
Texas

Privacy Law Status

Comprehensive Privacy Law

Texas has enacted comprehensive data privacy legislation through House Bill 4, known as the Texas Data Privacy and Security Act (TDPSA), which Governor Greg Abbott signed into law on June 18, 2023[1][2]. This landmark legislation makes Texas the tenth state in the United States to pass comprehensive consumer data privacy protections, joining the ranks of California, Colorado, Connecticut, Virginia, and other pioneering states in establishing robust digital rights for residents[3][4]. The TDPSA represents a significant shift in how businesses operating in or serving Texas residents must handle personal information, establishing both fundamental consumer rights and strict business obligations that mirror and in some cases exceed protections found in other state privacy laws.

The law applies broadly to any business that conducts operations in Texas or produces products and services consumed by Texas residents, while processing or engaging in the sale of personal data, with exemptions primarily limited to small businesses as defined by the federal Small Business Administration[1][5]. Unlike many other state privacy laws, the TDPSA notably does not establish revenue thresholds or data processing volume requirements for applicability, potentially capturing a wider range of businesses under its regulatory umbrella[6]. This comprehensive approach reflects Texas’s commitment to ensuring that privacy protections extend across the digital economy, regardless of company size or data processing scale, while still providing practical exemptions for the smallest businesses that may lack resources for full compliance.

Legislative Activity

The Texas Data Privacy and Security Act emerged from the 88th Texas Legislature’s regular session, where it was passed as House Bill 4 following extensive legislative deliberation and stakeholder input[5][7]. The bill successfully navigated the legislative process, including passage through a conference committee on May 28, 2023, before receiving Governor Abbott’s signature on June 18, 2023[2]. This legislative timeline demonstrates the state’s commitment to addressing growing concerns about digital privacy and data security in an increasingly connected world, responding to both constituent demands and the broader national trend toward state-level privacy regulation in the absence of comprehensive federal legislation.

The legislative process reflected careful consideration of balancing consumer protection with business practicality, incorporating lessons learned from privacy laws in other states while addressing unique Texas concerns and priorities. Lawmakers crafted provisions that align with established privacy law frameworks while introducing distinctive elements, such as the broad applicability standard that focuses on business presence rather than revenue thresholds, and specific protections for sensitive data categories including precise geolocation information and biometric identifiers[1][5]. The resulting legislation represents a bipartisan commitment to protecting Texan privacy rights while maintaining the state’s business-friendly environment through reasonable compliance timelines and cure period protections.

Implementation Timeline

The Texas Data Privacy and Security Act became effective on July 1, 2024, with most provisions taking immediate effect on that date[5][8]. However, the law includes a phased implementation approach, with one specific provision regarding consumer opt-out mechanisms through browser settings and device configurations scheduled to take effect on January 1, 2025[2][5]. This staggered timeline allows businesses additional time to implement the more technically complex universal opt-out mechanisms while ensuring that core privacy protections and consumer rights became available immediately upon the law’s effective date.

Since the law’s implementation, the Texas Attorney General’s office has moved aggressively to establish enforcement infrastructure and begin active compliance monitoring. Within the first four and a half months of operation, the Attorney General’s consumer complaint portal received over 1,000 privacy-related complaints, with approximately 63% related to potential TDPSA violations[9]. The Attorney General’s office has established a dedicated Data Privacy Team consisting of nine attorneys, compliance analysts, data analysts, and legal assistants to handle enforcement activities[9]. This rapid implementation and enforcement ramp-up demonstrates Texas’s serious commitment to making the law effective in protecting consumer privacy rights from day one.

Your Rights as a Texas Resident

The Texas Data Privacy and Security Act grants Texas residents comprehensive rights over their personal information, establishing protections that put individuals in control of how their data is collected, used, and shared by businesses. These rights apply to all Texas residents acting in individual or household contexts, though they do not extend to employment or commercial activities.

  • Right to know what data is collected: You have the right to confirm whether a business is processing your personal data and to access detailed information about what personal data has been collected about you, including the sources of that information, the purposes for processing, and the categories of third parties with whom your data is shared[8][10]. Businesses must respond to these requests within 45 days and provide the information in a readily accessible format that allows you to understand exactly what data they hold about you.
  • Right to delete personal information: You can request that businesses delete personal data they have collected about you, whether you provided that information directly or they obtained it from other sources[8][11]. This right applies broadly to personal information held by businesses, though certain exemptions may apply for legal compliance, fraud prevention, or other legitimate business purposes. When you exercise this right, businesses must delete your information and instruct their service providers to do the same.
  • Right to opt out of data sales: You have the right to direct businesses to stop selling your personal data to third parties, including for advertising purposes or other commercial uses[8][10]. This right extends to both traditional data sales and sharing arrangements that may not involve direct monetary exchange but provide value to the business through data sharing partnerships. Beginning January 1, 2025, businesses must also honor opt-out preferences expressed through browser settings or device configurations.
  • Right to correct inaccurate data: When you discover that a business holds inaccurate personal information about you, you have the right to request correction of those errors[8][11]. Businesses must consider the nature of the personal data and the purposes for processing when evaluating correction requests, and they must make reasonable efforts to correct inaccuracies when verification is possible. This right helps ensure that decisions made about you based on your personal data are founded on accurate information.
  • Right to non-discrimination: Businesses cannot discriminate against you for exercising any of your privacy rights under the TDPSA[8]. This means they cannot deny goods or services, charge different prices, provide different quality of service, or otherwise retaliate against you simply because you chose to access, delete, or opt out of certain data processing activities. This protection ensures that privacy rights are meaningful and accessible to all consumers.

Additionally, the law provides special protections for sensitive data, requiring businesses to obtain your explicit consent before processing information that reveals your racial or ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship status, genetic or biometric identifiers, or precise geolocation data[1][5]. Parents and legal guardians can exercise these rights on behalf of children under 13, and the law includes enhanced protections for children’s data consistent with federal COPPA requirements.

Business Requirements

The Texas Data Privacy and Security Act establishes comprehensive obligations for businesses that collect and process Texas residents’ personal data, creating a framework designed to ensure transparency, accountability, and respect for consumer privacy rights.

  • Which companies must comply: The law applies to businesses that conduct operations in Texas or produce products or services consumed by Texas residents, while also processing or engaging in the sale of personal data, excluding only small businesses as defined by the federal Small Business Administration[1][6]. Unlike other state privacy laws, Texas does not set revenue thresholds or data processing volume requirements, potentially capturing more businesses under its requirements. Specific exemptions apply to state agencies, nonprofit organizations, higher education institutions, financial institutions subject to Gramm-Leach-Bliley Act protections, healthcare entities covered by HIPAA, and electric utility companies[1][5].
  • Notice and transparency requirements: Businesses must provide clear, accessible privacy notices that explain their data collection and processing practices, including the types of personal information collected, purposes for processing, categories of data shared with third parties, and whether they sell sensitive personal information[2][8]. These notices must be written in plain language that consumers can easily understand and must be prominently displayed on business websites and mobile applications. Companies must also provide specific additional notices when selling sensitive data or biometric information, ensuring consumers have clear information about these higher-risk processing activities.
  • Consumer request response procedures: Companies must establish at least two secure and reliable methods for consumers to submit privacy rights requests and must respond to these requests within 45 days, with the possibility of a single 45-day extension when reasonably necessary[2][3]. Businesses must also establish an appeals process that is conspicuously available and similar to the initial request process, allowing consumers to challenge denials of their rights requests. When denying requests, companies must provide clear justification and instructions for appealing the decision, and if they deny appeals, they must provide information about how consumers can file complaints with the Texas Attorney General[3].
  • Security and breach notification rules: The law requires businesses to implement reasonable data security practices to protect personal information from unauthorized access, use, or disclosure[5][8]. Companies must assist controllers with security obligations and breach notifications under existing Texas law, ensuring that data protection extends throughout the business relationship chain. Processors must maintain confidentiality obligations and ensure that any subprocessors they engage provide similar protections for personal data, creating accountability throughout the data processing ecosystem.

Businesses must also conduct data protection impact assessments for high-risk processing activities, including profiling that presents reasonably foreseeable risks of unfair or discriminatory treatment, processing sensitive data, or engaging in targeted advertising[12]. These assessments help companies identify and mitigate privacy risks before they impact consumers. The law also requires explicit opt-in consent for processing sensitive data, moving beyond the opt-out model for the most personal categories of information and ensuring that consumers actively agree to such processing rather than having it imposed by default.

Practical Impact

The Texas Data Privacy and Security Act creates meaningful changes in how businesses handle personal information, translating legal requirements into practical protections that affect Texas residents’ daily digital experiences.

  • How these laws protect residents in daily life: The TDPSA provides tangible benefits when you shop online, use social media, search the internet, or interact with apps and websites. Companies must now clearly explain what information they collect about your browsing habits, purchases, location, and personal preferences, and they cannot use sensitive information like health data, biometric identifiers, or precise location without your explicit permission[1][5]. When businesses want to sell your information to data brokers or advertising companies, they must provide easy ways to opt out, and starting in 2025, your browser or device settings can automatically communicate your opt-out preferences[2]. This means less unwanted targeted advertising, fewer invasive data collection practices, and more control over your digital footprint.
  • What to do if rights are violated: If you believe a business has violated your privacy rights under the TDPSA, you can file a complaint through the Texas Attorney General’s online complaint portal, which has already received over 1,000 privacy-related complaints since the law took effect[9]. The Attorney General’s office has established a dedicated privacy enforcement team that investigates violations and can issue civil investigative demands to companies, require disclosure of data protection assessments, and pursue legal action when necessary[12][8]. Before filing formal enforcement actions, the Attorney General must provide businesses with a 30-day cure period to address violations, but companies that fail to cure violations face civil penalties of up to $7,500 per violation[3][8].
  • Limitations and gaps in protection: While the law generally does not provide a private right of action for most violations and relies on Attorney General enforcement, there is a limited right for consumers to seek civil damages specifically for violations involving sensitive data. Additionally, the law exempts small businesses from most requirements, though they still need consent for selling sensitive data, and it excludes employment and business-to-business contexts, meaning workplace privacy remains largely unprotected[1][5]. The law also contains various exemptions for data already regulated by federal laws like HIPAA, FERPA, and the Fair Credit Reporting Act, creating potential gaps where some personal information may have limited protection[5][8].

Despite these limitations, the law represents a significant step forward in privacy protection for Texas residents. The Attorney General’s aggressive enforcement approach, including major settlements with companies like Meta for $1.4 billion and Google for $1.375 billion, demonstrates that the law has real teeth and can produce meaningful accountability for privacy violations[13]. The establishment of a specialized privacy enforcement team and the high volume of consumer complaints suggest that the law is creating new avenues for privacy protection that didn’t exist before, even if the protections aren’t perfect or comprehensive.

Comparison Context

Texas’s approach to data privacy protection places it among the leading states in comprehensive privacy legislation, though with some distinctive features that set it apart from other state privacy regimes.

  • How Texas compares to leading privacy states: Texas’s law shares many core features with privacy laws in California, Virginia, Colorado, and other states, including similar consumer rights to access, delete, and correct personal information, as well as opt-out rights for data sales and targeted advertising[1][4]. However, Texas distinguishes itself through its broad applicability standard that focuses on conducting business in the state rather than revenue thresholds, potentially covering more companies than laws in other states[6]. Texas also provides exclusive enforcement authority to the Attorney General rather than creating private rights of action like California’s law, and it includes unique exemptions for electric utility companies that reflect state-specific concerns[1][3]. The law’s aggressive enforcement approach has quickly established Texas as a national leader in privacy enforcement, with the Attorney General’s office conducting investigations into over 200 companies and achieving record-setting settlements within the law’s first year of operation[13].
  • What residents might be missing compared to other states: Unlike California’s law, Texas does not provide residents with a private right to sue companies for privacy violations, instead relying entirely on Attorney General enforcement[3][8]. California residents also benefit from the California Privacy Rights Act’s more detailed data minimization requirements and stronger protections for cross-context behavioral advertising, while Texas residents must rely on the broader opt-out framework. Some states like California and Colorado have established specialized privacy agencies with dedicated rulemaking authority, while Texas enforcement operates through the existing Attorney General’s office structure[14]. Additionally, California’s law covers a broader range of entities and has been in effect longer, creating more established compliance practices and enforcement precedents that benefit California residents.

Despite these differences, Texas has demonstrated particularly aggressive enforcement compared to most other states with privacy laws. While states like Colorado and Virginia have comprehensive privacy laws, they have not pursued major enforcement actions at the scale seen in Texas[14]. The Texas Attorney General’s focus on major technology companies and data brokers, combined with significant monetary settlements, suggests that Texas residents may actually receive stronger practical protection through enforcement than residents of states with theoretically broader privacy laws but less active enforcement mechanisms. The establishment of specialized privacy enforcement teams and the high volume of consumer complaints processed also indicate that Texas has built more robust administrative infrastructure for privacy protection than many other states.

Action Steps for Residents

Texas residents can take several concrete steps to protect their privacy rights and make the most of the protections available under state law.

  • Immediate steps to protect privacy: Review the privacy notices of websites, apps, and services you use regularly to understand what personal information they collect and how they use it, paying particular attention to data sharing and selling practices that you can opt out of[15]. Update your browser settings and device configurations to express your privacy preferences, especially when universal opt-out mechanisms become required on January 1, 2025[2]. Be especially cautious about sharing sensitive information like precise location data, health information, or biometric identifiers, as these require explicit consent under Texas law and carry higher privacy risks[1][5]. Consider using privacy-focused alternatives for services that collect extensive personal data, and regularly review and adjust privacy settings on social media platforms and mobile apps.
  • How to exercise legal rights: Contact businesses directly to request access to your personal data, request corrections to inaccurate information, or ask for deletion of your data, keeping records of your requests and any responses[15][10]. Many companies now provide web forms or email addresses specifically for privacy requests, and they must respond within 45 days under Texas law[2]. If a company denies your request, use their appeals process to challenge the denial, and if they deny your appeal, you can file a complaint with the Texas Attorney General through their online privacy complaint portal[8]. When exercising opt-out rights, look for “Do Not Sell My Personal Information” links on websites and use those mechanisms to prevent data sales and targeted advertising[15].
  • Resources for staying informed: Monitor the Texas Attorney General’s privacy enforcement actions and consumer alerts to stay informed about emerging privacy threats and company violations[13]. Follow updates from the Texas Department of Information Resources, which provides citizen education about the TDPSA and privacy rights[15][7]. Stay informed about legislative developments by following the Texas Legislature Online system and contacting your state representatives about privacy concerns or suggestions for strengthening privacy protections[16]. Consider subscribing to privacy advocacy organizations’ newsletters and alerts to stay current on best practices for protecting your personal information and changes in privacy law that might affect your rights.

Remember that privacy protection is an ongoing process rather than a one-time action. Regularly review your privacy settings, exercise your rights when appropriate, and stay informed about new privacy threats and protections. The Texas Attorney General’s office encourages residents to report privacy violations and has established infrastructure to handle these complaints, making it important to speak up when you encounter privacy problems that might affect not just you but other Texas residents as well.

Official Resources and Contact Information

Texas Legislature and Representatives

To contact your state legislators about privacy issues or other concerns, you can find your specific representatives through the Texas Legislature’s “Who Represents Me?” system at the Texas Legislature Online website. This system allows you to search by street address, ZIP code, county, or city to identify your Texas Senate and House representatives along with their contact information.

You can write to your state senator at: The Honorable [insert name of Senator], Texas Senate, P.O. Box 12068, Austin, Texas 78711-2068. For House representatives, write to: The Honorable [insert name of Representative], Texas House of Representatives, P.O. Box 2910, Austin, Texas 78768-2910. Phone numbers, room numbers, district office addresses, and email forms are available through individual legislator websites accessible from the main Texas Legislature site.

The Legislative Reference Library maintains a comprehensive list of chief elected officials of Texas, including current contact information for all state legislators. You can access the Texas Legislature Online system and general information about contacting legislators at https://lrl.texas.gov/genInfo/contactleg.cfm.

Texas Attorney General – Privacy Enforcement

The Texas Attorney General’s office has exclusive authority to enforce the Texas Data Privacy and Security Act and maintains dedicated resources for privacy protection and consumer complaints. You can file privacy-related complaints through their online portal, which has been specifically designed to handle TDPSA violations and other privacy concerns.

To file a privacy complaint with the Texas Attorney General, visit their consumer complaint portal and select the Privacy Complaint Form, which is specifically designed for complaints about unlawful collection, sharing, or mishandling of personal information by businesses. The general complaint form can be used for other consumer protection issues. You can access these complaint forms and learn more about the Texas Data Privacy and Security Act at https://www.texasattorneygeneral.gov/consumer-protection/file-consumer-complaint/consumer-privacy-rights/texas-data-privacy-and-security-act.

The Attorney General’s office also maintains general consumer complaint procedures at https://www.texasattorneygeneral.gov/consumer-protection/file-consumer-complaint. When filing complaints, do not include sensitive information like Social Security numbers, dates of birth, or financial account numbers. You should receive a confirmation email within 10 business days with a unique reference number for your complaint.

Texas Department of Information Resources

The Texas Department of Information Resources (DIR) provides educational resources about the Texas Data Privacy and Security Act and helps citizens understand their rights under the law. DIR has published citizen-friendly explanations of privacy rights and maintains current information about law implementation.

You can access information about your privacy rights and the TDPSA implementation through the DIR website at https://dir.texas.gov/technology-legislation/texas-data-privacy-and-security-act. DIR also publishes regular updates and reports on privacy law implementation, including comprehensive reports on the status of TDPSA enforcement and compliance.

For general information about Texas privacy rights, DIR maintains a citizen education page at https://dir.texas.gov/news/know-your-rights-under-texas-data-privacy-and-security-act. This resource explains the key rights available to Texas residents and provides practical guidance on exercising those rights.

Texas State Library and Archives Commission

For general information about state government and legislative processes, the Texas State Library and Archives Commission maintains the Legislative Reference Library, which provides comprehensive information about the Texas Legislature, including how to contact legislators and participate in the legislative process. You can access general legislative information and contact resources at https://www.sll.texas.gov/.

Sources and Citations

Last Updated August 2025. Written with contributions from both human authors and Perplexity AI. If you find incorrect or outdated information let us know at support@optery.com.
