Skip to content

Texas Data Privacy and Security Act

A guide to the Texas Data Privacy and Security Act (TDPSA) effective July 2024.

Apidly TeamFebruary 19, 2026
texastdpsaprivacy

Overview

The Texas Data Privacy and Security Act (TDPSA), signed into law in June 2023 and effective July 1, 2024, establishes comprehensive data privacy rights for Texas residents and obligations for businesses that collect and process their personal data. Texas is the largest state by population to enact a comprehensive privacy law, and the TDPSA reflects a consumer-friendly approach with broad applicability.

Unlike several other state privacy laws, the TDPSA does not include revenue thresholds for applicability, which means it can apply to businesses of virtually any size. This broad scope makes it one of the more far-reaching state privacy laws in the United States.

Who Does It Apply To?

The TDPSA applies to:

  • Any person or entity that conducts business in Texas or produces a product or service consumed by Texas residents
  • Organizations that process or engage in the sale of personal data
  • Entities that are not small businesses as defined by the US Small Business Administration

The TDPSA does not apply to:

  • State agencies and political subdivisions
  • Financial institutions subject to the Gramm-Leach-Bliley Act
  • Covered entities and business associates under HIPAA
  • Nonprofit organizations
  • Institutions of higher education

The absence of specific revenue or data volume thresholds means that even mid-sized businesses serving Texas consumers must evaluate their compliance obligations under the TDPSA.

Key Requirements

Privacy Notice

Organizations must provide consumers with a clear and accessible privacy notice that includes:

  • The categories of personal data processed
  • The purposes of processing
  • How consumers can exercise their rights
  • The categories of personal data shared with third parties
  • The categories of third parties with whom data is shared

Consent for Sensitive Data

Processing sensitive data requires the consumer's affirmative consent. Sensitive data under the TDPSA includes:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexuality or citizenship status
  • Genetic or biometric data
  • Personal data of a known child
  • Precise geolocation data

Data Protection Assessments

Organizations must conduct and document data protection assessments for processing activities that present a heightened risk of harm to consumers. These include:

  • Processing personal data for targeted advertising
  • Sale of personal data
  • Processing sensitive data
  • Processing for profiling that presents a reasonably foreseeable risk of harm

Data Minimization

Organizations must limit their collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purpose. Personal data must not be processed for purposes that are not reasonably necessary or compatible with the disclosed purpose without obtaining additional consent.

Universal Opt-Out Mechanism

The TDPSA requires controllers to recognize universal opt-out mechanisms, such as the Global Privacy Control (GPC), that allow consumers to opt out of the sale of personal data and targeted advertising through their browser settings.

Individual Rights

Texas residents have the following rights under the TDPSA:

  • Right to know: Confirm whether a controller is processing their personal data and access that data
  • Right to correct: Request correction of inaccuracies in their personal data
  • Right to delete: Request deletion of personal data provided by or obtained about the consumer
  • Right to data portability: Obtain a copy of their personal data in a portable and readily usable format
  • Right to opt out: Opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects

Enforcement and Penalties

The Texas Attorney General has exclusive enforcement authority for the TDPSA:

  • Cure period: Before taking enforcement action, the Attorney General must provide a 30-day notice and opportunity to cure the alleged violation. This cure period is set to expire on January 1, 2026, after which the Attorney General may pursue enforcement without providing an opportunity to cure.
  • Civil penalties: Violations can result in civil penalties of up to $7,500 per violation
  • Injunctive relief: The Attorney General can seek injunctive relief to stop ongoing violations
  • No private right of action: Individual consumers cannot sue businesses directly under the TDPSA. Enforcement is limited to the Attorney General's office.

How Apidly Helps

Apidly provides comprehensive TDPSA compliance support:

  • Privacy notice generation creates compliant privacy notices that include all required disclosures about data categories, purposes, third-party sharing, and consumer rights
  • Sensitive data identification scans your data processing activities to identify where sensitive data categories are involved and ensures affirmative consent is obtained before processing
  • Data protection assessment templates guide you through the required assessments for targeted advertising, data sales, sensitive data processing, and profiling activities
  • Universal opt-out integration connects with Global Privacy Control and other recognized opt-out mechanisms so your systems automatically honor consumer preferences
  • Consumer rights management automates the intake, verification, and fulfillment of consumer requests for access, correction, deletion, and data portability within the required response timelines