What rights do Texas residents have under the TDPSA?

Under the TDPSA, Texas residents have the right to: Access and confirm whether their personal data is being processed Correct inaccuracies in their personal data Request deletion of personal data Obtain a portable copy of their data Opt out of the sale of personal data, targeted advertising, and certain profiling activities Businesses must provide clear, accessible ways for consumers to exercise these rights.

What notices are required under the TDPSA?

Businesses must provide up-to-date privacy notices explaining: What personal data is collected How the data is used, shared, or sold How consumers can exercise their rights If a business sells sensitive or biometric data, it must also display specific statutory notices, such as: “NOTICE: We may sell your sensitive personal data.”

How does the TDPSA differ from other U.S. privacy laws?

The TDPSA differs from laws like the California Consumer Privacy Act (CCPA) in several important ways, including: Applicability trigger TDPSA: Applies to businesses conducting business in Texas or producing products/services consumed by Texas residents (as a result captures more businesses) CCPA: Applies only if specific revenue, data volume, or revenue-from-data thresholds are met Revenue threshold TDPSA: None (subject to small business exceptions) CCPA: Yes (annual gross revenue exceeding $26.2M for the preceding calendar year) Data minimization standard TDPSA: Data collected and processed must be adequate, relevant, and reasonably necessary. CCPA: Broader purpose limitation, less prescriptive minimization language Sensitive data (including children’s) TDPSA: Opt-in required and display of notice and link if sensitive personal data is sold: “NOTICE: We may sell your sensitive personal data.” CCPA: Opt-in required and display of link if sensitive personal information is processed: “Limit the Use of My Sensitive Personal Information” Enforcement TDPSA: Exclusively by the Texas Attorney General CCPA: California Attorney General and the California Privacy Protection Agency (CCPA or CalPrivacy) Cure period TDPSA: 30-day right to cure. Does not expire. CCPA: Generally none Private right of action (individual lawsuits for violations) TDPSA: No CCPA: Yes (only for data breaches) Small business exemption TDPSA: Yes (independent for-profit companies

Manage privacy requirements of the Texas Data Privacy and Security Act (TDPSA)

Handle privacy notices, opt-outs, and evolving U.S. state privacy rules with the Usercentrics Consent Management Platform (CMP). Display a fully customizable cookie banner that supports Texas TDPSA requirements — without breaking analytics, ads, or revenue.

Start free Contact Sales

What is the TDPSA?

The Texas Data Privacy and Security Act (TDPSA) is a comprehensive consumer privacy law that took effect on July 1, 2024. It governs how businesses collect, process, share, and sell the personal data of Texas residents, granting individuals new rights and placing obligations on covered companies. The TDPSA generally does not rely on revenue or data-volume thresholds, which significantly broadens its scope.

Common TDPSA questions and answers

TDPSA at a glance

Effective date: July 1, 2024
Applies to: Most businesses serving Texas residents (generally no revenue or data-volume thresholds)
Texas consumers have rights of access, correction, deletion, portability, non-discrimination, and to opt out of certain data uses.
Small business carve-out: Many obligations do not apply to qualifying small businesses
Key requirements: Privacy notices, opt-outs, opt-in required for sensitive/children’s data
Enforcement: Texas Attorney General, up to $7,500 per violation
Cure period: Businesses receive a 30-day right to cure after notice before enforcement action

REQUIREMENTS

What does the TDPSA require from businesses?

To meet TDPSA requirements, businesses must provide clear, up-to-date privacy notices that explain how personal data is collected, used, shared, or sold. They must offer easy-to-use opt-out mechanisms, such as a cookie banner, for the sale of personal data, targeted advertising, and certain profiling activities, and obtain affirmative opt-in consent before processing sensitive personal data, including children’s data.
Businesses are also expected to respond to consumer rights requests, and put reasonable security measures in place to protect personal data throughout its lifecycle.

RISKS

What are the risks of ignoring the TDPSA?

Failing to meet TDPSA requirements can expose businesses to enforcement action by the Texas Attorney General, including civil penalties of up to $7,500 per violation. Beyond fines, gaps in consent handling, opt-out controls, or required notices can increase legal exposure, disrupt advertising and data-driven revenue, and undermine customer trust. As privacy expectations rise across the U.S., inadequate data practices may also lead to reputational damage, reduced user engagement, and lost business opportunities in the Texas market.

How a cookie banner helps your website perform

Reliable tracking you can trust

Analytics and ads behave predictably based on real user choices. A well-configured cookie banner helps prevent broken tracking, data gaps, and last-minute fixes — your insights stay dependable.

Less work, fewer surprises

Automatic cookie scanning and updates keep your banner accurate as your site and legal requirements change. Less manual upkeep, fewer headaches, and more time for your team to focus on growth.

A better first impression

A clear, customized cookie banner keeps your visitors informed and gives them clear choices. The result: less friction, more trust, and mitigated legal risk from the very first visit.

Protect revenue as privacy rules change

A flexible cookie banner and consent management platform helps you adapt as privacy expectations and state laws evolve — and as your company grows. You stay in control of tracking and monetization without scrambling to rework setups or risking interruptions.

“Customers appreciate the ability to know what is being shared and that we are transparent with where it’s shared. Our internal teams are satisfied that we now provide users with a solution that helps us reach compliance with US privacy laws and mitigate our exposure to fines related to noncompliance.”

Andrew Scheidl

— Web Developer at DaBella

Read full review

Get your websites and apps ready for Texas privacy rules

Make it easy to provide website visitors and app users with clear notice and real choice — without disrupting analytics or ads. Try Usercentrics for free and address legal and operational risk as privacy expectations evolve.

start free

Your questions answered

Talk to our privacy experts

Usercentrics helps Texas businesses give visitors clear notice and meaningful choice — without slowing down websites or apps, analytics, or advertising. Whether you’re preparing for TDPSA requirements or managing multiple U.S. and global privacy laws, we’ll help you protect your business and find the right setup for your website.

Stable tracking and marketing performance as privacy rules evolve
Automated setup and updates that minimize ongoing maintenance
Address legal and operational risk with a single, scalable platform

Contact sales

Contact chat bubble at the bottom right corner of a chat illustration

Learn more

Checklist

May 29, 2025

Texas Data Privacy and Security Act (TDPSA) Checklist

Our TDPSA compliance checklist will help you achieve and maintain privacy compliance. Build user trust and achieve high opt-in rates.

Article

Feb 7, 2025

U.S. data privacy laws by state: rights and requirements

In 2025 more US state privacy laws will come into effect than in any previous year, though federal legislation remains stalled. We compare what US state-level data privacy laws mean for consumers and businesses.

Article

Jan 16, 2026

COPPA Compliance: key requirements for 2026

Compliance with the Children’s Online Privacy Protection Act (COPPA) is required for any business handling the personal information of children under age 13 in the United States. This article discloses the key provisions of COPPA to help organizations take the necessary steps to achieve and maintain compliance and build trust with families.

Frequently asked questions

The Texas Data Privacy and Security Act (TDPSA) applies to most businesses that conduct business in Texas or offer products or services consumed by Texas residents and that process or sell personal data. Unlike some other U.S. privacy laws, the TDPSA does not include revenue or data-volume thresholds, which means it applies to a much broader range of companies, though it does exclude small businesses as defined by the U.S. Small Business Administration for many obligations.

Under the TDPSA, Texas residents have the right to:

Access and confirm whether their personal data is being processed
Correct inaccuracies in their personal data
Request deletion of personal data
Obtain a portable copy of their data
Opt out of the sale of personal data, targeted advertising, and certain profiling activities

Businesses must provide clear, accessible ways for consumers to exercise these rights.

Violations of the TDPSA may result in civil penalties of up to $7,500 per violation. Before enforcement action is taken, businesses are granted a 30-day period to cure alleged violations after receiving notice. The Texas Data Privacy and Security Act does not provide a private right of action; enforcement is handled exclusively by the Texas Attorney General.

Businesses must provide up-to-date privacy notices explaining:

What personal data is collected
How the data is used, shared, or sold
How consumers can exercise their rights

If a business sells sensitive or biometric data, it must also display specific statutory notices, such as: “NOTICE: We may sell your sensitive personal data.”

The TDPSA differs from laws like the California Consumer Privacy Act (CCPA) in several important ways, including:

Topic	TDPSA	CCPA
Applicability trigger	Applies to businesses conducting business in Texas or producing products/services consumed by Texas residents (as a result captures more businesses)	Applies only if specific revenue, data volume, or revenue-from-data thresholds are met
Revenue threshold	None (subject to small business exceptions)	Yes (annual gross revenue exceeding $26.2M for the preceding calendar year)
Data minimization standard	Data collected and processed must be adequate, relevant, and reasonably necessary.	Broader purpose limitation, less prescriptive minimization language
Sensitive data (including children’s)	Opt-in required and display of notice and link if sensitive personal data is sold: “NOTICE: We may sell your sensitive personal data.”	Opt-in required and display of link if sensitive personal information is processed: “Limit the Use of My Sensitive Personal Information”
Enforcement	Exclusively by the Texas Attorney General	California Attorney General and the California Privacy Protection Agency (CCPA or CalPrivacy)
Cure period	30-day right to cure. Does not expire.	Generally none
Private right of action (individual lawsuits for violations)	No	Yes (only for data breaches)
Small business exemption	Yes (independent for-profit companies <500 employees)	Generally no, subject to revenue requirements