TDPSA Texas cookie consent and compliance 

Under Texas’s TDPSA, businesses collecting cookie-based personal or sensitive data, especially for profiling, targeted ads, or data sales, must obtain explicit opt-in consent before setting such cookies. Are you prepared for cookie consent and compliance in Texas?

What your business needs to know about TDPSA Texas 

The Texas Data Privacy and Security Act (TDPSA), in effect from July 1, 2024 (with some opt-out requirements effective Jan 1, 2025), grants new consumer data rights and places obligations on businesses handling Texas residents' personal data.

What does TDPSA Texas compliance require? 

To ensure compliance with TDPSA:

Conduct an audit:

Perform a full audit of data collection and sharing practices and identify personal data collected and its purposes

Update privacy policy:

Review and update privacy and cookie policies with TDPSA-specific disclosures.

Implement consent management:

Implement cookie consent banners and universal opt-out mechanisms (e.g., via Global Privacy Control)

Maintain records:

Keep records of consents and DPIAs

Maintain data security:

Keep data secure and report data breaches affecting >250 residents within 30 days

Who needs to comply with the TDPSA Texas?

TDPSA applies to any entity that conducts business in Texas or offers products/services consumed by Texas residents, processes or sells personal data, and is not a small business (per SBA definition: <500 employees).

Exemptions include: state agencies, nonprofits, HIPAA-regulated entities, financial institutions under GLBA, utilities and higher-ed institutions.

Consumer rights under TDPSA Texas

Texas residents have the:

Controllers must respond to consumer requests within 45 days (extendable once by another 45 days) and at least twice per year for free.

Why cookies as part of TDPSA Texas compliance

Under the TDPSA, cookies that enable tracking, profiling or sale require opt-in. Sensitive data, such as precise geolocation, biometric, racial or health information, needs explicit consent before cookies are set. A privacy policy must be in place that discloses cookie use, data categories, purposes, sharing, and consumer rights.

Penalties for TDPSA Texas non-compliance

The Texas Attorney General enforces the law. After giving written notice, an entity has a 30-day cure period, after which uncured violations may result in civil penalties up to 7,500 USD per violation. There is no private right of action for consumers.

How to comply with TDPSA Texas

TDPSA Texas compliance demands that businesses align with data privacy best practice, such as: 

Audit:

Conduct a data audit to identify all cookies and trackers on their websites

Categorize:

Categorize cookies (e.g., necessary, preference, analytics, marketing)

Implement consent management:

Ensure consent banners are implemented correctly with granular choices, enable users to withdraw consent at any time, and maintain consent logs

Check third-party contracts:

Review third-party data-sharing practices 

How CookieHub can help with TDPSA Texas compliance 

A consent management platform like CookieHub automates cookie scanning, classification, consent collection (opt-in/opt-out), consent record storage, and policy updates, making TDPSA compliance measurable and scalable.

Frequently Asked Questions

The Texas TDPSA applies to controllers or processors doing business in Texas (or whose services are consumed by Texans), processing or selling personal data, and not small businesses; excludes nonprofits, state bodies, GLBA/HIPAA entities, utility providers, employment- or B2B-context data.

Any information linked or reasonably linkable to an identified or identifiable individual—e.g., name, IP, cookie IDs, pseudonymous data.

Data revealing race, religion, health, sexuality, citizenship, biometric/genetic information, child data (<13), or precise geolocation (<1,750 ft).

The Texas Attorney General’s Office has sole enforcement authority.

Exempt entities include state agencies, nonprofits, institutions under HIPAA/GLBA, utilities, higher-ed, small businesses (<500 employees) unless they sell sensitive data.

See the Texas AG Office website overview and the full text of the Act for more information.