TDPSA

Texas Data Privacy and Security Act

Key Facts

Effective Date: July 1, 2024
Enacted: June 18, 2023
Enforcing Authority: Texas Attorney General
Consent Model: Opt-out
Fulfillment Time: 45 days
Applies To: Any non-small-business (SBA-defined) processing personal data of Texas residents; no revenue or consumer volume thresholds

Overview

The TDPSA is the broadest US state privacy law in terms of applicability — it has no revenue thresholds and no minimum consumer data volume thresholds. Any non-small-business (as defined by the SBA) that processes personal data of Texas residents must comply, capturing far more businesses than any other state law.

What This Means for Your Website

  • GPC signals must be honored (mandatory since January 2025)
  • Opt-in consent is required for sensitive data
  • No revenue or consumer volume thresholds — nearly all businesses are subject
  • Only SBA-defined small businesses are exempt (but cannot sell sensitive data)
  • A permanent 30-day cure period applies before enforcement
  • Consumer requests must be fulfilled within 45 days

Key Requirements

The Texas AG enforces the TDPSA with penalties up to $7,500 per violation. The law's breadth is unique: it applies to individuals as well as businesses, with only SBA-defined small businesses exempt. Honoring Global Privacy Control (GPC) and other universal opt-out mechanism (UOOM) signals has been mandatory since January 2025. Data protection assessments are required for high-risk processing.

How ConsentStack Handles This

ConsentStack detects Texas visitors, honors GPC signals automatically, and applies the TDPSA's opt-out model with opt-in for sensitive data — ensuring compliance with the broadest US state privacy law.

Penalties

Up to $7,500 per violation.

Maximum Fine: USD 7,500 per violation

Key Requirements

  • Honor GPC/universal opt-out signals (mandatory since January 2025)
  • Opt-in consent for sensitive data
  • Privacy notice with required disclosures
  • Consumer rights: access, correct, delete, portability, opt-out
  • Data protection assessments for high-risk processing

Notable Provisions

  • Broadest applicability — no revenue or consumer volume thresholds
  • GPC/UOOM signals must be honored (since January 2025)
  • Applies to individuals as well as businesses
  • Small businesses cannot sell sensitive data

US State Specifics

Cure Period: 30 days
Private Right of Action: No
Global Opt-out Required: Yes
Sensitive Data Opt-in: Yes
Children Provisions: Data of children under 13 is sensitive data and requires opt-in consent.

Other North America Regulations

CPRA (California, United States)
The CPRA is the most comprehensive US state privacy law with a dedicated enforcement agency (CPPA). Cross-context behavioral advertising via cookies constitutes sharing personal information, triggering opt-out obligations. GPC signals must be honored as valid opt-out requests.
PIPEDA (Canada, Federal)
Canada's federal private-sector privacy law based on 10 fair information principles. Requires express consent for sensitive data and implied consent for less sensitive data. OPC guidance addresses cookies and online behavioral advertising. The CPPA replacement bill died January 2025; a new bill is expected.
MODPA (Maryland, United States)
The most restrictive US state privacy law. Sensitive data may only be processed when strictly necessary to deliver a requested service — and sale of sensitive data is completely prohibited even with consent. Under-18 sale and targeted advertising are prohibited regardless of consent. Strictest data minimization in the US.
Quebec Law 25 (Quebec, Canada)
The most GDPR-like privacy law in the Americas. Requires explicit, granular consent per purpose before deploying ANY tracking technology. Implied consent is explicitly prohibited for cookies and tracking. Features extraterritorial scope, mandatory PIAs, and GDPR-level penalties (4% worldwide turnover). The strictest cookie consent requirements in North America.
CPA (Colorado, United States)
Colorado's CPA features the highest per-violation penalties among US state privacy laws at $20,000. Must honor GPC signals since July 2024. Participated in a joint GPC enforcement sweep with California and Connecticut in September 2025. The cure period was eliminated in January 2025.
CTDPA (Connecticut, United States)
Connecticut's CTDPA features a unique consent revocation mechanism for sensitive data and some of the strongest children's data protections. The cure period was eliminated January 2025. The 2025 amendments prohibit sale of children's data or use for targeted advertising even with consent.

Frequently Asked Questions

Why is the TDPSA considered the broadest US state privacy law?

The TDPSA has no revenue or consumer volume thresholds — any non-small-business processing Texas residents' data must comply, capturing far more businesses than any other state.

Must websites honor GPC signals in Texas?

Yes, since January 2025. ConsentStack automatically detects and honors GPC signals for Texas visitors.

Does the TDPSA have a cure period?

Yes. A permanent 30-day cure period applies, giving businesses time to fix violations before enforcement action.

What are the TDPSA penalties?

Up to $7,500 per violation, enforced by the Texas Attorney General.
