Why the TDPSA Stands Apart from Other US State Privacy Laws

Texas's comprehensive data privacy law, the Texas Data Privacy and Security Act (TDPSA), took effect on 1 July 2024. On paper, it follows the same opt-out model seen in Virginia, Colorado, and Connecticut. In practice, two features set it apart: an unusually broad scope of applicability and an Attorney General who has moved quickly to enforce it.

Most US state privacy statutes gate applicability on revenue or data-processing volume. The TDPSA does neither. If a business conducts operations in Texas or produces a product or service consumed by Texas residents and processes or sells personal data, the law applies.

That breadth matters. Texas has roughly 30 million residents and is home to a vast range of online commerce. A mid-size ecommerce shop with no physical presence in Texas can still fall within the TDPSA's reach if it ships to Texan customers and drops a _fbp or _ga cookie along the way.

Scope and Applicability: No Revenue Threshold

Under laws like the CCPA, a business must meet at least one of several thresholds - annual revenue above 25 million USD, processing data of 100,000 or more consumers, or deriving 50 per cent of revenue from selling personal information. The TDPSA drops all of these.

The only meaningful carve-out is for small businesses as defined by the US Small Business Administration. Even that exemption has a catch: if a small business sells sensitive data, it must still obtain opt-in consent from the consumer before doing so.

State agencies and political subdivisions in Texas are excluded. So are entities already regulated under sector-specific federal laws such as HIPAA and the Gramm-Leach-Bliley Act, provided they comply with those frameworks.

Who Counts as a "Consumer" Under the TDPSA?

A consumer is a Texas resident acting in an individual capacity. The law does not cover individuals acting in a commercial or employment context. Job applicants, employees, and business-to-business contacts fall outside its scope, much like the exemptions found in other state privacy frameworks.

Consumer Rights and Opt-Out Obligations

The TDPSA grants Texas consumers five core rights over their personal data.

| Right | Description | Deadline to Respond |
| --- | --- | --- |
| Access | Confirm whether data is being processed and obtain a copy | 45 days |
| Correction | Request correction of inaccurate personal data | 45 days |
| Deletion | Request deletion of personal data provided by the consumer | 45 days |
| Portability | Obtain data in a portable, readily usable format | 45 days |
| Opt-out | Opt out of sale, targeted advertising, or profiling | 15 days |

The opt-out right is where cookie consent becomes directly relevant. If your site uses tracking cookies for targeted advertising or sells data derived from them, you must provide a clear mechanism for Texan visitors to refuse that processing.

Universal Opt-Out Mechanisms and GPC

From 1 January 2025, businesses subject to the TDPSA must recognise universal opt-out signals such as the Global Privacy Control (GPC). A visitor arriving with the Sec-GPC: 1 header must be treated as having opted out of the sale of personal data and targeted advertising.

Ignoring that signal is not a grey area. The statute explicitly requires recognition of browser-level opt-out preferences. If your cookie management platform does not detect and honour GPC signals, you have a compliance gap.

Consent for Sensitive Data: Opt-In Required

While the TDPSA uses an opt-out model for most personal data, it switches to opt-in consent for sensitive categories. Sensitive data under the TDPSA includes:

  • Racial or ethnic origin
  • Religious beliefs
  • Health diagnosis or mental health data
  • Sexual orientation or citizenship status
  • Genetic or biometric data
  • Precise geolocation (within 1,750 feet)
  • Personal data of a known child

Consent must be a "clear affirmative act" that is freely given, specific, informed, and unambiguous. The law explicitly excludes consent obtained through dark patterns or buried within broad terms of service.

This definition closely mirrors the GDPR standard. Pre-ticked boxes, implied consent through continued browsing, or bundled consent toggles will not satisfy it.

The AG's Enforcement Approach: Fast, Broad, and Well-Resourced

The Texas Attorney General holds exclusive enforcement authority over the TDPSA. There is no private right of action. Unlike the CCPA, consumers cannot sue businesses directly for violations.

That single-enforcer model has not slowed things down. On 13 January 2025, barely two weeks after the 30-day cure period expired, the Texas AG filed the first TDPSA lawsuit against the Allstate Corporation and its subsidiary Arity. The complaint alleged that Arity processed consumers' precise geolocation data without obtaining valid consent and failed to provide a functional opt-out mechanism.

The state sought more than one million USD in monetary relief, including up to 7,500 USD per individual TDPSA violation.

The 30-Day Cure Period - and Its Expiry

When the TDPSA first took effect on 1 July 2024, it included a mandatory 30-day cure period. Before filing an enforcement action, the AG had to issue a written notice of the alleged violation and give the business 30 days to fix it and submit documentation proving the cure.

That automatic cure window expired on 1 January 2025. The AG may still offer a cure opportunity at their discretion, but businesses no longer have a statutory right to one. This places the TDPSA in a more aggressive posture than several other state laws where cure periods remain in effect.

Investigations at Scale

Reports indicate the Texas AG's office has initiated investigations affecting over 100 companies. Areas of focus include AI-driven data collection, geolocation tracking, and processing that affects children or other sensitive populations. The office has also enforced the SCOPE Act, which targets online platforms accessible to minors.

TDPSA Compared with Other State Privacy Laws

The table below highlights how the TDPSA differs from peer statutes on key compliance points.

| Feature | TDPSA (Texas) | CCPA/CPRA (California) | VCDPA (Virginia) |
| --- | --- | --- | --- |
| Revenue threshold | None | 25 million USD | None (volume-based) |
| Data volume threshold | None | 100,000 consumers | 100,000 consumers or 25,000 with 50% revenue from sale |
| Small business exemption | Yes (SBA definition), except for sensitive data sales | No general SMB exemption | No general SMB exemption |
| Private right of action | No | Yes (data breaches only) | No |
| Cure period | Expired 1 Jan 2025 (AG discretion) | Removed under CPRA | Expired 1 Jan 2025 |
| GPC/universal opt-out | Required from 1 Jan 2025 | Required | Not mandated |
| Sensitive data consent | Opt-in | Opt-out with right to limit | Opt-in |

What This Means for Your Website

If your website sets cookies that enable targeted advertising, tracks visitors with tools like Google Analytics 4 or the Meta Pixel, or sells personal data to third parties, the TDPSA applies to you whenever a Texas resident visits.

Practical steps to reduce enforcement risk:

  • Run a cookie scan to identify every cookie and tracking script on your site, including those injected by third-party tags.
  • Ensure your cookie banner provides a genuine opt-out for sale and targeted advertising - not a link that redirects visitors elsewhere.
  • Detect and honour the GPC signal. If a visitor's browser sends Sec-GPC: 1, suppress targeted advertising and data sale cookies automatically.
  • Collect opt-in consent before processing any sensitive data categories, including precise geolocation.
  • Publish a clear privacy notice that discloses what personal data you process, the purposes, and how consumers can exercise their rights.
  • Respond to consumer rights requests within 45 days (15 days for opt-out requests).

The Allstate complaint underscores a specific risk: telling visitors they can opt out while providing a mechanism that does not actually work. The AG treated that as a standalone violation.
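
The GPC handling described under "Universal Opt-Out Mechanisms and GPC" and in the checklist above can be enforced and checked on the server. The following is an added example, not code from Kukie.io or any consent platform; the cookie categories, the session_id cookie and the storedPreference value are assumptions that stand in for your own cookie scan and banner.

```javascript
// Added example (Node.js, no dependencies): honour Sec-GPC on the server and
// verify that the opt-out really removes tracking cookies from the response.

// Constructed sample inventory; category assignments are assumptions.
const COOKIE_INVENTORY = [
  { match: /^session_id$/, category: 'essential' },  // hypothetical first-party cookie
  { match: /^_ga(_.*)?$/, category: 'analytics' },   // _ga and _ga_<container>
  { match: /^_fbp$/, category: 'advertising' },
];

// Categories switched off for an opted-out visitor (assumed site policy).
const SUPPRESSED = new Set(['advertising', 'sale']);

// Node lowercases incoming header names. Only the exact value "1" is a signal.
function hasGpcSignal(headers) {
  const value = headers['sec-gpc'];
  return typeof value === 'string' && value.trim() === '1';
}

// Opted out if the browser sends GPC or the banner stored an opt-out choice.
function isOptedOut(headers, storedPreference) {
  return hasGpcSignal(headers) || storedPreference === 'opt-out';
}

function cookieName(setCookieLine) {
  return setCookieLine.split('=', 1)[0].trim();
}

function categoryOf(name) {
  const entry = COOKIE_INVENTORY.find((e) => e.match.test(name));
  return entry ? entry.category : 'unclassified';
}

// True when a cookie must not reach an opted-out visitor. Unclassified cookies
// count as blocked so a newly injected third-party tag cannot bypass the opt-out.
function isBlocked(name) {
  const category = categoryOf(name);
  return category === 'unclassified' || SUPPRESSED.has(category);
}

// Remove blocked Set-Cookie values from an outgoing response.
function filterSetCookies(setCookieLines, optedOut) {
  if (!optedOut) return setCookieLines.slice();
  return setCookieLines.filter((line) => !isBlocked(cookieName(line)));
}

// Audit check: blocked cookie names still present in an opted-out response.
function leakedCookies(setCookieLines) {
  return setCookieLines.map(cookieName).filter(isBlocked);
}
```

Running leakedCookies over responses captured with Sec-GPC: 1 set gives a repeatable test that the opt-out changes what the site actually sends, rather than only recording a preference.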

Frequently Asked Questions

Does the TDPSA apply to businesses outside Texas?

Yes. The law applies to any entity that conducts business in Texas or produces a product or service consumed by Texas residents, provided it processes or sells personal data. Physical presence in the state is not required.

Is there a revenue threshold for the TDPSA?

No. Unlike the CCPA, the TDPSA does not set a minimum annual revenue. The only general exemption is for small businesses as defined by the US Small Business Administration, and even they must obtain consent before selling sensitive data.

Do I need a cookie banner for Texas visitors?

If your site uses cookies for targeted advertising, profiling, or selling personal data, you must offer Texas visitors a way to opt out. A cookie banner with a clear opt-out mechanism is the most practical approach to meeting this requirement.

Does the TDPSA require opt-in consent for cookies?

Only when cookies process sensitive data, such as precise geolocation or health information. For standard analytics and advertising cookies, the model is opt-out. However, the opt-out mechanism must genuinely stop the tracking, not merely log a preference.

What are the penalties for TDPSA violations?

The Texas Attorney General can seek civil penalties of up to 7,500 USD per violation, injunctive relief, and recovery of attorney fees. In the first enforcement action, the state sought more than one million USD in combined penalties.

Does the TDPSA require recognising Global Privacy Control?

Yes. From 1 January 2025, businesses must treat a GPC signal as a valid opt-out of the sale of personal data and targeted advertising.

Take Control of Your Cookie Compliance

If you are not sure which cookies your site sets or whether your opt-out mechanism actually blocks tracking scripts, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of Texas law.
