The Texas Data Privacy and Security Act is no longer a future obligation. The Act took effect July 1, 2024, and its last deferred provision, the authorized-agent and universal opt-out mechanism in Section 541.055(e), took effect January 1, 2025. Every operative clause is now live.

That changes the posture question. The question is no longer "when do we need to be ready." It is "are we doing what Chapter 541 of the Business & Commerce Code actually requires, clause by clause."

The TDPSA is often filed under "another Virginia-model state privacy law." Structurally that is fair. But two design choices make it distinct, and both trip up teams who scope it from a comparison chart instead of the text: there is no revenue or processing-volume threshold, and the small-business "exemption" is not a full exemption.

This piece walks the statute as it now stands. Each requirement below traces to a specific section you can pull and read yourself.

Who Does the TDPSA Apply To, and Why Is There No Revenue or Record-Count Threshold?

Most US state privacy laws gate applicability on numbers. California, Colorado, Virginia and the rest tie coverage to revenue figures or to how many consumers' data you process. The TDPSA does not.

Section 541.002(a) sets a three-part test. The chapter applies only to a person that:

  1. conducts business in Texas, or produces a product or service consumed by Texas residents;
  2. processes or engages in the sale of personal data; and
  3. is not a small business as defined by the United States Small Business Administration.

Read part three carefully. The threshold is not a dollar amount or a record count that you control through your own data practices. It is the SBA's size standard, which turns on industry-specific employee counts and revenue figures set by federal regulation. A mid-size firm well under any other state's coverage numbers can be squarely in scope here.

The practical consequence: if you scoped the TDPSA out because you fall under a CCPA or VCDPA threshold, that reasoning does not transfer. The TDPSA asks a different question entirely.

Section 541.002(b) then carves out entity-level exemptions familiar from the model: state agencies and political subdivisions, financial institutions and data subject to the Gramm-Leach-Bliley Act, HIPAA covered entities and business associates, nonprofits, institutions of higher education, and certain electric utilities. These are entity and data exemptions, not a general grace for being small.

What Is the Small-Business Carve-Out, and Why Must Small Businesses Still Get Consent to Sell Sensitive Data?

This is the clause most likely to be misread, and the misread is expensive.

Section 541.002(a)(3) excludes a small business as defined by the SBA. So far that reads like a clean exemption. It is not. The same subsection ends with a carve-back: "except to the extent that Section 541.107 applies."

Turn to Section 541.107. Subsection (a) states that a person described by Section 541.002(a)(3), the small business, may not engage in the sale of personal data that is sensitive data without receiving prior consent from the consumer. Subsection (b) makes a violation subject to the penalty under Section 541.155.

So the accurate framing is this. A small business is relieved of the general controller and processor duties of the chapter. It is not relieved of the sensitive-data sale restriction. If a small business sells sensitive data, it must obtain prior consumer consent, and failure to do so is enforceable on the same penalty footing as any other violation.

Treating the small-business status as a blanket exemption is the kind of loose reading that surfaces during an enforcement inquiry, not before it. The statute drew a single bright line through the exemption, and it runs through sensitive data.

Which Consumer Rights Must Controllers Honor, and on What Response Clock?

Section 541.051(b) sets out the consumer rights a controller must honor on an authenticated request. A consumer may:

→ confirm whether a controller is processing their personal data, and access that data → correct inaccuracies, taking into account the nature of the data and the purposes of processing → delete personal data provided by or obtained about the consumer → obtain a portable copy of data the consumer previously provided, where the data is available in a digital format and to the extent technically feasible → opt out of processing for targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect

The response clock is in Section 541.052(b). A controller must respond without undue delay and no later than the 45th day after receipt of the request. The controller may extend the response period once, by an additional 45 days, when reasonably necessary given the complexity and number of requests, provided it informs the consumer of the extension and the reason within the initial 45-day period.

Two operational points follow directly from the text. First, the extension is not automatic. It is conditioned on notifying the consumer inside the first 45 days. Miss that notice window and you have lost the extension, not merely delayed it. Second, Section 541.052(d) requires the controller to respond free of charge at least twice annually per consumer, with a narrow exception for requests that are manifestly unfounded, excessive, or repetitive, where the controller bears the burden of demonstrating that characterization.

The mechanism for receiving requests matters too. Section 541.055(a) requires a controller to establish two or more secure and reliable methods for consumers to submit requests. Section 541.055(b) prohibits forcing a consumer to create a new account to exercise rights, though an existing account may be required.

How Does the Appeal Process Work, and When Does the Attorney General Enter the Picture?

If a controller declines to act on a request, Section 541.052(c) requires it to inform the consumer, no later than the 45th day after receipt, of the justification for declining and provide instructions on how to appeal under Section 541.053.

Section 541.053 then governs the appeal. The controller must establish an appeal process that is conspicuously available and similar to the process for submitting the original request. Under Section 541.053(c), the controller must inform the consumer in writing of any action taken or not taken on the appeal, no later than the 60th day after receipt of the appeal, including a written explanation of the reasons for the decision.

Section 541.053(d) is the clause that connects the private process to the regulator. If the controller denies an appeal, it must provide the consumer with the online mechanism described by Section 541.152 through which the consumer may contact the attorney general to submit a complaint.

That is the enforcement architecture in miniature. There is no private right of action under the TDPSA. The denied-appeal pathway routes the consumer to the attorney general, who holds the enforcement authority. A controller's appeal-denial language is, in effect, the doorway to a regulator complaint, and it should be drafted with that in mind.

What Counts as Sensitive Data, and When Is Consent Required Before Processing?

Sensitive data carries the heaviest obligation in the chapter, so its boundary matters.

Section 541.001(29) defines sensitive data as a category of personal data that includes:

→ personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status → genetic or biometric data processed for the purpose of uniquely identifying an individual → personal data collected from a known child → precise geolocation data

"Precise geolocation data" is itself defined, in Section 541.001(21), as location data accurate within a radius of 1,750 feet. "Known child" means a child, defined as an individual younger than 13, where the controller has actual knowledge of, or wilfully disregards, the child's age.

The operative duty is in Section 541.101(b)(4). A controller may not process the sensitive data of a consumer without obtaining the consumer's consent. Where the sensitive data is that of a known child, the controller must instead process it in accordance with the Children's Online Privacy Protection Act.

Note the verb. This is consent before processing, not merely consent before sale. The sale restriction in Section 541.107 is the floor that even small businesses sit on. The processing restriction in Section 541.101(b)(4) is the broader rule that binds every controller in scope. And "consent" is not a buried clause in a terms-of-use document. Section 541.001(6) defines it as a clear affirmative act that is freely given, specific, informed, and unambiguous, and expressly excludes acceptance of broad terms of use and agreement obtained through dark patterns.

What Is the Universal Opt-Out / Global Privacy Control Mechanism, and When Did It Take Effect?

This is the provision that took effect later than the rest of the Act, and it is now live.

Section 541.055(e) allows a consumer to designate another person as an authorized agent to opt out, on the consumer's behalf, of the processing of personal data for targeted advertising and the sale of personal data. The designation may be made using a technology, including a link to an internet website, an internet browser setting or extension, or a global setting on an electronic device.

That is the statutory basis for honoring a universal opt-out signal, the Global Privacy Control being the obvious real-world example. A controller must comply with an opt-out request received from an authorized agent if it can verify, with commercially reasonable effort, the identity of the consumer and the agent's authority to act.

Section 541.055(f) constrains how the technology behaves. It may not unfairly disadvantage another controller. It may not use a default setting; it must require the consumer to make an affirmative, freely given, and unambiguous choice to indicate intent to opt out. And it must be consumer-friendly and easy to use by the average consumer.

On timing, be precise. The Act took effect July 1, 2024. Section 7(b) of H.B. No. 4 deferred only Section 541.055(e), the authorized-agent provision, to January 1, 2025. Both dates are now in the past. The universal opt-out obligation is no longer a roadmap item; it is an operative requirement your front-end consent infrastructure has to satisfy today.

What Are the Controller and Processor Duties: Privacy Notice, Data Minimization, Contracts, and Data Protection Assessments?

Beyond rights handling, the chapter imposes standing duties on the data lifecycle itself.

Data minimization and security. Section 541.101(a) requires a controller to limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the disclosed purposes, and to establish and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the data.

Privacy notice. Section 541.102(a) requires a reasonably accessible and clear privacy notice that includes the categories of personal data processed, the purposes of processing, how consumers may exercise and appeal rights, the categories of personal data shared with third parties and the categories of those third parties, and a description of the request methods under Section 541.055. If a controller sells sensitive data, Section 541.102(b) requires the posted notice "NOTICE: We may sell your sensitive personal data." Section 541.102(c) imposes a parallel notice for the sale of biometric data.

Processor contracts. Section 541.104(b) requires that controller-processor processing be governed by a contract specifying clear processing instructions, the nature and purpose of processing, the type of data and duration, the rights and obligations of both parties, and a set of processor commitments: confidentiality, deletion or return of data at the controller's direction, making information available to demonstrate compliance, allowing and cooperating with reasonable assessments, and flowing the same requirements down to any subcontractor by written contract.

Data protection assessments. Section 541.105(a) requires a controller to conduct and document a data protection assessment for each of: processing for targeted advertising, the sale of personal data, profiling that presents a reasonably foreseeable risk of certain enumerated harms, the processing of sensitive data, and any processing that presents a heightened risk of harm to consumers. The assessment must weigh the benefits of processing against the risks to the consumer's rights, as Section 541.105(b) sets out. These assessments are not filed routinely; under Section 541.105(c) a controller must make them available to the attorney general pursuant to a civil investigative demand. Section 541.105(f) allows an assessment conducted for another law of reasonably comparable scope and effect to satisfy this requirement.

That last clause is the bridge to every other regime you operate under. A GDPR DPIA, a Colorado data protection assessment, a Virginia assessment, all overlap heavily with the TDPSA's assessment trigger list. The work is largely the same work. The risk is doing it five times in five tools, with five sets of evidence that drift apart.

Mapping the TDPSA Against the Regimes You Already Carry

The TDPSA is one obligation set among many that touch the same data. Its sensitive-data consent rule, its assessment triggers, its processor-contract terms, and its privacy-notice content all have close analogues in GDPR, in the other US state privacy laws, and in sector rules. The accurate move is not to treat Texas as a standalone project but to see where its requirements are already satisfied by controls you have, and where Texas adds a genuinely new obligation, such as the "We may sell your sensitive personal data" notice or the SBA-based scope test.

That is the case for source-grounded mapping. Every obligation traced to a verbatim quote from the legal text, with overlaps across regimes resolved once rather than re-assessed per framework. No AI hallucinations, no "it depends" that turns out to mean "we did not read the section."

Map your TDPSA obligations against every other privacy regime you are subject to. Answer once, assess everywhere, at aegis-grc.com.

FAQ: TDPSA Scope, Deadlines, and Enforcement

Does the TDPSA have a revenue or data-volume threshold? No. Section 541.002(a) applies the chapter to any person that does business in Texas or serves Texas residents, processes or sells personal data, and is not a small business as defined by the US Small Business Administration. There is no revenue figure or record-count trigger, which distinguishes it from CCPA and the Virginia-model laws.

Are small businesses fully exempt under the TDPSA? No. A small business as defined by the SBA is excluded from the general duties under Section 541.002(a)(3), but Section 541.107 still bars it from selling sensitive data without prior consumer consent, and a violation carries the Section 541.155 penalty.

When did the universal opt-out mechanism take effect? The Act took effect July 1, 2024. The authorized-agent and universal opt-out provision in Section 541.055(e) took effect January 1, 2025 under Section 7(b) of H.B. No. 4. Both are now operative.

How long does a controller have to respond to a consumer request? No later than the 45th day after receipt, under Section 541.052(b), with one permitted 45-day extension if the consumer is informed within the initial 45-day period. Appeals must be answered no later than the 60th day after receipt under Section 541.053(c).

Is there a private right of action under the TDPSA? No. Enforcement runs through the Texas attorney general. On a denied appeal, Section 541.053(d) requires the controller to give the consumer the online mechanism under Section 541.152 to submit a complaint to the attorney general.