Texas Privacy Law
Effective July 1, 2024
TDPSA — The Texas Data
Privacy and Security Act
TDPSA gives Texas residents the right to access, correct, delete, port, and opt out of the processing of their personal data — enforceable by the Texas Attorney General with civil penalties up to $7,500 per violation.
What Is TDPSA
Your Texas privacy rights, explained.
The Texas Data Privacy and Security Act (TDPSA) became effective on July 1, 2024, making Texas one of the largest states to grant comprehensive data privacy rights to its residents. Since January 1, 2025, the law also recognizes authorized-agent opt-out signals like Global Privacy Control (GPC), allowing tools and services to submit opt-out requests on your behalf.
Unlike California's Delete Act, Texas did not create a centralized delete registry. You have the right to request deletion — but you still have to exercise it against each data broker individually, or use an authorized agent service that handles the submissions for you.
Your five core rights
Right to Access
Confirm whether a business holds your data and get a copy of what they have.
Right to Correct
Fix inaccurate personal data a business is processing about you.
Right to Delete
Request deletion of personal data a business has collected from or about you.
Right to Portability
Obtain a copy of your personal data in a portable, readily usable format.
Right to Opt Out
Opt out of targeted advertising, sale of personal data, and consequential profiling.
Universal Opt-Out
Since Jan 2025, TDPSA recognizes authorized opt-out signals like Global Privacy Control.
Who has to comply with TDPSA
TDPSA applies to any business that conducts business in Texas or produces products or services consumed by Texas residents. That's a broader test than most state privacy laws — a company doesn't have to be headquartered in Texas to be covered. Small businesses (as defined by the federal Small Business Administration) are generally exempt, but even small businesses must obtain consent before selling sensitive data.
The 45-day response timeline
Businesses must respond to your TDPSA request within 45 days. They may request a single 45-day extension for complex requests, but they must notify you within the original window. After the response window closes, the data must actually be deleted or corrected — not just tagged or de-prioritized.
How It Compares
Texas vs. California: what's different, what's the same
If you've read about California's privacy framework, you'll recognize most of TDPSA's structure. Texas borrowed heavily from Virginia's VCDPA (which in turn borrowed from California). But there are meaningful differences that affect how Texas residents exercise their rights in practice.
Feature
Texas (TDPSA)
California (CCPA + SB362)
Right to Delete
Yes, 45-day response
Yes, 45-day response
Centralized Delete Registry
No — per-broker requests
Yes — DROP (Aug 1, 2026)
Authorized Agent Framework
Opt-out signals (Jan 2025)
Full deletion + opt-out
Universal Opt-Out (GPC)
Required since Jan 2025
Required
Private Right of Action
No — AG only
Limited (breach only)
Max Civil Penalty
$7,500 per violation
$7,500 per intentional
30-Day Cure Period
Yes
Removed Jan 2023
The biggest practical difference: California does the hard work for you via the DROP registry. Texas makes you do it yourself. That's why most Texas residents don't actually exercise their deletion rights — the friction is too high when you're facing 500+ broker opt-out forms. An authorized agent service removes that friction by submitting opt-out requests on your behalf.
Enforcement & Penalties
How TDPSA gets enforced
The Texas Attorney General has exclusive enforcement authority under TDPSA. There is no private right of action — individuals cannot sue businesses directly for TDPSA violations. Instead, the AG investigates complaints and brings enforcement actions.
Before filing an enforcement action, the AG must provide a written notice of the alleged violation and give the company a 30-day cure period. If the violation is not cured within 30 days, or if the written cure statement is false, civil penalties can reach $7,500 per violation, plus reasonable attorney's fees and investigative expenses.
In 2024, the Texas AG notified over 100 companies of apparent failure to comply with the Texas Data Broker Act — a signal that Texas privacy enforcement is active and escalating. The AG has also brought actions against major companies including Allstate for alleged unlawful collection and sale of cell phone location data from 45 million Americans.
The Honest Version
What TDPSA doesn't give you
We believe in plain talk. Here's what TDPSA does not give Texas residents:
- No private lawsuits. Enforcement is AG-only. You cannot personally sue a business for ignoring your TDPSA request.
- No centralized delete system. Unlike California's DROP, there's no one-click "delete from all Texas brokers" infrastructure. Per-broker opt-outs remain the default path.
- Opt-out signals, not full deletion agency. The January 2025 authorized-agent framework covers opt-out signals (stop selling, stop targeted ads) rather than creating the broad deletion-agent role California has.
- 30-day cure period. When a business violates TDPSA, they get 30 days to fix it before penalties apply. That can slow enforcement timelines.
- Small business exemption. Companies meeting the SBA's small business definition are generally exempt from TDPSA — though they still must get consent before selling sensitive data.
These limitations don't make TDPSA ineffective. It's a genuine step forward for Texas privacy rights. But knowing exactly what the law does and doesn't do helps you exercise your rights realistically.