TDPSA

Texas Data Privacy and Security Act

Texas Office of the Attorney General

Texas privacy law applying to businesses conducting business in Texas, granting consumer data rights, and requiring recognition of universal opt-out signals.

6Citations
0Audited
6Reference only
Jun 2025Last amended
Official source ↗Effective July 1, 2024
§ 541.001Reference

Definitions

Defines core terms for the Texas Data Privacy and Security Act, including consumer, controller, processor, personal data, sensitive data, and consent.

Scope
§ 541.002Reference

Applicability of Chapter

Applies only to a person that conducts business in Texas (or produces a product or service consumed by Texas residents) and that processes or engages in the sale of personal data. Uniquely among state privacy laws, the TDPSA has no numeric consumer-count threshold; instead it excludes small businesses as defined by the United States Small Business Administration — though § 541.107 still bars even an exempt small business from selling sensitive data without the consumer's consent.

Scope
§ 541.051Reference

Consumer’s Personal Data Rights; Request to Exercise Rights

Consumers exercise their rights by submitting a request to the controller, and a parent or legal guardian may exercise them on behalf of a known child (subsection (a)). A controller must comply with an authenticated request to confirm/access, correct, and delete personal data, obtain a portable copy, and opt out of targeted advertising, the sale of personal data, and profiling that produces a legal or similarly significant effect (subsection (b)).

Consumer RightsOpt-Out
§ 541.101Reference

Controller Duties; Transparency

Sets out controller duties: data minimization limited to what is adequate, relevant, and reasonably necessary for the disclosed purposes (subsection (a)(1)) and reasonable administrative, technical, and physical data security (subsection (a)(2)). Subsection (b) prohibits processing data for incompatible purposes without consent, unlawful discrimination against consumers, and processing a consumer's sensitive data without consent (or, for a known child, other than in accordance with COPPA). The privacy-notice content requirements are set out separately in § 541.102.

Privacy PolicyData CollectionConsentSensitive PI
§ 541.055Reference

Methods for Submitting Consumer Requests

Section 541.055 governs the methods a controller must provide for consumers to submit requests. Its authorized-agent provision (subsection (e)) implements a universal opt-out signal as a technology-based agent designation: a consumer may designate an agent via an internet link, a browser setting or extension, or a global device setting (e.g., GPC) to signal intent to opt out of targeted advertising and the sale of personal data (§ 541.051(b)(5)(A)–(B)). Controllers must honor such a signal, verified with commercially reasonable effort, starting January 1, 2025 — six months after the Act's general July 1, 2024 effective date.

Opt-OutGPC
§ 541.151Reference

Enforcement by the Attorney General; Civil Penalties

The Texas Attorney General has exclusive authority to enforce the TDPSA (§ 541.151), and there is no private right of action (§ 541.156). Before bringing an action, the Attorney General must give written notice and a 30-day opportunity to cure, which does not expire (§ 541.154). A person who fails to cure, or who breaches a written cure statement, is liable for a civil penalty of up to $7,500 per violation, plus injunctive relief and the Attorney General's reasonable attorney's fees and investigative expenses (§ 541.155).

Enforcement

Stop Guessing. Start Knowing.

Find out exactly where your website stands before a regulator does.

Get My Compliance Audit