Does the Texas Data Privacy and Security Act apply to your business?
Probably, if you handle Texans' personal data and are not a small business. Unlike California, Texas sets no revenue or data-volume threshold. The TDPSA applies to a person that does business in Texas or produces a product or service consumed by Texas residents, that processes or sells personal data, and that is not a small business as defined by the U.S. Small Business Administration.
This makes the small-business test the practical gatekeeper rather than a dollar figure. The SBA size standards are industry-specific (by revenue or headcount), so applicability turns on your NAICS classification, not a single statewide number. Two further limits matter: the statute reaches only a consumer acting in an individual or household context — not employees or business contacts — and it carries entity-level and data-level exemptions (state agencies, GLBA financial institutions, HIPAA-covered entities, nonprofits, higher education, and FCRA, DPPA, and FERPA data). One carve-out has a sting in its tail: even a small business that is otherwise exempt may not sell sensitive personal data without prior consumer consent.
Sources for this answer
Primary law
A.1 Tex. Bus. & Com. Code § 541.002
The TDPSA applies to a person that does business in Texas or produces a product or service consumed by Texas residents, processes or sells personal data, and is not a small business as defined by the U.S. Small Business Administration — with no revenue or volume threshold.
This chapter applies only to a person that: (1) conducts business in this state or produces a product or service consumed by residents of this state; (2) processes or engages in the sale of personal data; and (3) is not a small business as defined by the United States Small Business Administration, except to the extent that Section 541.107 applies to a person described by this subdivision.
See Tex. Bus. & Com. Code § 541.002(a).
What must your Texas privacy policy contain?
The TDPSA prescribes the contents of the privacy notice directly. A controller must provide a reasonably accessible and clear privacy notice that lists the categories of personal data processed (including any sensitive data), the purposes of processing, how consumers exercise and appeal their rights, the categories of personal data shared with third parties and the categories of those third parties, and a description of the methods for submitting requests.
For a template privacy policy, treat section 541.102 as a checklist: each of its six items must appear on the face of the policy, not be scattered through product UX. Two Texas-specific drafting points go beyond the generic list. First, if you sell personal data to third parties or process it for targeted advertising, you must clearly and conspicuously disclose that processing and how a consumer can opt out of it. Second, if you sell sensitive or biometric personal data, the statute requires the policy to carry fixed, word-for-word notice sentences saying so — there is no room to paraphrase them.
Sources for this answer
Primary law
B.1 Tex. Bus. & Com. Code § 541.102
A controller must provide a reasonably accessible and clear privacy notice listing the categories of personal data processed, the purposes, how to exercise and appeal rights, third-party sharing categories, and the request methods.
A controller shall provide consumers with a reasonably accessible and clear privacy notice that includes: (1) the categories of personal data processed by the controller, including, if applicable, any sensitive data processed by the controller; (2) the purpose for processing personal data;
See Tex. Bus. & Com. Code § 541.102(a).
Primary law
B.2 Tex. Bus. & Com. Code § 541.103
A controller that sells personal data or processes it for targeted advertising must clearly and conspicuously disclose that processing and how a consumer may opt out.
If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose that process and the manner in which a consumer may exercise the right to opt out of that process.
See Tex. Bus. & Com. Code § 541.103.
What must your contracts with processors say?
Whenever a processor handles personal data on your behalf, the TDPSA requires a written contract that governs the processing — making a data processing agreement a statutory requirement, not a best practice.
Section 541.104 then specifies what that contract must contain: clear processing instructions, the nature and purpose of the processing, the types of data and duration, the parties' rights and obligations, and processor commitments to confidentiality, to delete or return data at the controller's direction, to make available the information needed to demonstrate compliance, to cooperate with assessments, and to bind any subcontractors by written contract to the same terms. A compliant template DPA tracks each of these elements.
Sources for this answer
Primary law
C.1 Tex. Bus. & Com. Code § 541.104
Processing carried out by a processor must be governed by a written contract between the controller and the processor.
A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller.
See Tex. Bus. & Com. Code § 541.104(b).
Do you need consent to process sensitive data?
Yes. The TDPSA requires opt-in consent before processing a consumer's sensitive data, and for a known child it requires handling the data in accordance with the federal Children's Online Privacy Protection Act. Sensitive data includes data revealing race or ethnicity, religion, health diagnoses, sexuality, or immigration status; genetic or biometric data used to identify a person; data from a known child; and precise geolocation.
Consent under the statute means a clear affirmative act reflecting a freely given, specific, informed, and unambiguous agreement — so pre-checked boxes and buried terms do not qualify. Selling sensitive data triggers an additional, non-negotiable disclosure: the controller must include the statute's exact sensitive-data and biometric sale-notice sentences in its notice.
Sources for this answer
Primary law
D.1 Tex. Bus. & Com. Code § 541.101
A controller may not process a consumer's sensitive data without consent, and must handle a known child's data in accordance with COPPA.
process the sensitive data of a consumer without obtaining the consumer's consent, or, in the case of processing the sensitive data of a known child, without processing that data in accordance with the Children's Online Privacy Protection Act of 1998 (15 U.S.C. Section 6501 et seq.).
See Tex. Bus. & Com. Code § 541.101(b)(4).
Primary law
D.2 Tex. Bus. & Com. Code § 541.102(b)
A controller that sells sensitive personal data must include a fixed statutory notice to that effect in its privacy notice.
If a controller engages in the sale of personal data that is sensitive data, the controller shall include the following notice
See Tex. Bus. & Com. Code § 541.102(b).
Can a consumer sue your business under the TDPSA?
No. The TDPSA expressly provides that it may not be construed as a basis for, or as being subject to, a private right of action — so consumers cannot sue under it. Enforcement is exclusively the Texas Attorney General's, who may seek civil penalties of up to $7,500 per violation after a 30-day cure period.
The practical consequence is that TDPSA exposure is regulatory, not class-action driven. The Attorney General must give written notice identifying the alleged violations and a 30-day window to cure before suing; a business that cures and certifies it has done so avoids the penalty. That posture is already live — the Attorney General has brought and announced TDPSA actions, including a suit over the covert sale of precise-geolocation driving data — so the cure period is a real off-ramp, not a reason to defer compliance.
Sources for this answer
Primary law
E.1 Tex. Bus. & Com. Code § 541.156
The TDPSA bars any private right of action; only the Attorney General may enforce it.
This chapter may not be construed as providing a basis for, or being subject to, a private right of action for a violation of this chapter or any other law.
See Tex. Bus. & Com. Code § 541.156.
Primary law
E.2 Tex. Bus. & Com. Code § 541.155
After the cure period, a violator is liable for a civil penalty of up to $7,500 per violation, recoverable by the Attorney General.
A person who violates this chapter following the cure period described by Section 541.154 or who breaches a written statement provided to the attorney general under that section is liable for a civil penalty in an amount not to exceed $7,500 for each violation.
See Tex. Bus. & Com. Code § 541.155(a).