(e), Business & Commerce Code...takes effect January 1, 2025." That staggered structure gave businesses additional time to implement the technical mechanisms needed to detect and honor browser-level opt-out preferences before the requirement kicked in.
Texas joins more than 20 states that have enacted comprehensive data privacy legislation as of mid-2026. What makes the TDPSA stand apart from that group is not its effective date or its consumer rights (those are largely in line with the national pattern) but how it defines which businesses it covers. The SBA small-business threshold is a design choice no other state legislature has replicated, and it has significant practical consequences for mid-size companies that would not be covered by the CCPA.
For the full compliance framework covering controller and processor obligations, data protection assessment requirements, and privacy notice content requirements, see the Texas data privacy laws parent page.
Who the TDPSA covers: the SBA small-business threshold
The TDPSA's applicability test is unique among U.S. state privacy laws. Under Section 541.002(a), the law applies to any person that: (1) conducts business in Texas or produces a product or service consumed by residents of Texas; AND (2) processes or engages in the sale of personal data; AND (3) is not a small business as defined by the U.S. Small Business Administration.
The statute's own language is direct: "This chapter applies only to a person that: (1) conducts business in this state or produces a product or service consumed by residents of this state; (2) processes or engages in the sale of personal data; and (3) is not a small business as defined by the United States Small Business Administration."
That third prong is the differentiator. Compare it with California's approach under the CCPA, which requires that a for-profit business meet at least one of three quantitative thresholds: more than $25 million in annual gross revenue, processing the personal information of 100,000 or more California consumers or households, or deriving 50% or more of annual revenue from selling or sharing personal information. A company that earns $10 million per year and handles data for 40,000 Californians is not subject to the CCPA. The same company, if it processes personal data of any Texas residents and does not qualify as an SBA small business, is subject to the TDPSA.
The U.S. Small Business Administration publishes size standards by NAICS industry code. The thresholds vary widely: a company in a professional services sector may be "small" at fewer than 150 employees, while a manufacturing firm may qualify up to 1,500 employees or $47 million in receipts. Because the TDPSA outsources the size determination to federal SBA standards, a company's TDPSA coverage status can turn on its specific industry classification, not just its headcount or revenue in the abstract. Businesses operating across multiple NAICS codes should identify which standard governs their primary activities.
The practical upshot: many mid-size data brokers, software-as-a-service companies, and analytics firms that do not meet the CCPA's revenue floor are nonetheless covered by the TDPSA as soon as they process data relating to even a small number of Texas residents.
Categorical exemptions under Section 541.002(b)
In addition to the SBA small-business exclusion, Section 541.002(b) lists categorical entity exemptions that remove certain types of organizations from the TDPSA's reach regardless of size or data volume. The following entity types are exempt:
- State agencies and political subdivisions of Texas
- Financial institutions and their affiliates subject to the Gramm-Leach-Bliley Act (GLBA)
- HIPAA-covered entities and business associates
- Nonprofit organizations
- Institutions of higher education
- Electric utilities, power generation companies, and retail electric providers regulated under Texas Utilities Code
These exemptions mean that hospitals, banks, credit unions, insurance companies regulated under GLBA, universities, charities, and state government bodies all operate outside the TDPSA even if they handle large volumes of Texas resident data. A HIPAA-covered health system, for example, is exempt from TDPSA obligations on the same patient data it holds, though it remains subject to HIPAA's own data rights and security obligations.
Controllers that are partially exempt (for example, a company that operates both a HIPAA-regulated health division and a non-regulated consumer division) should apply the TDPSA only to the data that falls outside the exempt category. The statute does not grant a whole-organization exemption based on partial regulatory overlap.
The small-business exception and the sensitive-data carve-out
Businesses that qualify as SBA small businesses are exempt from most TDPSA requirements. They do not need to respond to consumer access, correction, deletion, or portability requests. They do not need to provide a privacy notice that conforms to Section 541.102's content requirements. They do not need to honor universal opt-out signals.
But the exemption is not total. Section 541.107(a) creates a targeted obligation that applies specifically to small businesses: "A person described by Section 541.002(a)(3) may not engage in the sale of personal data that is sensitive data without receiving prior consent from the consumer."
In plain terms, if a small business wants to sell sensitive personal data, it must first get the consumer's opt-in consent. There is no size-based pass on this requirement. The legislature drew a line between operational obligations (which only apply to non-SBA businesses) and protective rights over the most sensitive categories of data (which apply even to the smallest covered entity that sells data).
Sensitive data under Section 541.001 of the statute includes: data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status; genetic or biometric data processed for the purpose of uniquely identifying an individual; personal data collected from a known child under 13; and precise geolocation data within a radius of 1,750 feet. A small business that collects and sells, for example, location data from users near a medical facility, or that monetizes health-related survey responses, cannot simply claim the SBA exemption and proceed without consent.
The five consumer rights under the TDPSA
Texas residents covered by the TDPSA hold five rights against covered controllers under Section 541.051(a)(1) through (5):
- Right of access. A consumer may confirm whether a controller is processing their personal data and receive a copy of that data in a portable and readily usable format.
- Right of correction. A consumer may require a controller to correct inaccurate personal data about them, taking into account the nature and purpose of the processing.
- Right of deletion. A consumer may request deletion of personal data provided by or collected about them, subject to limited exceptions where the controller can demonstrate a lawful basis for continued retention.
- Right of portability. A consumer may obtain a copy of their personal data in a readily usable digital format that permits transfer to another controller without hindrance, to the extent technically feasible.
- Right to opt out. A consumer may opt out of three categories of processing: targeted advertising directed at that consumer; the sale of the consumer's personal data to third parties; and profiling that produces a legal or similarly significant effect, such as decisions affecting access to credit, employment, education, insurance, or housing.
Controllers must respond to an authenticated consumer rights request within 45 days of receipt. If the controller needs additional time, it may extend the response period by one additional 45-day period (90 days total) when reasonably necessary, provided it notifies the consumer of the extension within the initial 45-day window. If the controller denies a request, it must notify the consumer and explain the basis for the denial. The consumer then has the right to appeal the denial, and the controller must respond to the appeal within 60 days with a written explanation if the appeal is again denied.
For the full compliance framework covering controller and processor obligations, data protection assessment requirements, and consumer rights response procedures, see the Texas data privacy laws parent page.
Universal opt-out signals: what the TDPSA requires as of January 1, 2025
Section 541.055(e), effective January 1, 2025, requires controllers to honor opt-out preferences expressed through an authorized agent using qualifying technology. The statute describes this technology as including "a link to an Internet website, an Internet browser setting or extension, or a global setting on an electronic device, that allows the consumer to indicate the consumer's intent to opt out of the processing" of their personal data for targeted advertising or sale.
This statutory language covers opt-out technologies that operate at the browser or device level rather than requiring the consumer to visit each website individually to click an opt-out button. The Global Privacy Control (GPC), a browser-based signal developed by privacy advocates and supported by a growing number of browsers and extensions, fits within this description. The statute does not name GPC by brand, but the technical description encompasses GPC-type signals: a global browser or device setting through which a consumer has indicated an intent to opt out.
One requirement limits which signals qualify. Section 541.055(f)(2) states that the technology must "require the consumer to make an affirmative, freely given, and unambiguous choice to opt out of the processing" and may not rely on a default setting. A browser configured out of the box to send a do-not-process signal, without any deliberate action by the user, does not meet this standard. The signal must reflect something the consumer actively chose to enable.
Controllers may decline to honor a signal only if they cannot verify, using commercially reasonable effort, that the consumer is a Texas resident or that the authorized agent has authority to act on the consumer's behalf. This narrow exception prevents controllers from ignoring all GPC-type signals simply because residency verification is imperfect.
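The mechanics in the three paragraphs above (a browser-level signal, the requirement that it reflect an affirmative choice, and the narrow residency-verification exception) are what a controller's web tier has to implement. The following is an added example for this page, not code from any real project or from the GPC specification's authors. The header name `Sec-GPC` and the value `1` are the ones the Global Privacy Control specification defines; the request and consumer-record shapes, the `residency` field, and the reason strings are assumptions made for the example. A server cannot inspect the browser's configuration, so it relies on the specification's rule that the signal is only sent when a user has deliberately enabled it.

```javascript
// Added example: server-side evaluation of a GPC opt-out signal against the
// TDPSA targeted-advertising and sale opt-outs. All record shapes are assumed.

// Processing categories a consumer can opt out of under Section 541.051(a)(5).
const OPT_OUT_CATEGORIES = Object.freeze(['targeted_advertising', 'sale', 'profiling']);

// Read a header value regardless of how the client cased the header name.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === want) return String(value).trim();
  }
  return null;
}

// GPC is expressed as "Sec-GPC: 1". Any other value, or no header, is no signal.
function hasGpcSignal(headers) {
  return getHeader(headers, 'Sec-GPC') === '1';
}

// request.headers    - HTTP headers as received
// consumer.optedOut  - categories the consumer opted out of via the site's own
//                      controls (assumed field)
// consumer.residency - 'texas' | 'not_texas' | 'unknown' (assumed field: the
//                      outcome of whatever commercially reasonable verification
//                      the controller performs)
function evaluateOptOut(request, consumer) {
  const suppress = new Set(consumer.optedOut || []);
  const reasons = [];

  if (hasGpcSignal(request.headers)) {
    // The statute lets a controller decline a signal only when it cannot verify
    // residency. This example honours the signal when residency is 'unknown'
    // (a design choice for this example): ignoring every GPC signal because
    // verification is imperfect is what the narrow exception does not permit.
    // Only an affirmative 'not_texas' result takes the request outside the
    // TDPSA, and other state laws may still apply to it.
    if (consumer.residency === 'not_texas') {
      reasons.push('gpc_received_but_outside_tdpsa_scope');
    } else {
      // Section 541.055(e) covers targeted advertising and sale. The profiling
      // opt-out still arrives through the site's own controls, so the signal
      // does not add it.
      suppress.add('targeted_advertising');
      suppress.add('sale');
      reasons.push(consumer.residency === 'texas'
        ? 'gpc_honored_texas_resident'
        : 'gpc_honored_residency_unverified');
    }
  }

  return { suppress: [...suppress].sort(), reasons };
}

// Guard for a downstream call site, e.g. before a page view is shared with an ad partner.
function mayProcess(category, decision) {
  if (!OPT_OUT_CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
  return !decision.suppress.includes(category);
}

// Constructed sample request and consumer record, not real traffic.
const demo = evaluateOptOut({ headers: { 'sec-gpc': '1' } }, { residency: 'unknown', optedOut: [] });
console.log(demo, 'sale allowed:', mayProcess('sale', demo));
```

Call `evaluateOptOut` once per request and pass the decision to every place that would otherwise hand data to an advertising or data-sale partner; keeping the decision in one object makes it easy to log why a given request was or was not suppressed, which is the evidence you want on hand if the AG asks how signals are handled.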
Texas's universal opt-out requirement is comparable in effect to California's mandate that covered businesses honor GPC signals, but the Texas rule is grounded in a statutory provision rather than a regulatory interpretation. Virginia's VCDPA, by contrast, does not require controllers to honor universal opt-out signals even as of mid-2026, making Texas's statutory mandate broader on this point than Virginia's framework.
Sensitive and biometric data: opt-in consent and mandatory sale notices
The TDPSA imposes two distinct layers of protection for sensitive personal data, and both layers apply to any covered controller, not just those that handle large volumes of data.
The first layer is the consent requirement. Section 541.101(b)(4) prohibits any covered controller from processing sensitive data about a consumer "without obtaining the consumer's consent, or, in the case of processing the sensitive data of a known child, without processing that data in accordance with the Children's Online Privacy Protection Act." This is an opt-in standard: before any sensitive data may be processed, the controller must affirmatively obtain the consumer's agreement. There is no default-on processing with an opt-out path for sensitive categories.
Sensitive data under Section 541.001 includes: (1) data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status; (2) genetic or biometric data processed for the purpose of uniquely identifying an individual; (3) personal data collected from a known child under 13; and (4) precise geolocation data within a radius of 1,750 feet. The biometric category specifically covers facial recognition templates, fingerprints, voice prints, iris scans, and similar identifiers: any data processed to uniquely identify a person by biological characteristics.
The second layer is the notice requirement. When a controller sells sensitive personal data, Section 541.102(b) requires it to post a specific statutory notice in the same location and manner as its privacy notice: "NOTICE: We may sell your sensitive personal data." The statute does not give controllers discretion to phrase this differently or embed it in boilerplate language. When a controller sells biometric personal data specifically, Section 541.102(c) requires a separate additional notice: "NOTICE: We may sell your biometric personal data." Both notices must appear in the same location as the privacy notice, not buried in a terms-of-service footnote, but displayed alongside the primary disclosure document.
These two requirements interact: a controller that sells sensitive data must both obtain opt-in consent before the processing and post the statutory notice. The consent and the notice serve different functions. Consent authorizes the processing; the notice informs consumers that a sale may occur. Both must be in place before the sale begins.
TDPSA enforcement: AG-exclusive, 30-day cure, up to $7,500 per violation
Enforcement of the TDPSA belongs exclusively to the Texas Attorney General. Section 541.156 states that the chapter "may not be construed as providing a basis for, or being subject to, a private right of action for a violation of this chapter or any other law." No consumer may sue a covered business directly under Chapter 541, no matter how clear or willful the violation. All enforcement runs through the AG's office.
Before the AG may file any enforcement action, Section 541.154 requires the office to provide written notice to the alleged violator identifying the specific provision(s) of Chapter 541 at issue and giving the business 30 days to cure the violation. The statute's language is precise: the AG "must notify violators in writing not later than the 30th day before bringing the action, identifying the specific provisions of this chapter the attorney general alleges have been or are being violated." If the business cures the violation and provides written documentation within that 30-day window, no enforcement action may proceed for that violation.
The cure period under the TDPSA is permanent, with no sunset date. This is a meaningful distinction from some other state privacy laws that began with cure provisions and later eliminated them. Colorado's privacy law, for example, started with a cure period that expired January 1, 2025; Connecticut's cure period also expired. The Texas legislature embedded no expiration into the cure mechanism, making it a durable feature of the enforcement landscape. A business that discovers a TDPSA compliance gap and corrects it before the AG files suit can avoid penalties for that specific violation.
If the violation is not cured within 30 days, or if the business subsequently violates a written cure statement it previously provided to the AG, Section 541.155(a) authorizes civil penalties of up to $7,500 for each violation. The AG may also recover reasonable expenses, court costs, and attorney fees. The $7,500 cap applies per violation. For a business that systematically denied consumer deletion requests across thousands of accounts, the per-violation accumulation can become significant.
Data protection assessments are also an enforcement target. Section 541.105(a) requires controllers to document assessments for high-risk processing activities including targeted advertising, selling personal data, certain profiling, and sensitive data processing. These assessments apply only to processing activities that began after the July 1, 2024 effective date and are not retroactive. The AG may request documentation of assessments during an investigation, making them both a compliance requirement and a potential enforcement exhibit.
For the controller and processor obligations, privacy notice content requirements, vendor contract mandates, and data protection assessment documentation rules, see the Texas data privacy laws parent page.
TDPSA vs. CCPA: the key differences
The TDPSA and California's CCPA are the two most-compared U.S. state privacy laws for companies operating nationally. Our state data privacy law comparison page covers the full multistate picture, but three distinctions between the TDPSA and California's CCPA matter most in practice.
Coverage threshold. The CCPA applies to for-profit businesses meeting at least one of three quantitative thresholds: more than $25 million in annual gross revenue, data on 100,000 or more California consumers or households, or 50% or more of annual revenue from selling or sharing personal information. The TDPSA sets no revenue floor and no data-volume floor. Its only size filter is SBA small-business status. A company that earns $18 million per year and processes data for 30,000 Texas residents is not covered by the CCPA but is covered by the TDPSA, provided it is not an SBA small business in its industry. Conversely, a very large SBA-ineligible company that handles minimal Texas data may be covered by the TDPSA while a smaller high-volume California company is covered by the CCPA. The two laws cast different nets.
Universal opt-out. Both the TDPSA and the CCPA/CPRA now require covered businesses to honor browser and device-level opt-out signals submitted by consumers. California's obligation was established through regulatory guidance by the California Privacy Protection Agency interpreting the CPRA. Texas's obligation is written directly into the statute at Section 541.055(e), effective January 1, 2025. The practical effect is similar, but the legal basis differs: Texas's universal opt-out requirement rests on a clear statutory command; California's rests on agency interpretation of a broader opt-out mandate.
Private right of action. The CCPA retains a limited private right of action for consumers whose unencrypted and nonredacted personal information is exposed in a data breach caused by a business's failure to implement reasonable security procedures. Consumers may seek statutory damages of $100 to $750 per consumer per incident, or actual damages if higher. The TDPSA has no private right of action of any kind. A Texas resident whose data is sold without consent, whose deletion request is ignored, or whose sensitive data is processed without consent cannot sue the covered business directly under Chapter 541. All enforcement runs exclusively through the AG.
Related guides
- TDPSA Consumer Rights: Your Texas Data Privacy Rights
- TDPSA Compliance Checklist for Businesses (2026)
- Texas Data Privacy Laws: TDPSA & Consumer Rights Guide (2026)
- Texas Biometric Privacy Laws: Collection, Consent & Penalties (2026)
- US State Privacy Laws Comparison Chart (2026)
Sources and References
- Tex. Bus. & Com. Code ch. 541: Texas Data Privacy and Security Act (Full Text) (statutes.capitol.texas.gov)
- Texas HB 4, 88th Legislature (2023): Enrolled Bill Text (capitol.texas.gov)
- Texas HB 4: Legislative History (88th Regular Session) (capitol.texas.gov)
- Tex. Bus. & Com. Code § 541.002: Applicability (statutes.capitol.texas.gov)
- Tex. Bus. & Com. Code § 541.051: Consumer Rights (statutes.capitol.texas.gov)
- Tex. Bus. & Com. Code § 541.055: Consumer Opt-Out Rights and Universal Opt-Out Signals (statutes.capitol.texas.gov)
- Tex. Bus. & Com. Code § 541.101: Controller Responsibilities (statutes.capitol.texas.gov)
- Tex. Bus. & Com. Code § 541.102: Privacy Notice and Sensitive Data Sale Notices (statutes.capitol.texas.gov)
- Tex. Bus. & Com. Code § 541.105: Data Protection Assessments (statutes.capitol.texas.gov)
- Tex. Bus. & Com. Code § 541.107: Small Business Sensitive Data Restriction (statutes.capitol.texas.gov)
- Tex. Bus. & Com. Code § 541.154: 30-Day Cure Period (statutes.capitol.texas.gov)
- Tex. Bus. & Com. Code § 541.155: Civil Penalty; Injunction (statutes.capitol.texas.gov)
- Tex. Bus. & Com. Code § 541.156: No Private Right of Action (statutes.capitol.texas.gov)