Applies to any business that processes or sells personal data of Texas residents, except businesses meeting the federal SBA small-business definition. There is no consumer-count threshold.
Effective
2024-07-01
Penalty max
$7,500
Cure period
30 days
Honor GPC
Required
Overview
The Texas Data Privacy and Security Act (TDPSA) took effect July 1, 2024. It is one of the broadest state privacy laws in the country because it has no minimum consumer threshold — applicability is based on whether you do business in Texas and process personal data, with a carve-out only for small businesses meeting the federal SBA definition (which varies by industry, typically $40M revenue or fewer than 500 employees). The Texas AG has a permanent 30-day cure period, but has signaled aggressive enforcement, opening investigations against major retailers and e-commerce platforms. Penalties can reach $7,500 per violation, and the AG can also seek injunctive relief and recover attorney fees. Notably, the TDPSA requires explicit opt-in consent (not opt-out) for the sale of sensitive personal data such as precise geolocation, racial origin, health data, sexual orientation, and biometric identifiers.
Who it applies to
Small businesses meeting the federal SBA size definition (typically <$40M revenue) are exempt — but this is industry-specific.
Applies to any business that conducts business in Texas or produces products/services targeted to Texas residents AND processes or sells personal data, UNLESS it qualifies as a small business under the SBA definition (generally < $40M revenue depending on industry).
Consumer rights
Right to access
Consumers can request a copy of the personal data you hold about them.
Right to correction
Consumers can request you correct inaccurate personal data.
Right to deletion
Consumers can request you delete their personal data, subject to limited exceptions.
Right to portability
Consumers can request a machine-readable copy of their data to transfer elsewhere.
Right to opt out of sale
Consumers can opt out of the sale of their personal data to third parties.
Right to opt out of targeted advertising
Consumers can opt out of personalized ad targeting based on their behavior.
Right to opt out of profiling
Consumers can opt out of automated profiling for decisions with legal or similarly significant effects.
What this means for e-commerce
The Texas AG has been the most aggressive enforcer in the country in early 2025–2026, opening investigations against multiple e-commerce businesses for failing to provide clear opt-outs and for selling sensitive data without consent. Unlike California, Texas does not have a revenue threshold — most e-commerce businesses doing business in Texas are covered unless they meet the federal SBA small-business definition. The TDPSA requires a specific notice on your site if you sell sensitive personal data or biometric data: 'NOTICE: We may sell your sensitive personal data.'
Penalties & enforcement
Enforced by the Texas Attorney General. Penalties range from $0 to $7,500 per violation.
Texas provides a 30-day cure period (permanent). The AG must give you written notice of an alleged violation and time to fix it before bringing an enforcement action.
Compliance checklist
Determine whether you qualify as an SBA small business (most e-commerce sellers do not)
Add a 'Your Privacy Choices' or equivalent opt-out link in your site footer
Add the required Texas-specific notice if you sell sensitive personal data: 'NOTICE: We may sell your sensitive personal data.'
Add the required Texas-specific notice if you sell biometric data: 'NOTICE: We may sell your biometric personal data.'
Configure your site to honor Global Privacy Control (GPC) signals
Obtain opt-in consent before processing or selling sensitive personal data
Update privacy policy with TDPSA-required disclosures
Respond to consumer requests within 45 days
Does the TDPSA apply to your business?
Run a free 60-second compliance check across all state privacy laws — including Texas.
BriefStack is for informational purposes only and does not constitute legal advice. For decisions specific to your business, consult a qualified attorney.