TDPSA Explained: What Texas's New Privacy Law Means for Your Online Store

The Texas Data Privacy and Security Act (TDPSA) went into effect on July 1, 2024, and it's one of the broadest state privacy laws in the country. Unlike California's CCPA, which has revenue and consumer-count thresholds, the TDPSA has no minimum revenue requirement — meaning it can apply to businesses of any size.

If you sell anything online and have customers in Texas, you need to pay attention.

Who Does the TDPSA Apply To?

The TDPSA applies to any business that:

Operates in Texas or targets Texas residents, AND
Processes personal data of Texas consumers

That's it. There's no "$25 million revenue" threshold like CCPA. There's no "100,000 consumers" minimum like Virginia's VCDPA. If you collect personal data from people in Texas — and nearly every online store does — the TDPSA likely applies to you.

The only exemptions are for small businesses as defined by the SBA, but even those businesses must comply with data sale and sensitive data provisions.

What Does the TDPSA Require?

1. Privacy Notice

You must provide a clear, accessible privacy policy that discloses:

What categories of personal data you collect
Why you collect it (the "purpose")
What categories of third parties you share data with
How consumers can exercise their rights
Whether you sell personal data or use it for targeted advertising

2. Consumer Rights

Texas consumers have the right to:

Access their personal data
Delete their personal data
Correct inaccurate data
Obtain a copy of their data in a portable format
Opt out of data sale, targeted advertising, and profiling

You must respond to consumer requests within 45 days (with a possible 45-day extension).

3. Opt-Out Requirements

If you sell personal data or use it for targeted advertising, you must:

Provide a clear opt-out mechanism
Honor Global Privacy Control (GPC) signals from browsers
Not use dark patterns to make opting out confusing or difficult

4. Data Protection

You must implement reasonable security measures to protect personal data. This includes:

Encryption of data in transit (HTTPS)
Access controls
Regular security assessments for high-risk processing

5. Sensitive Data

"Sensitive data" under the TDPSA includes:

Racial or ethnic origin
Religious beliefs
Health or mental health data
Biometric data
Geolocation data
Data from children under 13

You cannot process sensitive data without explicit opt-in consent.

How Is the TDPSA Different from CCPA?

| | TDPSA (Texas) | CCPA (California) |

|---|---|---|

| Revenue threshold | None | $25 million |

| Consumer threshold | None | 50,000+ consumers |

| Applies to small stores | Yes | Only if they meet thresholds |

| GPC required | Yes | Yes |

| Right to delete | Yes | Yes |

| Right to opt out of sale | Yes | Yes |

| Enforcement | TX Attorney General | CA Attorney General + private lawsuits |

| Fines | Up to $7,500 per violation | Up to $7,500 per intentional violation |

The key difference: CCPA only catches bigger businesses. TDPSA catches everyone.

What This Means for Your Online Store

If you run a Shopify, WooCommerce, BigCommerce, or Squarespace store and ship to Texas (or have Texas visitors), here's your compliance checklist:

Privacy policy that covers all TDPSA disclosure requirements
Cookie consent banner with opt-out for non-essential cookies
"Do Not Sell or Share" link in your footer if you use advertising trackers
GPC support — your site should detect and honor browser GPC signals
Response process for consumer data requests (access, delete, correct)
Sensitive data consent — explicit opt-in before collecting any sensitive categories

How to Check Your Compliance

The fastest way to see where your store stands is to scan it. ClearConsent checks your site against all 19 active US state privacy laws — including the TDPSA — in under 60 seconds. It detects your trackers, cookies, privacy policy gaps, and missing opt-out mechanisms, then tells you exactly what to fix.

Scan your site free — no signup required.