TDPSA Compliance Checklist for Texas Businesses in 2026

Infonaligy

The TDPSA is law, the AG is enforcing it, and the next session isn't until 2027. A practical compliance checklist for Texas businesses.

The Texas Data Privacy and Security Act has been in effect since July 2024. Since January 2025, the universal opt-out mechanism requirement has also been active. Enforcement authority rests solely with the Texas Attorney General’s office. The next regular Texas legislative session isn’t until 2027, which means the law on the books today is exactly what you’re being held to for the foreseeable future.

Most Texas businesses with 50 or more employees that collect customer or employee personal data fall under the TDPSA. If your company processes the personal data of Texas residents, you’re almost certainly covered. The question isn’t whether the law applies to you. The question is whether you’ve taken the compliance steps.

Who the TDPSA Covers

The TDPSA applies to any entity that conducts business in Texas or produces a product or service consumed by Texas residents, and that processes or engages in the sale of personal data. Unlike some state privacy laws, it doesn’t have a revenue threshold that exempts smaller businesses. If you’re collecting names, email addresses, browsing behavior, purchase history, or employee records from Texas residents, you’re in scope.

Certain entities are exempt: those already subject to HIPAA, the Gramm-Leach-Bliley Act, or FERPA regulations have carve-outs for data covered under those frameworks. But if you handle any personal data outside those specific regulatory umbrellas, the TDPSA still applies to that data.

The Consumer Rights You Must Support

Under the TDPSA, Texas residents have five core rights regarding their personal data that your business must be able to fulfill:

Right to know. Consumers can ask whether you’re processing their personal data and get a copy of it. You need systems that can identify what data you hold on a specific individual and produce it in a portable format.

Right to correct. If a consumer’s data is inaccurate, they can request corrections. Your systems need a process to receive, verify, and implement correction requests.

Right to delete. Consumers can request deletion of their personal data. This means you need to know where all personal data lives across your systems, including backups and third-party processors.

Right to data portability. When consumers request their data, you must provide it in a readily usable format. PDF dumps of database records don’t satisfy this requirement.

Right to opt out. Consumers can opt out of the processing of their personal data for targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects.

You must respond to verified consumer requests within 45 days, with one 45-day extension if reasonably necessary.

The Universal Opt-Out Requirement

Since January 2025, your website must recognize and honor Global Privacy Control (GPC) browser signals. This is the universal opt-out mechanism specified under the TDPSA. When a user visits your site with GPC enabled in their browser, your site must treat that as a valid opt-out request for targeted advertising and data sales.

This isn’t optional or aspirational. It’s a requirement that’s been active for over a year. If your website uses tracking cookies, advertising pixels, or analytics tools that share data with third parties, and you’re not detecting and honoring GPC signals, you’re in violation right now.

Implementing GPC recognition requires changes to your website’s consent management platform and any tag management systems you use. The technical implementation isn’t complex, but it requires someone who understands how your tracking and analytics stack works.

Data Protection Assessments

The TDPSA requires documented data protection assessments for specific processing activities. You must conduct and maintain assessments for:

  • Processing personal data for targeted advertising
  • Sale of personal data
  • Processing sensitive personal data (racial or ethnic origin, religious beliefs, health data, biometric data, geolocation, data from known children)
  • Profiling that presents a risk of unfair or deceptive treatment, financial or physical injury, or intrusion on solitude or seclusion

These assessments must identify and weigh the benefits of the processing against potential risks to the consumer, factoring in the use of de-identification and other safeguards. They’re not a one-time exercise. As your data processing activities change, your assessments need to be updated.

If you’re processing any sensitive personal data, including employee health information, biometric data from access systems, or precise geolocation from company devices, you need an assessment on file.

The AG Enforcement Reality

The Texas Attorney General has exclusive enforcement authority over the TDPSA. There is no private right of action, meaning consumers can’t sue you directly for violations. However, the AG’s office can impose civil penalties of up to $7,500 per violation, and each affected consumer can constitute a separate violation.

For a business with 500 customers whose data was mishandled, that’s a potential exposure of $3.75 million. The AG’s office has been active in consumer protection enforcement.

With no legislative session until 2027, the AG’s office has a stable regulatory environment to build enforcement cases. They don’t need to wait for new rules or amendments. Everything they need to bring actions is already law.

Your TDPSA Compliance Checklist

This is the practical list you can hand to your IT provider or work through internally. Each item addresses a specific TDPSA requirement.

Privacy Policy and Disclosures

  • [ ] Update your privacy policy to disclose all categories of personal data you process
  • [ ] List the purposes for each category of data processing
  • [ ] Disclose whether you sell personal data or use it for targeted advertising
  • [ ] Provide clear instructions for consumers to exercise their rights
  • [ ] Include contact information for submitting data subject requests
  • [ ] Disclose any third parties you share personal data with, by category

Consumer Rights Infrastructure

  • [ ] Implement a verifiable process for receiving and authenticating consumer requests
  • [ ] Build or configure systems to search, compile, and export a consumer’s personal data
  • [ ] Establish a process for correcting inaccurate personal data across all systems
  • [ ] Create a deletion workflow that covers primary databases, backups, and third-party processors
  • [ ] Set up tracking to ensure responses within the 45-day window
  • [ ] Document your appeals process for denied requests

Universal Opt-Out (GPC)

  • [ ] Audit your website for all tracking technologies (cookies, pixels, tags, analytics)
  • [ ] Implement GPC signal detection on your website
  • [ ] Configure your consent management platform to honor GPC signals automatically
  • [ ] Verify that GPC detection actually suppresses targeted advertising and data sharing
  • [ ] Test the implementation with a browser that has GPC enabled
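As an added example that is not part of the original post, and serving both the Universal Opt-Out Requirement section above and this part of the checklist, the following shows how a site can detect the GPC signal on the server and in the browser and suppress the tag categories the opt-out covers. The tag inventory and purpose labels are constructed for illustration; the `Sec-GPC` request header, the `navigator.globalPrivacyControl` property and the `/.well-known/gpc.json` resource are defined by the GPC specification.

```javascript
// Added example (not from the original post): detect a Global Privacy Control
// opt-out and suppress the tag categories the TDPSA opt-out covers.
// Per the GPC specification, browsers with GPC enabled send the request header
// "Sec-GPC: 1" and expose navigator.globalPrivacyControl === true to scripts.

// Constructed sample tag inventory, standing in for the website audit in the
// checklist. Analytics that shares data with third parties would count as a
// sale and should be classified as such in a real inventory.
const TAG_CATALOG = [
  { id: "session-cookie", purpose: "essential" },
  { id: "first-party-analytics", purpose: "analytics" },
  { id: "ad-network-pixel", purpose: "targeted_advertising" },
  { id: "data-broker-sync", purpose: "sale" },
];

// Purposes a GPC signal opts the visitor out of under the TDPSA: targeted
// advertising and the sale of personal data. Essential operation is unaffected.
const OPT_OUT_PURPOSES = new Set(["targeted_advertising", "sale"]);

// Server-side check. `headers` maps lower-cased header names to values, as
// Node's http module and most frameworks provide them.
function gpcFromHeaders(headers) {
  const value = headers["sec-gpc"];
  return typeof value === "string" && value.trim() === "1";
}

// Client-side check; `nav` defaults to the browser's navigator object.
function gpcFromNavigator(nav = globalThis.navigator) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Decide which tags may fire. A GPC signal is honored even when the visitor
// previously accepted cookies in a banner: a stored preference can add an
// opt-out but never cancel the signal.
function allowedTags(catalog, { gpc, storedOptOut = false }) {
  const optedOut = gpc || storedOptOut;
  return catalog
    .filter((tag) => !(optedOut && OPT_OUT_PURPOSES.has(tag.purpose)))
    .map((tag) => tag.id);
}

// Body for /.well-known/gpc.json, which the GPC specification uses to let a
// site declare that it honors the signal; `lastUpdate` is an ISO 8601 date.
function gpcSupportResource(lastUpdate) {
  return { gpc: true, lastUpdate };
}
```

To verify a deployment as the last checklist item asks, send a request with `Sec-GPC: 1` and confirm that only the ids `allowedTags` returns for the opted-out case actually load.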

Data Protection Assessments

  • [ ] Inventory all processing activities that involve sensitive personal data
  • [ ] Identify any targeted advertising or data sale activities
  • [ ] Document a data protection assessment for each qualifying activity
  • [ ] Include a risk-benefit analysis with consumer impact considerations
  • [ ] Schedule regular reviews as processing activities change

Vendor and Processor Management

  • [ ] Review all vendor agreements for data processing terms
  • [ ] Ensure contracts with data processors include TDPSA-required provisions
  • [ ] Verify that processors can support consumer deletion and access requests
  • [ ] Confirm that processors will honor opt-out signals passed through from your systems
  • [ ] Document the chain of data sharing for each category of personal data

Staff Training and Response

  • [ ] Train customer-facing staff to recognize and route data subject requests
  • [ ] Document internal procedures for each type of consumer request
  • [ ] Assign responsibility for managing and responding to requests within deadlines
  • [ ] Conduct periodic testing of your response processes

How Your IT Provider Fits In

Most of the TDPSA’s requirements have a technical implementation component. Your privacy policy describes what your systems do. Your consumer rights processes depend on your data architecture. The GPC requirement is a website configuration issue. Data protection controls are IT infrastructure decisions.

An IT provider that understands compliance requirements can help you implement the technical controls: configuring consent management platforms, deploying data discovery tools that map where personal data lives, setting up secure processes for handling data subject requests, and monitoring that your security controls remain effective over time.

The companies that handle TDPSA compliance well are the ones that treat it as a technical project with legal requirements, not a legal project with technical footnotes. The data security policy framework you already have in place provides the foundation. The TDPSA adds specific requirements on top of that framework for how you handle Texas residents’ data.

Where Things Stand in 2026

The TDPSA doesn’t have a grace period in 2026. It’s been law for nearly two years. The universal opt-out requirement has been active for over a year. If your website isn’t honoring GPC signals, that’s been a compliance gap since January 2025.

The AG’s enforcement posture means that if they bring cases, they’ll have a large window of non-compliance to point to. Businesses that can demonstrate they’ve been working toward compliance, even if imperfectly, are in a fundamentally different position than businesses that haven’t started.

The compliance checklist above is manageable. Most items are documentation and configuration tasks, not major technology investments. Start with the privacy policy update and the GPC implementation. Those are the most visible gaps. Then work through the AI data governance practices and vendor reviews.

Need Help With TDPSA Compliance?

Our team can help you implement the technical controls for Texas data privacy compliance.
