Texas Privacy Law Overview
Texas enforces one of the broadest comprehensive privacy laws in the country. The Texas Data Privacy and Security Act (TDPSA) took effect on July 1, 2024, and is unusual because it has no revenue or consumer-count threshold — it applies to essentially every business operating in or targeting Texas that is not a federally defined small business. Texas also has an aggressive Attorney General who secured the largest single-state privacy settlement in U.S. history.
The Texas Data Privacy and Security Act (TDPSA)
The TDPSA gives Texans GDPR-style control over their personal data and imposes transparency, consent and data-protection duties on controllers. Its defining feature is reach: rather than a revenue or consumer-number threshold, it applies to any person who conducts business in Texas or produces products or services consumed by Texans, processes or sells personal data, and is not a small business as defined by the U.S. Small Business Administration. Even exempt small businesses may not sell sensitive personal data without consent.
TDPSA: Quick Overview
- Effective Date: July 1, 2024
- Citation: Tex. Bus. & Com. Code ch. 541
- Enforced By: Texas Attorney General
- Maximum Penalty: Up to $7,500 per violation
- Private Right of Action: No (enforcement by the state only)
- Right to Cure: 30 days (permanent right to cure)
Who Must Comply
The TDPSA applies to a business that meets all three of the following criteria:
- Conducts business in Texas or produces products/services consumed by Texas residents, and
- Processes or engages in the sale of personal data, and
- Is not a small business as defined by the U.S. Small Business Administration (no revenue or consumer-count minimum)
What makes Texas different: The absence of any numeric threshold makes the TDPSA one of the widest-reaching state privacy laws — small and mid-sized businesses that would be exempt under California or Virginia law are squarely covered in Texas.
Consumer Rights Under the TDPSA
Texas residents can exercise the following rights over their personal data:
- Right to access / confirm what data is held
- Right to correct inaccurate data
- Right to delete personal data
- Right to data portability
- Right to opt out of targeted advertising
- Right to opt out of the sale of personal data
- Right to opt out of profiling for significant decisions
Sensitive personal data: Businesses must obtain opt-in consent before processing sensitive data (such as health, biometric, precise-geolocation, or demographic data).
Sector-Specific Privacy Laws in Texas
Capture or Use of Biometric Identifier Act (CUBI)
Texas has prohibited the capture of biometric identifiers (fingerprints, voiceprints, retina/iris scans, hand or face geometry) for a commercial purpose without consent since 2009. CUBI carries penalties of up to $25,000 per violation and is enforced by the Attorney General — there is no private right of action.
Data Broker Registration (SB 2105)
Since September 1, 2023, data brokers that process the personal data of Texas residents must register annually with the Texas Secretary of State and maintain reasonable security practices.
Data Breach Notification in Texas
The Texas Identity Theft Enforcement and Protection Act requires businesses to notify affected residents of a breach of sensitive personal information without unreasonable delay and within 60 days of discovery.
- Deadline to notify residents: Without unreasonable delay and no later than 60 days after discovery
- Attorney General notice: Notify the Texas Attorney General if 250 or more Texans are affected, within 30 days
- Covered data: Name combined with sensitive identifiers (SSN, driver's license, financial-account or medical information, and more)
Recent Enforcement in Texas
- Meta biometric settlement (2024): Texas Attorney General Ken Paxton secured a $1.4 billion settlement with Meta over the unlawful capture of facial-geometry data under CUBI — the largest privacy settlement ever obtained by a single state.
- Active TDPSA enforcement: The Attorney General's office has a dedicated data-privacy team and has issued notices to data brokers and large platforms over opt-out and disclosure failures.
Federal Privacy Laws That Apply in Texas
Even where Texas law is silent, residents and businesses are covered by federal privacy statutes:
- HIPAA — health information held by providers, plans and their vendors
- GLBA — privacy and safeguards rules for financial institutions
- FERPA — student education records
- FCRA — consumer reporting agencies and background screening
- COPPA — online collection of data from children under 13
- FTC Act §5 — unfair or deceptive privacy and data-security practices
Texas Privacy Law FAQ
Does the TDPSA apply to small businesses in Texas?
Can I sue a company directly for a TDPSA violation?
What is the difference between CUBI and the TDPSA?
How a Texas Privacy Attorney Can Help
For Businesses
- Build and audit a privacy compliance program
- Draft privacy policies, notices and vendor contracts
- Respond to consumer rights requests
- Manage data-breach response and notification
- Defend regulatory investigations and enforcement
For Consumers
- Enforce your privacy rights against non-compliant businesses
- Pursue or join data-breach litigation
- File complaints with the Texas Attorney General
- Seek damages for identity theft and fraud
- Stop unlawful data sales and unwanted marketing
Need a Texas Privacy Attorney?
Whether you are a business working toward compliance or a Texas resident whose privacy has been violated, our network of Texas-licensed attorneys can help.