Texas Data Privacy and Security Act
Texas privacy law applying to businesses conducting business in Texas, granting consumer data rights, and requiring recognition of universal opt-out signals.
Definitions
Defines core terms for the Texas Data Privacy and Security Act, including consumer, controller, processor, personal data, sensitive data, and consent.
Applicability of Chapter
Applies only to a person that conducts business in Texas (or produces a product or service consumed by Texas residents) and that processes or engages in the sale of personal data. Uniquely among state privacy laws, the TDPSA has no numeric consumer-count threshold; instead it excludes small businesses as defined by the United States Small Business Administration — though § 541.107 still bars even an exempt small business from selling sensitive data without the consumer's consent.
Consumer’s Personal Data Rights; Request to Exercise Rights
Consumers exercise their rights by submitting a request to the controller, and a parent or legal guardian may exercise them on behalf of a known child (subsection (a)). A controller must comply with an authenticated request to confirm/access, correct, and delete personal data, obtain a portable copy, and opt out of targeted advertising, the sale of personal data, and profiling that produces a legal or similarly significant effect (subsection (b)).
Controller Duties; Transparency
Sets out controller duties: data minimization limited to what is adequate, relevant, and reasonably necessary for the disclosed purposes (subsection (a)(1)) and reasonable administrative, technical, and physical data security (subsection (a)(2)). Subsection (b) prohibits processing data for incompatible purposes without consent, unlawful discrimination against consumers, and processing a consumer's sensitive data without consent (or, for a known child, other than in accordance with COPPA). The privacy-notice content requirements are set out separately in § 541.102.
Methods for Submitting Consumer Requests
Section 541.055 governs the methods a controller must provide for consumers to submit requests. Its authorized-agent provision (subsection (e)) implements a universal opt-out signal as a technology-based agent designation: a consumer may designate an agent via an internet link, a browser setting or extension, or a global device setting (e.g., GPC) to signal intent to opt out of targeted advertising and the sale of personal data (§ 541.051(b)(5)(A)–(B)). Controllers must honor such a signal, verified with commercially reasonable effort, starting January 1, 2025 — six months after the Act's general July 1, 2024 effective date.
Enforcement by the Attorney General; Civil Penalties
The Texas Attorney General has exclusive authority to enforce the TDPSA (§ 541.151), and there is no private right of action (§ 541.156). Before bringing an action, the Attorney General must give written notice and a 30-day opportunity to cure, which does not expire (§ 541.154). A person who fails to cure, or who breaches a written cure statement, is liable for a civil penalty of up to $7,500 per violation, plus injunctive relief and the Attorney General's reasonable attorney's fees and investigative expenses (§ 541.155).
Legal notice: This reference library is for informational purposes only and does not constitute legal advice. Excerpts are reproduced from official public sources and are current as of June 2025. Laws and regulations change: always verify against the authoritative source and consult a qualified attorney.