Texas Data Privacy and Security Act: What Businesses Need to Know


This guide explains how the TDPSA applies to businesses processing Texas residents’ personal data, including consumer rights, opt-outs, GPC signals, sensitive data, and practical review steps.

The Texas Data Privacy and Security Act is already in effect, and it is scoped differently from most other US state privacy laws. Instead of using a fixed revenue or consumer-count threshold, the TDPSA asks whether your business processes or sells personal data of Texas residents and whether you qualify as a small business under federal SBA size standards.

That broader structure means some businesses that fall outside California, Colorado, or Virginia thresholds may still need to review their Texas privacy obligations.

This guide explains who the TDPSA applies to, what it requires, and what practical steps your business can take.

Key takeaways
  • In effect since July 1, 2024. The TDPSA applies to any business that processes or sells personal data of Texas residents, unless a specific exemption applies.
  • No fixed revenue or consumer count threshold. Unlike most US state privacy laws, the TDPSA does not use a dollar or data-volume trigger. Scope is shaped by the federal SBA small business definition instead.
  • SBA-defined small businesses are largely exempt, but they cannot sell sensitive personal data without first obtaining consumer consent.
  • Sensitive data under the TDPSA includes precise geolocation and financial data, two categories not treated as sensitive under the Colorado Privacy Act.
  • Businesses must honor GPC signals and other recognized universal opt-out mechanisms as of January 1, 2025.
  • The TDPSA includes an active 30-day cure period. Businesses have time to correct violations before the Texas AG pursues civil penalties.

What is the Texas Data Privacy and Security Act?

The Texas Data Privacy and Security Act (TDPSA) is a comprehensive state privacy law that gives Texas residents rights over their personal data and places legal obligations on businesses that collect and process it.

Signed into law on June 18, 2023, and effective since July 1, 2024, the TDPSA is one of the broadest state privacy laws in the United States in terms of who it covers. The full text of HB 4 is publicly available on the Texas Legislature's website.

Unlike the California Consumer Privacy Act (CCPA) or the Colorado Privacy Act, the TDPSA does not set a specific annual revenue threshold or a fixed number of consumers to determine scope. Instead, it applies to any business that processes or sells personal data of Texas residents and does not qualify as a small business under the US Small Business Administration guidelines.

In structure, the TDPSA is closer to the Virginia-style privacy law model than to the CCPA. Because it has no fixed revenue or consumer-count threshold, however, its scope is broader than Virginia's for many businesses.

Does the TDPSA apply to your business?

The TDPSA applies to any person or entity that meets all three of the following:

  • Conducts business in Texas or produces products or services consumed by Texas residents
  • Processes or sells personal data
  • Is not a small business as defined by the US Small Business Administration

There is no minimum revenue threshold and no minimum number of Texas consumers. If your business operates in Texas, or your website or app attracts Texas residents as users, and you process their personal data, you may be in scope.

The SBA small business size standards vary by industry. If your business qualifies as an SBA small business, most TDPSA obligations do not apply. There is, however, one important exception: even SBA-defined small businesses cannot sell sensitive personal data without first obtaining explicit consent from the consumer. If you are unsure whether your business qualifies as an SBA small business, the SBA's official size standards table is the starting point.

You should review TDPSA applicability if:

  • You operate in Texas, sell to Texas residents, or have Texas website/app users.
  • You collect, process, or sell personal data.
  • You do not clearly qualify as an SBA-defined small business.

What does the TDPSA mean for your website?

For most businesses, TDPSA readiness starts with the website. If your website uses analytics tools, advertising pixels, retargeting scripts, forms, or other third-party tracking technologies, review how those tools collect and use data from Texas visitors.

Under the TDPSA, your website should be able to:

  • Display a clear privacy notice explaining what data you collect, how you use it, and who you share it with
  • Provide a visible, accessible mechanism for Texas visitors to opt out of the sale of their personal data and of targeted advertising
  • Honor browser-based opt-out signals, including Global Privacy Control (GPC), as of January 1, 2025
  • Support consumer rights requests and respond within the required timeframes

If you sell personal data or use it for targeted advertising, Texas visitors must be able to exercise opt-out rights through a clear link or control on your website. This is a specific legal requirement, not an optional design choice.

Who is exempt from the TDPSA?

The TDPSA includes both entity-level and data-level exemptions. Do not assume your business is exempt without checking both categories.

Entity-level exemptions

  • Texas state agencies and local government bodies
  • Nonprofits (unlike the Colorado Privacy Act, nonprofits are fully exempt from the TDPSA)
  • Institutions of higher education
  • SBA-defined small businesses, except for the prohibition on selling sensitive personal data

Data-level exemptions

The following data types are excluded from TDPSA obligations:

  • HIPAA: protected health information held by covered entities and business associates
  • GLBA: financial data governed by the Gramm-Leach-Bliley Act
  • FERPA: student educational records maintained by educational institutions
  • Employment records maintained for HR purposes
  • Publicly available information

Texas nonprofits, although exempt from the TDPSA itself, may still need to review other privacy, health, financial, or sector-specific laws.

Consumer rights under the TDPSA

The TDPSA gives Texas residents five rights over their personal data:

  • Right to access: request confirmation of whether a business is processing your personal data, and obtain a copy of it
  • Right to correction: request that inaccurate personal data be corrected
  • Right to deletion: request that personal data be deleted
  • Right to portability: receive personal data in a portable, machine-readable format
  • Right to opt out: opt out of the sale of personal data, of targeted advertising, and of profiling that produces decisions with significant legal or similar effects

Businesses generally have 45 days to respond to a consumer rights request. That deadline can be extended by a further 45 days with notice to the consumer.

If a request is denied, the business must inform the consumer and provide an appeal process. An appeal must receive a response within 60 days.

If your business receives a high volume of privacy rights requests, a structured data subject request workflow can help manage intake, identity verification, deadlines, and appeals.

What data is considered sensitive under the TDPSA?

The TDPSA designates certain data categories as sensitive. Processing sensitive personal data generally requires opt-in consent from the consumer before processing begins.

Sensitive data categories under the TDPSA:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition or diagnosis
  • Sex life or sexual orientation
  • Citizenship or immigration status
  • Genetic data that could uniquely identify an individual
  • Biometric data processed for identification purposes
  • Personal data from a known child under 13
  • Precise geolocation (within a radius of 1,750 feet of a person's location)
  • Financial information that can be used to identify an individual, including account numbers or credit card numbers

Two categories are particularly important compared to other state privacy laws. Precise geolocation data (defined as within 1,750 feet) and financial data, including account and credit card numbers, are treated as sensitive under the TDPSA. Neither is a sensitive category under the Colorado Privacy Act.

If your website or app collects precise location data or financial information from Texas visitors, review whether opt-in consent is required before that processing begins.

Opt-out of sale and universal opt-out signals under the TDPSA

The TDPSA gives Texas residents the right to opt out of:

  • The sale of their personal data to third parties
  • The use of their data for targeted advertising
  • Profiling that produces decisions with significant legal or similar effects on the consumer

Since January 1, 2025, businesses subject to the TDPSA must also honor recognized universal opt-out signals. The most common example is the Global Privacy Control (GPC), a browser-based signal that communicates a consumer's opt-out preference automatically on every visit. Technically, GPC reaches your site in two forms: as the HTTP request header Sec-GPC: 1, which your server sees on every request, and as the navigator.globalPrivacyControl property, which your page scripts and tag manager can read.

When your website receives a valid GPC signal from a Texas visitor, it must treat that signal as a formal opt-out request. The consumer should not need to take any additional steps, fill out a form, or navigate to a separate page.
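As an added illustration (not code from this page or from Clym), the following JavaScript parses both forms of the GPC signal, the Sec-GPC request header and the navigator.globalPrivacyControl property, and turns a valid signal into a per-request opt-out decision that switches off data sales and targeted-advertising tags. The visitor-region value and the policy object are assumptions introduced here; the GPC specification does not say how a site should determine a visitor's residency.

```javascript
// Added example: minimal server- and client-side handling of a Global Privacy
// Control (GPC) signal. Not part of the original page or of Clym's product.
//
// GPC reaches a site in two forms defined by the GPC specification:
//   - the HTTP request header "Sec-GPC: 1"
//   - the page-script property navigator.globalPrivacyControl (true/false)
// visitorRegion is a hypothetical output of an IP-geolocation or account-address
// lookup; the page does not prescribe how residency is determined.

// Returns true only when the Sec-GPC header is present with the exact value "1".
// Header names are case-insensitive, so any casing is accepted. Any other value
// ("0", "true", "") is ignored rather than guessed at: a malformed header is
// treated as no signal, which is the conservative reading of the spec.
function hasGpcHeader(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Client-side equivalent for scripts running in the page. Browsers that do not
// implement GPC leave the property undefined, which is treated as "no signal".
function hasGpcProperty(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Build the per-request opt-out decision. Policy knobs (assumed, not statutory):
//   honorForAllVisitors: apply GPC regardless of region (simplest; avoids
//                        geolocation errors that would under-apply the opt-out)
//   inScopeRegions:      regions where the signal must be honored when gating
// The decision lists the two purposes the text says GPC must switch off.
function gpcDecision(headers, visitorRegion, policy = {}) {
  const { honorForAllVisitors = true, inScopeRegions = ['TX'] } = policy;
  const signal = hasGpcHeader(headers);
  const inScope = honorForAllVisitors || inScopeRegions.includes(visitorRegion);
  const optOut = signal && inScope;
  return {
    gpcSignal: signal,
    optOutOfSale: optOut,
    optOutOfTargetedAds: optOut,
    // Tags that sell/share data or serve targeted ads must not load when opted out.
    loadAdTags: !optOut,
  };
}

// In-memory opt-out record so the preference is kept beyond a single request
// (a real deployment would persist this keyed by account or consent ID).
const optOutLog = [];
function recordOptOut(visitorId, decision, now = new Date()) {
  if (!decision.optOutOfSale && !decision.optOutOfTargetedAds) return null;
  const entry = {
    visitorId,
    source: 'gpc',
    purposes: ['sale', 'targeted_advertising'],
    recordedAt: now.toISOString(),
  };
  optOutLog.push(entry);
  return entry;
}

// Body for GET /.well-known/gpc.json, which the GPC spec defines so that a site
// can publicly declare that it honors the signal. lastUpdate is an ISO date.
function gpcWellKnown(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Constructed sample requests (not captured traffic).
const sampleRequests = [
  { headers: { 'Sec-GPC': '1', 'User-Agent': 'example' }, region: 'TX' },
  { headers: { 'sec-gpc': '1' }, region: 'CA' },
  { headers: { 'Sec-GPC': 'true' }, region: 'TX' }, // malformed: ignored
  { headers: {}, region: 'TX' },                    // no signal
];

// Run every sample through the given policy and return the decisions.
function runSamples(policy) {
  return sampleRequests.map((r) => gpcDecision(r.headers, r.region, policy));
}
```

Honoring the signal for every visitor (the default policy above) is the simpler and lower-risk design: an IP-geolocation gate that misplaces a Texas resident would silently fail to apply an opt-out the law requires, whereas over-applying it costs only some ad revenue. The region gate is included only because the text frames the obligation in terms of Texas visitors.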

For a side-by-side view of how the TDPSA compares to other active US state privacy laws on opt-out requirements, cure periods, and enforcement, see Clym's US state privacy law comparison guide.

When do you need a data protection assessment?

The TDPSA requires businesses to conduct data protection assessments before processing personal data in certain higher-risk ways. A data protection assessment should document the purpose of the processing, the potential risks it creates for consumers, and the safeguards in place to reduce those risks.

Assessments are required before:

  • Using personal data for targeted advertising
  • Selling personal data
  • Processing sensitive personal data
  • Profiling individuals when that profiling could have significant effects on the consumer

Assessments should be reviewed and updated if the processing activity changes in a material way, such as a new purpose or a new data source.

The Texas Attorney General can demand to review data protection assessments, so treat them as living compliance records rather than one-time paperwork. Each assessment should be specific to the processing activity it covers, not a generic policy document.

TDPSA enforcement and penalties

The Texas Attorney General has exclusive authority to enforce the TDPSA. There is no private right of action, which means consumers cannot sue businesses directly for TDPSA violations.

Before taking formal enforcement action, the Texas AG must give the business written notice and a 30-day cure period to correct the violation. Unlike the cure periods in several other state laws, the Texas cure period has no sunset date.

This distinguishes it from several other state laws: California no longer has a general cure period, and Colorado's 60-day cure period expired on January 1, 2025.

If a business does not correct a violation within the cure period, the AG can pursue civil penalties of up to $7,500 per violation.

Texas has also signaled active privacy enforcement through the Attorney General’s office, so businesses should treat the cure period as a chance to fix issues, not as a reason to delay review.

How to work toward TDPSA compliance

If your business already has privacy infrastructure in place for the CCPA or GDPR, some of that work may also support your TDPSA obligations. The main areas to review are:

  1. Confirm whether the TDPSA applies
  2. Map Texas personal data and third-party sharing
  3. Update your privacy notice
  4. Review consent and opt-out handling, including GPC and other universal opt-out signals
  5. Set up consumer rights and appeal workflows
  6. Document data protection assessments for high-risk processing
  7. Review your sensitive data practices

How Clym can help with Texas data privacy requirements

The TDPSA can affect several parts of your privacy setup, from website opt-outs and GPC signals to privacy notices, sensitive data consent, and consumer rights requests.

Clym helps teams manage these workflows from one platform. You can show location-based consent and opt-out experiences for Texas visitors, recognize Global Privacy Control signals, manage privacy rights requests, maintain privacy and cookie notices, and scan your website for cookies and trackers that may need review.

Clym does not guarantee compliance. Your TDPSA obligations depend on your specific data practices, legal interpretations, and internal processes. The platform gives your team tools to support privacy operations and work toward applicable requirements.

How does the TDPSA compare to other US privacy laws?

If your business already operates under the CCPA, Colorado Privacy Act, or GDPR, you need to know where the TDPSA diverges, not just what it says on its own. The differences below are the ones most likely to affect your existing privacy program.

Effective date
  • TDPSA (Texas): July 1, 2024
  • CCPA/CPRA (California): January 1, 2020 (CPRA amendments January 1, 2023)
  • CPA (Colorado): July 1, 2023
  • GDPR (EU): May 25, 2018

Applicability threshold
  • TDPSA: no revenue or data-volume floor; SBA small business exemption
  • CCPA/CPRA: $25M+ annual revenue, or buys/sells/shares personal data of 100K+ consumers or households, or 50%+ of revenue from selling/sharing personal data
  • CPA: 100K+ consumers, or 25K+ consumers with revenue or a discount from data sales
  • GDPR: establishment in the EU, or offering goods or services to, or monitoring, people in the EU; no size floor

Applies to nonprofits?
  • TDPSA: No
  • CCPA/CPRA: No
  • CPA: Yes
  • GDPR: Yes

Sensitive data consent
  • TDPSA: opt-in required
  • CCPA/CPRA: opt-out (right to limit use and disclosure)
  • CPA: opt-in required
  • GDPR: opt-in (explicit consent or another Article 9 condition)

Precise geolocation as sensitive?
  • TDPSA: Yes (within 1,750 ft)
  • CCPA/CPRA: Yes (within 1,850 ft)
  • CPA: No
  • GDPR: No (not an Article 9 special category)

Financial data as sensitive?
  • TDPSA: Yes (account/card numbers)
  • CCPA/CPRA: Yes, but only an account or card number combined with the credentials needed to access the account
  • CPA: No
  • GDPR: No

Universal opt-out / GPC required?
  • TDPSA: Yes (from January 1, 2025)
  • CCPA/CPRA: Yes
  • CPA: Yes (UOOM list, including GPC)
  • GDPR: no formal requirement

Data protection assessments
  • TDPSA: required
  • CCPA/CPRA: required (risk assessments)
  • CPA: required
  • GDPR: required (DPIAs under Article 35)

Cure period
  • TDPSA: 30 days, no sunset date
  • CCPA/CPRA: none mandatory (at the regulator's discretion)
  • CPA: none (expired January 1, 2025)
  • GDPR: none

Private right of action?
  • TDPSA: No
  • CCPA/CPRA: limited (certain data breaches)
  • CPA: No
  • GDPR: Yes

Maximum penalty per violation
  • TDPSA: $7,500
  • CCPA/CPRA: $7,500 for intentional violations, $2,500 otherwise (inflation-adjusted)
  • CPA: $20,000
  • GDPR: €20M or 4% of global annual turnover, whichever is higher

Enforcement body
  • TDPSA: Texas AG only
  • CCPA/CPRA: CPPA and the California AG
  • CPA: Colorado AG and district attorneys
  • GDPR: national and regional data protection authorities

Consumer request response window
  • TDPSA: 45 days (extendable by 45 days)
  • CCPA/CPRA: 45 days (extendable by 45 days)
  • CPA: 45 days (extendable by 45 days)
  • GDPR: one month (extendable by two further months)

Conclusion

The Texas Data Privacy and Security Act is now in effect and can apply broadly because it does not rely on fixed revenue or consumer-count thresholds. Businesses that serve Texas residents should review whether they are in scope, especially if they collect personal data through websites, apps, forms, analytics tools, advertising pixels, or third-party trackers.

The most important areas to review are your privacy notice, opt-out experience, GPC handling, consumer rights workflow, sensitive data processing, and data protection assessments. If you already have privacy infrastructure for California, Colorado, or GDPR, those processes may provide a useful starting point for addressing TDPSA requirements.

Frequently asked questions

The TDPSA applies if your business conducts business in Texas or produces products or services consumed by Texas residents, and you process or sell personal data. The law does not use a fixed revenue or consumer count threshold. Businesses classified as small businesses under the US Small Business Administration standards are largely exempt, though they may still have obligations if they sell sensitive personal data.

Businesses classified as small businesses under the federal Small Business Act are exempt from most TDPSA obligations. The SBA defines small business size standards by industry, based on employee count or annual revenue. However, even SBA-defined small businesses are still prohibited from selling sensitive personal data without first obtaining explicit consent from the consumer.

Texas residents have the right to access their personal data, request corrections, request deletion, receive data in a portable format, and opt out of the sale of their data, targeted advertising, and profiling that produces significant legal or similar effects. Businesses have 45 days to respond to a rights request, extendable by another 45 days.

The TDPSA requires businesses to honor recognized universal opt-out signals, including Global Privacy Control (GPC), as of January 1, 2025. When a Texas visitor's browser sends a GPC signal, the business must treat it as a formal opt-out request for data sales and targeted advertising, without requiring the visitor to take any further step.

The Texas Attorney General enforces the TDPSA and can impose civil penalties of up to $7,500 per violation. Before pursuing penalties, the AG must give the business a 30-day cure period to correct the violation. There is no private right of action: consumers cannot bring lawsuits directly against businesses for TDPSA violations.

The TDPSA is generally considered less stringent than the CCPA and the Colorado Privacy Act. Key differences include: the TDPSA uses an SBA-based small business exemption rather than fixed data-volume or revenue thresholds; nonprofits are exempt under the TDPSA but not under the CPA; the TDPSA treats precise geolocation and financial data as sensitive categories, which the CPA does not; and the TDPSA still has an active 30-day cure period, whereas Colorado's expired on January 1, 2025, and California has no general cure period.