Texas Data Privacy and Security Act (TDPSA)
A practical compliance guide for website owners. Learn what Texas's privacy law requires and how to implement it on your site.
Who Must Comply
Conducts business in Texas or produces products/services consumed by Texas residents, AND is not a small business as defined by the SBA
What Your Website Must Do
| Requirement | Status |
|---|---|
| Cookie consent banner | Recommended |
| Do Not Sell link | Required |
| Do Not Share link | Required |
| Honor GPC browser signals | Required |
| Universal opt-out mechanism | Not required |
| Sensitive data opt-in consent | Required |
Required Links & Notices
The TDPSA requires the following links or notices to be visible on your website:
- 1Do Not Sell or Share My Personal Data
- 2Privacy Policy
Enforcement & Penalties
Key Things to Know
Texas is the second-largest US state and its privacy law (effective July 2024) applies broadly — it covers all businesses except small businesses as defined by the SBA, with no revenue threshold. This means many more businesses are covered compared to California's CCPA.
Notable: Texas requires honoring universal opt-out mechanisms including GPC. The law also has unique provisions for biometric data with a separate private right of action for biometric data violations.
How to Configure LegalBanner for TDPSA
- 1
Create your site
Sign up for free and add your website domain in the dashboard.
- 2
Set consent mode to "Opt-out"
In Settings, select the consent mode that matches Texas's requirements.
- 3
Install the snippet
Add the one-line script tag to your website. The banner, opt-out links, and GPC support are automatic.
- 4
Generate your Privacy Policy
Use the built-in policy wizard to generate a TDPSA-compliant privacy policy.
Set up TDPSA compliance in 5 minutes
LegalBanner handles Texas privacy requirements automatically — cookie banner, opt-out links, and GPC support included.
Frequently Asked Questions
Does the Texas TDPSA require a cookie banner?
The TDPSA does not require opt-in cookie consent. However, you must provide clear opt-out mechanisms for targeted advertising and sale of personal data. A cookie preference center is recommended for compliance.
Does Texas require honoring GPC signals?
Yes. The TDPSA requires controllers to honor universal opt-out mechanisms, which includes GPC signals. This requirement took effect July 1, 2024.
What makes the Texas law different from other state privacy laws?
The TDPSA has no revenue threshold — it applies to all non-small businesses operating in Texas. It also has separate provisions for biometric data with a private right of action, unique among state privacy laws.
What are the penalties for TDPSA violations?
The Texas AG can impose penalties up to $7,500 per violation. Businesses receive a 30-day cure period before enforcement action. There is no general private right of action, except for biometric data violations.
Does the TDPSA apply to small businesses?
No. The TDPSA exempts small businesses as defined by the US Small Business Administration (SBA). The SBA definition varies by industry but generally covers businesses with fewer than 500 employees.