December 16, 2025

Texas Data Privacy and Security Act (TDPSA): Website Requirements 2026

Ivan Tsarynny

The applicability thresholds of state privacy laws often hinge on size or scale. TDPSA is different. It sets no revenue thresholds like those in CCPA or CPRA. So if your business operates in Texas or reaches the state’s residents, you’re most likely already in scope.

The law took effect on July 1, 2024, and by January 2025, the universal opt-out obligations became fully enforceable. That transition is what moved TDPSA from a policy update to a website-level requirement.

Even the exemption for small businesses is narrow and disappears if you sell sensitive data.

Once you fall inside that scope, the first compliance checkpoint isn’t your data map. It’s your website. The privacy notice, the opt-out UX, the way you handle browser signals like Global Privacy Control, and the moment you ask for consent to collect sensitive data all become observable evidence. 

What you’ll learn:

  • Why TDPSA applies to most websites and what brings you into scope.
  • What Texas expects your website to disclose, collect, and enforce in real time.
  • How to check your site’s actual behavior and spot compliance gaps early.

TDPSA applicability: Why most websites need to comply

The applicability criteria are pretty straightforward. If Texas residents can access your website, or consume your services, and you collect personal data through analytics, tracking technologies, or online forms, TDPSA likely applies. 

That is because when a page loads for a Texas resident, personal data flows via tracking technologies before anyone fills out a form, as cookies, analytics tags, and session tools start operating immediately. That activity is what TDPSA anchors to.

It also applies to organizations that process or sell personal data and are not considered a small business under the SBA’s industry-specific standards. 

But if you look closer, you’ll find another catch: those SBA thresholds vary by NAICS code, which means two companies of similar size may be treated differently. And even when a company qualifies as a small business, the exemption disappears if it sells sensitive personal data. For many modern digital businesses, that carve-out closes the door quickly.

So if you’ve been using California’s CCPA thresholds as a proxy for TDPSA scope, now is the time to reassess, because you may fall within scope. Texas’s 30 million residents represent a market few businesses can afford to exclude, and compliance is your pass to tap into it.

What are the core website requirements under TDPSA?

TDPSA’s website obligations all sit on a single foundation: knowing exactly what your site collects and why. Every control hinges on it. Sensitive-data consent only works if you know the moment that data is captured. Data minimization depends on removing scripts that don’t serve an articulated purpose. And consumer-rights fulfillment requires accurate records of what was collected and why.

Without clear visibility into browser-side data flows, meeting Texas’s expectations becomes difficult. So let’s zoom in on the obligations that need to be satisfied.

Privacy notice requirements

TDPSA requires a clear, accessible privacy notice that explains what categories of personal data are collected, why they are processed, which third parties receive them, and how consumers can exercise their rights. 

On a website, this means that the notice reflects what the tracking technologies actually do. And because pixels, analytics tags, and embedded tools often collect more than teams realize, the notice needs to be grounded in observed behavior, not an assumed configuration.

Data Minimization

TDPSA requires that you collect only the data you truly need. On a website, that means reviewing every pixel, cookie, and tag to confirm it supports a purpose in your privacy notice. If it doesn’t, it creates a minimization issue. 

Texas focuses on whether the site’s real behavior matches the intent you publish.

Consumer Rights

TDPSA grants all residents of Texas a set of rights over their personal data, such as the right to access their information, correct inaccuracies, delete data they no longer want retained, and request a portable copy. 

These rights are further augmented with the choice to opt out of targeted advertising and the sale of personal data. However, these rights only work if organizations know what they collected and where it went.

That becomes even more crucial because websites need a reliable path to receive these requests and respond within 45 days. Without an accurate picture of what data was collected through the site and where it was moved, responding to these rights becomes guesswork.

Sensitive data consent

TDPSA also places explicit consent requirements on sensitive categories such as health information, precise geolocation, racial or ethnic origin, religious beliefs, and biometric data. 

Thus, if a website collects any of these categories through forms, embedded services, or third-party tools, consent must appear before collection occurs. The timing matters. Texas wants the decision point to precede the data flow, not follow it.

TDPSA’s shift to universal opt-out signals

TDPSA has always given Texans the right to opt out of the sale of personal data and targeted advertising. However, since January 1, 2025, it now also requires businesses to recognize universal opt-out mechanisms for the sale of personal data and targeted advertising. This means honoring Global Privacy Control (GPC) signals sent by consumers’ browsers.

How should your website behave?

TDPSA’s intentions are clear: the opt-out is no longer just a link in a footer. It should be a real-time instruction that the site must enforce the moment the signal appears.

Thus, when a visitor arrives with a universal opt-out signal, advertising and targeting scripts can’t continue operating as usual. Pixels that transmit identifiers must stop. Third-party tags used for audience building or cross-site profiling must be suppressed or reconfigured. 

TDPSA also prohibits dark UX patterns

Texas also expects the opt-out experience to be simple and free of dark patterns. Interfaces cannot steer users toward staying opted in or make it difficult to confirm an opt-out choice. 

The permanent 30-day cure period offers room to fix issues, but it does not excuse designs that frustrate the exercise of rights. And because GPC can be tested from the outside, the website becomes the most visible point of compliance.

This makes your website infrastructure all the more essential. Universal opt-out compliance only works when the browser signal triggers real changes in how the site behaves. Storing a preference is not enough as TDPSA expects the underlying tracking technologies to adjust in real time, which means the business needs infrastructure that connects those signals to the scripts running in the browser. Without that link, the opt-out exists in policy but not in practice. 
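One way to wire the opt-out signal to the scripts themselves, as an added example that is not code from the original page or from any product it mentions. The tag ids, hosts and inventory shape are hypothetical, and the `Sec-GPC` header and `navigator.globalPrivacyControl` property come from the GPC specification, not from this page.

```javascript
// Added example: tag ids, hosts and the inventory shape are hypothetical.
// Purposes that must stop on opt-out follow the page's checklist (assumption).
const OPT_OUT_PURPOSES = new Set(['sale', 'targeted_advertising', 'profiling']);

const TAG_INVENTORY = [
  { id: 'site-analytics', src: 'https://analytics.example/a.js', purposes: ['analytics'], sensitive: false },
  { id: 'ad-pixel', src: 'https://ads.example/pixel.js', purposes: ['targeted_advertising'], sensitive: false },
  { id: 'audience-sync', src: 'https://dmp.example/sync.js', purposes: ['analytics', 'profiling'], sensitive: false },
  { id: 'geo-locator', src: 'https://maps.example/geo.js', purposes: ['store_locator'], sensitive: true },
];

// Server side: GPC arrives as the request header "Sec-GPC: 1" (name is case-insensitive).
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') return String(value).trim() === '1';
  }
  return false;
}

// Client side: the same signal is exposed as navigator.globalPrivacyControl.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide per tag before anything is written into the page or executed.
function decideTags(inventory, { gpc = false, storedOptOut = false, sensitiveConsent = false } = {}) {
  const optedOut = gpc || storedOptOut; // GPC counts the same as a stored opt-out
  const load = [];
  const blocked = [];
  for (const tag of inventory) {
    if (!Array.isArray(tag.purposes) || tag.purposes.length === 0) {
      blocked.push({ id: tag.id, reason: 'no documented purpose' });
    } else if (tag.sensitive && !sensitiveConsent) {
      blocked.push({ id: tag.id, reason: 'sensitive data without opt-in consent' });
    } else if (optedOut && tag.purposes.some((p) => OPT_OUT_PURPOSES.has(p))) {
      blocked.push({ id: tag.id, reason: gpc ? 'GPC opt-out' : 'stored opt-out' });
    } else {
      load.push(tag);
    }
  }
  return { load, blocked };
}

// Only allowed tags are emitted, so blocked ones never reach the browser.
function renderScriptTags(decision) {
  return decision.load
    .map((t) => `<script async src="${t.src}" data-tag="${t.id}"></script>`)
    .join('\n');
}

// Constructed request: a visitor whose browser sends GPC and who has given no sensitive-data consent.
const decision = decideTags(TAG_INVENTORY, { gpc: gpcFromHeaders({ 'Sec-GPC': '1' }) });
console.log(renderScriptTags(decision));
console.log(decision.blocked);
```

A tag with mixed purposes (here `audience-sync`) is blocked as a whole, and the `blocked` list with its reasons can be logged as a record of how each signal was honored.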

TDPSA website compliance checklist

TDPSA doesn’t just mandate controls on paper. It expects the notice, the choices, and the enforcement to reflect the site’s real behavior at that initial point of interaction. So here’s a checklist to help you align your implementation with regulator expectations and build defensible compliance.

| Requirement | Website Implementation | Compliance Check |
| --- | --- | --- |
| Privacy notice | Disclose categories of data collected, their purpose, retention logic, and third-party sharing based on observed browser behavior | Does the notice match what the site collects on load? |
| Purpose specification | Define why data is collected and how each script supports an articulated purpose | Is every script tied to a documented purpose before data is collected? |
| Data minimization | Collect only data that is adequate, relevant, and necessary for stated purposes | Do any tags collect more than their declared purpose allows? |
| Retention governance | Establish and document retention periods for all categories of data collected via the site | Does retention align with what vendors and scripts actually store? |
| Classification of processing (Sale / Targeted Advertising / Profiling) | Classify each script and vendor relationship to determine if their activity constitutes sale, targeted advertising, or profiling | Have you mapped which technologies must stop when GPC is present? |
| Global privacy control / Universal opt-out | Detect and honor browser and device-based opt-out signals; treat them as authorized-agent requests | Does GPC stop ad and targeting scripts in real time? |
| Opt-out mechanism | Provide a simple, accessible opt-out method that avoids dark patterns | Is opt-out as easy as opt-in, and consistent with what the browser actually sees? |
| Sensitive data consent | Gather explicit opt-in consent before collecting sensitive personal data | Does sensitive data collection stay blocked until consent is obtained? |
| Consumer rights response | Provide a way to exercise access, correction, deletion, and portability rights within 45 days | Can you account for all data collected across first- and third-party scripts? |
| Security safeguards | Apply reasonable administrative, technical, and physical safeguards to personal data | Are scripts handling sensitive data appropriately secured? |
| Processor contracts | Use contracts that impose TDPSA-compliant processing limits and security controls. | Do vendor agreements support deletion, access rights, and processing constraints? |

TDPSA mandates radical transparency regarding the data you collect and technical enforcement of a consumer’s right to opt out of the sale of that data or targeted advertising.
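Two of the checklist questions, "Does the notice match what the site collects on load?" and "Does GPC stop ad and targeting scripts in real time?", can be checked against a list of the request URLs a page made while GPC was enabled. The following is an added example, not code from the original page or from any product it mentions; the site domain, the declared inventory and the captured URLs are all constructed.

```javascript
// Added example: hosts, purposes and the captured request list are constructed.
// Purposes that must stop under GPC follow the page's checklist (assumption).
const STOP_ON_GPC = new Set(['sale', 'targeted_advertising', 'profiling']);

// What the privacy notice and tag inventory say runs on the site.
const DECLARED = {
  'analytics.example': ['analytics'],
  'ads.example': ['targeted_advertising'],
  'cdn.example': ['functional'],
};

// Request URLs recorded for one page load with GPC switched on in the browser.
const CAPTURE_WITH_GPC = [
  'https://www.shop.example/',
  'https://cdn.example/lib.js',
  'https://analytics.example/collect?v=1',
  'https://px.ads.example/pixel?uid=abc123',
  'https://sessionreplay.example/rec.js',
  'not a url',
];

// The leading dot keeps "evilads.example" from matching "ads.example".
const sameOrSubdomain = (host, domain) => host === domain || host.endsWith('.' + domain);

function declaredPurposes(host, declared) {
  const match = Object.keys(declared).find((d) => sameOrSubdomain(host, d));
  return match ? declared[match] : null;
}

function auditCapture(siteDomain, declared, urls, { gpc }) {
  const findings = new Map(); // one finding per third-party host
  let skipped = 0;            // entries that are not usable URLs
  for (const raw of urls) {
    let host;
    try {
      host = new URL(raw).hostname.toLowerCase();
      if (!host) throw new Error('no host');
    } catch {
      skipped += 1;
      continue;
    }
    if (sameOrSubdomain(host, siteDomain)) continue; // first party
    const purposes = declaredPurposes(host, declared);
    if (purposes === null) {
      findings.set(host, { host, issue: 'not in privacy notice inventory' });
    } else if (gpc && purposes.some((p) => STOP_ON_GPC.has(p))) {
      findings.set(host, { host, issue: 'fired despite GPC', purposes });
    }
  }
  const sorted = [...findings.values()].sort((a, b) => a.host.localeCompare(b.host));
  return { findings: sorted, skipped };
}

console.log(auditCapture('shop.example', DECLARED, CAPTURE_WITH_GPC, { gpc: true }));
```

Running the same audit on a capture taken without GPC isolates notice mismatches from opt-out failures.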

How AlphaPrivacy AI enables TDPSA compliance

At its core, the Texas Data Privacy and Security Act (TDPSA) requires businesses to be transparent to customers and honor their data privacy rights and opt-out consents. 

This means your controls must be active and preemptive. They need to honor Global Privacy Control (GPC) signals the instant a user arrives and block tracking technologies before they activate.

AlphaPrivacy AI by Feroot bridges the gap. Rather than relying on static policies and controls, our AI-powered platform provides active, continuous governance of your digital footprint. It automatically maps jurisdictional requirements to your client-side environment and dynamically adapts its behavior to remain compliant.

Here is how AlphaPrivacy AI operationalizes TDPSA compliance for your business:

Uncover every tracker to eliminate compliance drift

The TDPSA requires your privacy notice to accurately reflect the specific categories of data you process. However, modern websites are dynamic, often running third-party scripts that change without the marketing team’s knowledge. 

AlphaPrivacy AI continuously monitors your website’s client-side environment, identifying every tracking pixel, analytics tool, and third-party script. This visibility ensures your privacy notice matches your actual data collection processes, eliminating the risk of unintentional non-compliance.

Guarantee true opt-outs with GPC enforcement

Under the TDPSA, recognizing a Universal Opt-Out Mechanism (UOOM) is not optional. Websites have to honor GPC signals by blocking data collection scripts in real time. That’s what AlphaPrivacy AI does.

It turns the opt-out into immediate behavior change, stopping data sharing before it occurs.

Secure sensitive data from unauthorized collection

The TDPSA places strict consent requirements on “sensitive data,” which includes precise geolocation, health-related browsing information, and biometric data. 

AlphaPrivacy AI identifies all attempts by tracking scripts to access these specific high-risk categories and blocks them in real time, ensuring that appropriate consent is obtained before any sensitive data is transmitted to third parties.

Easily scale to a multi-state compliance program

While Texas is a priority, it is likely just one component of your regulatory landscape.

AlphaPrivacy AI automatically maps jurisdictional requirements to your digital footprints, allowing you to comply with varied compliance requirements across states, provinces, and countries. 

In other words, you can comply with CPRA, CPA, CCPA, VCDPA, and TDPSA with no extra hassle using AlphaPrivacy AI. That’s one solution to handle 22+ state laws.

Streamline audits with automated documentation

The Texas Attorney General is authorized to request evidence of your compliance, specifically regarding data protection assessments. AlphaPrivacy AI simplifies this by automatically documenting which technologies operate on your website, how GPC signals are honored, and how consent is enforced.

This provides you with technical proof to support your compliance attestations, turning vague assurances into verifiable evidence for regulators and internal stakeholders.

Know if you’re TDPSA compliant or not. Schedule a demo to see how AlphaPrivacy AI can highlight and fix gaps in your privacy law compliance.

FAQ

Does TDPSA apply to my website if I don’t have a physical presence in Texas?

Yes. TDPSA applies if your website is accessible to Texas residents and collects personal data through tracking technologies, analytics, or forms. Physical presence in Texas is not required. The moment a Texas resident loads your page and cookies, pixels, or analytics scripts activate, you’re processing personal data under TDPSA’s scope. With 30 million residents, Texas is hard to exclude from a digital business model, and the law assumes most websites can’t practically block access by state. If you operate a consumer-facing website with standard tracking technologies, you’re likely covered.

What qualifies as a “small business” exempt from TDPSA?

TDPSA uses SBA industry-specific size standards, which vary by NAICS code. Two companies with similar revenue might be treated differently depending on their industry classification. More importantly, the exemption disappears entirely if you sell sensitive personal data. Since many websites collect health-related browsing data, precise geolocation, or biometric information through third-party tools without realizing it, the small business exemption is narrower than it appears. If you’re relying on this exemption, verify your NAICS code threshold and audit whether any scripts collect sensitive data categories. The safest approach is to assume coverage and build compliant infrastructure.

What is Global Privacy Control (GPC) and how do I honor it under TDPSA?

Global Privacy Control is a browser or device signal that communicates a user’s opt-out preference for data sales and targeted advertising. Under TDPSA (effective January 1, 2025), you must recognize and honor GPC signals automatically. This means when a visitor arrives with GPC enabled, your website must immediately suppress scripts used for targeted advertising, audience building, or cross-site profiling. Simply logging the preference is not enough. The underlying tracking technologies must adjust in real time, stopping data transmission before it occurs. GPC can be tested externally, making this one of the most visible compliance points regulators can verify without accessing your internal systems.

What counts as “sensitive data” under TDPSA and why does it matter?

TDPSA defines sensitive data as health information, precise geolocation (within a 1,750-foot radius), racial or ethnic origin, religious beliefs, biometric data, sexual orientation, citizenship status, genetic data, and data from a known child. The critical distinction is that collecting sensitive data requires explicit opt-in consent before collection occurs. Many websites inadvertently collect sensitive categories through health-related content tracking, precise geolocation via mobile browsers, or biometric data through certain analytics tools. If your site collects any sensitive category, consent must appear before the data flows, not after. This also eliminates the small business exemption if you sell this data, bringing many smaller organizations into full TDPSA scope.

How is TDPSA different from California’s CCPA or CPRA?

TDPSA has no revenue thresholds like California’s $25 million requirement or data volume minimums (50,000 consumers). If you process personal data and aren’t a small business under SBA standards (or if you sell sensitive data), you’re likely covered regardless of size. TDPSA also mandates universal opt-out mechanism recognition (like GPC) rather than making it optional. The law requires that opt-out signals trigger immediate behavioral changes in how scripts operate, not just preference storage. Texas also enforces stricter sensitive data consent requirements, requiring opt-in before collection rather than opt-out after. The practical result is that TDPSA brings more businesses into scope than CCPA while imposing more immediate technical enforcement obligations around opt-out signals.

What happens if I can’t respond to a consumer rights request within 45 days?

TDPSA allows one 45-day extension if the request is complex, but you must notify the consumer of the delay and reason within the initial 45-day period. The challenge is that fulfilling rights requests (access, deletion, correction, portability) requires knowing what data was collected through your website and where it went to third parties. If you can’t map which scripts collected what data or which vendors received it, responding becomes guesswork. Many organizations discover this gap when the first request arrives and they realize they lack visibility into client-side data flows. The solution is implementing continuous monitoring that tracks which technologies operate on your site, what data they access, and where it’s transmitted. Without this foundation, the 45-day window becomes a scramble rather than a routine process.

Does TDPSA have a private right of action or just attorney general enforcement?

TDPSA provides only attorney general enforcement, not a private right of action. However, this doesn’t reduce compliance urgency. Texas provides a 30-day cure period for violations, giving businesses time to remediate after notice from the AG. This cure period is permanent, unlike California’s temporary provision. The absence of private lawsuits reduces class action risk but doesn’t eliminate regulatory scrutiny. The Texas Attorney General can request compliance evidence, particularly data protection assessments and technical proof that GPC signals are honored. Because website behavior is externally observable (especially GPC compliance), the AG doesn’t need to access internal systems to identify potential violations. Consumer complaints can trigger investigations, making your website’s actual behavior your most visible compliance surface.

Can I use my existing cookie consent banner to comply with TDPSA?

It depends on what your banner actually does versus what it appears to do. TDPSA requires that opt-out mechanisms trigger real behavioral changes in how tracking technologies operate, not just log preferences. Many cookie banners store consent choices but don’t actually suppress scripts in real time or honor GPC signals automatically. If a user opts out of targeted advertising but your ad pixels continue firing, you’re not compliant even if the banner looks correct. TDPSA also prohibits dark patterns, meaning the opt-out experience must be as simple as opt-in, without steering users toward accepting cookies. The banner needs to connect to underlying script management that enforces choices immediately. Test your banner’s actual behavior with GPC enabled and verify that targeting scripts stop loading when they should. If your banner is cosmetic rather than functional, it creates liability rather than compliance.