
TDPSA: Guide to Requirements + Website Compliance

Get a clear breakdown of Texas Data Privacy and Security Act rules, enforcement timelines, and how to manage third-party scripts correctly.

Dec 18, 2025, 11 min read
Juan Combariza, Growth Marketer

TL;DR:

  • What is TDPSA? The Texas Data Privacy and Security Act (TDPSA) is a state privacy law that gives Texas residents rights over their personal data and requires organizations to implement reasonable security safeguards across the full data lifecycle, including websites and third-party tools.
  • Who does TDPSA apply to? TDPSA applies to organizations that do business in Texas or target Texas residents, process or sell personal data, and do not qualify as a small business under SBA standards.
  • What are the common causes of TDPSA compliance failures? Most failures result from organizations not properly honoring consumer opt-out requests, maintaining incomplete or outdated privacy disclosures, lacking visibility into third-party script data processing, or having no reasonable security safeguards.
  • Why is website monitoring essential for TDPSA compliance? Personal data is often collected, shared, or exposed in the browser by web scripts that your team does not fully control, so monitoring the client side and third-party data trackers is critical to preventing data leakage and demonstrating compliance.

Running a business today means holding the keys to a lot of other people’s information. Since data breaches are no longer rare, regulators are raising the bar on how you handle that information. The Texas Data Privacy and Security Act is one clear example of that shift.

Many companies were already careful, but TDPSA makes protection non-optional and spells out the consequences when safety is ignored. Notably, much of the sensitive data is accessed, processed, or exposed on the client side through browsers and third-party scripts that quietly run on your website. This lack of visibility leaves you susceptible to TDPSA violations.

In this article, we discuss what TDPSA is, whether it applies to your organization, common reasons for TDPSA violations, and why you cannot ignore client-side security for full TDPSA compliance.

What is the Texas Data Privacy and Security Act?

The Texas Data Privacy and Security Act (TDPSA) is a consumer privacy law that gives Texas residents specific rights over their personal information. It was signed into law on June 18, 2023.

It requires organizations (controllers) to limit data collection to only what is needed for a specific “purpose(s)”. The law gives Texans the right to find out whether and how a business is using their personal information. They can also access, correct, delete, or request a copy of their data and choose to opt out of targeted advertising, data sales, and profiling.

TDPSA violations can attract civil penalties of up to $7,500 per violation, and enforcement authority rests exclusively with the Texas Attorney General.

Does TDPSA Apply to My Organization?

[Figure: Simplified eligibility criteria under the Texas Data Privacy and Security Act (TDPSA)]

TDPSA applies to your organization if you meet all three conditions below:

a. You do business in Texas or produce goods or services that residents of Texas consume (this can include online products/services that reach Texas consumers). 

b. You process or sell “personal data” of those Texas residents. Here, personal data means any information linked or reasonably linkable to an identified or identifiable person. Unlike California’s CCPA or Colorado’s CPA, the TDPSA does not include a revenue/consumer-count threshold to determine applicability.

c. You are not a “small business” under the United States Small Business Administration’s rules.

If all three conditions above apply, TDPSA's main privacy protections and business obligations apply to your organization.

Exceptions to TDPSA

Certain entities are exempt regardless of these conditions. These include:

  • State agencies and political subdivisions
  • Nonprofit organizations
  • Institutions of higher education (public or private)
  • Financial institutions regulated by the Gramm-Leach-Bliley Act
  • HIPAA-covered healthcare entities and their business associates
  • Some utility and regulated service providers

What Are The TDPSA Key Requirements?

These are some of the core requirements for organizations under TDPSA: 

Disclose personal data practices clearly

TDPSA requires you to explain what personal data is collected, why it is collected, how it is used, and with whom it is shared. 

You must clearly notify customers about how you will use and process their data in easy-to-understand language.

You must collect explicit opt-in consent before processing sensitive data such as precise geolocation or biometric information. The law prohibits relying on implied, bundled, or buried consent. In other words, the user agreement must be specific and unambiguous.

Respond to consumer rights requests within required timelines

TDPSA enables consumers to access, correct, delete, or obtain copies of their data, and to opt out of specific processing. Organizations receiving any of these requests must fulfill them within 45 days, with only one limited extension when justified.

Enable opt-out from data sales, targeted advertising, and profiling 

Organizations must clearly inform consumers when these activities occur and provide a real, functioning opt-out mechanism that stops the processing. 

Opt-out mechanisms must work across all data flows, including those triggered on the client side. If tracking scripts or pixels continue sending data after an opt-out, the organization remains in violation of TDPSA.

Manage and monitor vendors and processors

Businesses must establish contracts that limit data use and actively oversee vendor behavior. This includes understanding what data processing activities vendors are performing on user website sessions.

The Client-Side is the Modern Privacy Risk Surface

[Figure: Client-side risks for TDPSA, highlighting how browser-side data collection and scripts can affect compliance with the Texas Data Privacy and Security Act]

The client-side has become a primary privacy risk surface for violations of data protection laws such as the TDPSA. This is because most personal data is increasingly collected and transmitted through the user’s browser.

Third-party scripts are a TDPSA privacy compliance risk

Third-party scripts run in a user’s browser but are still the responsibility of the organization that placed them on the site. 

  • Modern organizations run several scripts, most of which are installed by different teams for different purposes.
  • These scripts often run unchecked, collecting personal data such as IP addresses, identifiers, form inputs, or behavioral signals.
  • Under TDPSA, the organization is the “controller” because it decides to use those scripts and benefits from them. Even if a third-party vendor collects the data, the controller remains responsible for how the personal data is “processed.”
  • If scripts collect data beyond what is disclosed in the privacy notice, organizations risk violating TDPSA's purpose limitation and transparency rules, including unintended “targeted advertising” or “data sale”.

Client-side attacks are a TDPSA privacy data breach risk

  • Client-side attacks occur when malicious or compromised code runs in the browser. This can happen through a hacked third-party library, a poisoned script update, or an injected tag.
  • If an organization does not monitor or control what runs on the client side, it may be unable to show that it took reasonable technical steps to protect personal data.
  • Client-side breaches also make it harder to respond to consumer rights requests: if leaked data cannot be traced or deleted, the controller may fail to meet its access, deletion, or opt-out obligations.

Are cookie banners enough for TDPSA compliance?

No, cookie banners alone are not enough for TDPSA compliance. A banner may collect consent, but it has limited control over what scripts actually do once the page loads.

Cookie banners also do not prevent “accepted” cookies & scripts from collecting more data than necessary or sending it to unexpected recipients.

CMPs and cookie banners are valuable elements of a website compliance stack, but on their own they do not address requirements around security safeguards or maintaining visibility into how data is shared across different jurisdictions.

Where TDPSA Compliance Failures Typically Happen

[Figure: Where TDPSA compliance failures happen, showing common breakdown points under the Texas Data Privacy and Security Act]

TDPSA compliance failures generally happen when organizations assume data handling is simpler than it really is. 

In a typical organization, personal data moves through many systems, teams, and vendors, with each handoff introducing risk. Without clear systems and processes to store, handle, and cut off access to this data, organizations run the risk of TDPSA violations.

Below are some common reasons for TDPSA compliance failures:

1. Collecting or selling sensitive data without consent

Many companies collect or sell precise location data and other sensitive information. This sometimes happens without explicit user consent.

With the TDPSA, the state of Texas has attempted to curb this practice. 

Under the law, transparency is paramount. If data is shared with third parties or used for purposes that are not clearly disclosed, the organization is no longer meeting its obligations, even if the omission was unintentional.

One of its first, and also most notable, enforcement actions was when the state's Attorney General sued Allstate and its data arm, Arity, for gathering, using, and selling Texans' cellphone location and movement data without proper permissions.

2. Inadequate Security Safeguards

TDPSA requires reasonable security practices. That includes understanding where data is exposed. Many organizations focus their security efforts on servers and databases, yet ignore integrations, third-party tools, and website elements that process user data.

Those unmonitored surfaces can lead to unintended exposure of sensitive data through misconfigured code or malicious injections that skim PII.

The FTC's actions and guidance on tracking pixels (seen in the GoodRx and BetterHelp cases) show that client-side leakage of health or location information triggers enforcement. 

These are also precisely the kinds of technical failures that TDPSA treats as failures to properly secure and limit data processing.

3. Not being transparent about data sales and targeted advertising

Texas Attorney General Ken Paxton commented on the Allstate case:

“The personal data of millions of Americans was sold to insurance companies without their knowledge or consent in violation of the law. Texans deserve better and we will hold all these companies accountable.”

Even if you exchange consumer personal data for non-monetary value, such as analytics, ad targeting, or enrichment, it still counts as a data sale.

Regulators want to know whether consumers understand that their behavior, location, or other identifiers are being used to profile them or serve targeted ads. If a company does not plainly disclose this processing and offer an opt-out mechanism, Texas treats it as a violation, regardless of whether the company believes the practice is standard marketing.

Vague language like “we may share data with partners” will not suffice. If targeted advertising or data sales occur, they must be explicitly disclosed.

4. Failure to honor opt-out requests

Privacy notices can be deceptive. Many websites tell users they can opt out of data sales or targeted advertising. However, those opt-outs may lead to broken links, non-functional forms, or systems that ignore browser-based signals like Global Privacy Control.

Regulators do not view this as a minor technical issue but a denial of consumer rights. 

The Sephora enforcement action in California illustrates this clearly. 

Sephora told users they could opt out of data sales but continued sending data to advertising partners. Regulators treated this as a violation of consumer rights, requiring the beauty brand to pay a $1.2 million penalty.

Texas is also enforcing similar requirements under TDPSA.
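The two failure modes described above, tags that keep firing after an opt-out and sites that ignore browser signals such as Global Privacy Control, can both be checked with the same logic: gate each third-party tag on the purposes the user has opted out of, then flag any request that still reaches a blocked vendor. This is an added example, not cside's product code; the tag inventory, purpose labels, consent shape and sample requests are constructed for the demo.

```javascript
// Added example (not cside's code): gate third-party tags on consent state and the
// Global Privacy Control signal, then flag requests that still fire after an opt-out.

// Purposes a Texas resident may opt out of under TDPSA.
const OPT_OUT_PURPOSES = ["targeted_advertising", "sale", "profiling"];

// Constructed inventory of tags a site might place, with the purpose each serves.
const TAGS = [
  { src: "https://ads.example-vendor.test/pixel.js", host: "ads.example-vendor.test",
    purposes: ["targeted_advertising", "sale"] },
  { src: "https://stats.example-analytics.test/a.js", host: "stats.example-analytics.test",
    purposes: ["analytics"] },
];

// navigator.globalPrivacyControl is true when the browser sends the Sec-GPC: 1 header.
function gpcSignalled(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Effective opt-outs: the stored choice plus, if GPC is on, every opt-out purpose.
function effectiveOptOuts(consent, nav) {
  const out = new Set(consent.optedOut || []);
  if (gpcSignalled(nav)) OPT_OUT_PURPOSES.forEach(p => out.add(p));
  return out;
}

// A tag may load only if none of its purposes has been opted out of.
function allowedTags(tags, consent, nav) {
  const out = effectiveOptOuts(consent, nav);
  return tags.filter(t => !t.purposes.some(p => out.has(p)));
}

// Post-opt-out check: a request to the host of a blocked tag means the opt-out failed.
function requestsViolatingOptOut(requests, tags, consent, nav) {
  const allowedHosts = new Set(allowedTags(tags, consent, nav).map(t => t.host));
  const tagHosts = new Set(tags.map(t => t.host));
  return requests.filter(r => {
    const host = new URL(r.url).hostname;
    return tagHosts.has(host) && !allowedHosts.has(host);
  });
}

// Constructed sample: the user signalled GPC, but the ad pixel still sent a hit.
const SAMPLE_REQUESTS = [
  { url: "https://ads.example-vendor.test/collect?uid=abc123" },
  { url: "https://stats.example-analytics.test/hit" },
];
const LEAKS = requestsViolatingOptOut(SAMPLE_REQUESTS, TAGS, { optedOut: [] },
  { globalPrivacyControl: true });
console.log(LEAKS.length ? "opt-out violated: " + LEAKS.map(r => r.url).join(", ") : "no leaks");
```

In a real deployment the request list would come from browser telemetry or a synthetic monitoring run with GPC enabled, and the analytics tag would only stay allowed if its purpose is genuinely limited to what the privacy notice discloses.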

Official TDPSA resources

Here are the key official resources where you can read the law and get authoritative guidance on the Texas Data Privacy and Security Act (TDPSA):

  • Texas Attorney General, TDPSA Main Page: The official page from the Office of the Attorney General explaining the Texas Data Privacy and Security Act. It covers the basic overview of rights, obligations, and who must comply.
  • Texas Business and Commerce Code, Chapter 541, Full Statutory Text: The official text of the statute as codified in the Texas Business & Commerce Code. It includes all definitions, consumer rights, controller duties, notice requirements, enforcement rules, and more.
  • Texas State Law Library, TDPSA Background and Links to Bill Text: A public library summary that links to the actual bill text and definitions in Chapter 541 of the Texas Business and Commerce Code.

TDPSA Timelines

June 18, 2023: The Texas Data Privacy and Security Act (TDPSA) was signed into law. 

July 1, 2024: Most provisions of the TDPSA become effective. These include core obligations such as data processing duties, privacy notices, consumer rights responses, data protection assessments, and security requirements.

January 1, 2025: Controllers must recognize universal opt-out methods that allow consumers to use global signals and tools to express their privacy preferences. These may include browser settings, extensions, or device-level opt-out links.

Why TDPSA Was Introduced

TDPSA was introduced to protect the personal data of Texas residents at a time when data breaches have become an everyday reality.

A Texas House Committee Report from November 2022 notes that the threat posed by companies that own and trade consumer data without the consumer’s knowledge is real. It even names specific companies mishandling consumer data. 

This report analyzes privacy laws already passed by other US states, such as California and Virginia, and makes a case for similar legislation in Texas.

In the report’s own words,

“Texas should consider passing legislation that gives consumers more control over their data. Important provisions for a strong law would include consumers having the right to correct and delete their information.”

How cside Helps Organizations Achieve TDPSA Compliance

cside Privacy Watch helps close a major privacy gap that many traditional security tools miss: what actually executes in the user’s browser. 

Visibility Into Website Data Collection

  • cside provides a clear view into which scripts operate on your website, what data they access, and where that data is sent. This helps teams maintain accurate records of data collection and supports clear, up-to-date privacy disclosures.

Data Minimization Through Continuous Monitoring

  • As third-party tools change over time, they can begin collecting more data than originally intended. cside surfaces these changes as they happen, allowing teams to identify unnecessary data collection.

Support for Reasonable Security Safeguards

  • TDPSA requires organizations to implement reasonable measures to protect personal data. cside monitors for suspicious script behavior, unauthorized changes, and data exfiltration patterns to prevent data leaks from client-side attacks.

Oversight of Third-Party Tools

  • Many compliance failures originate with third-party vendors. cside validates that third party scripts are behaving the way they were intended within your privacy expectations.

Audit-Ready Documentation and Evidence

  • cside maintains detailed records of script activity, configuration changes, and data handling behavior. These logs provide defensible evidence that organizations can rely on during audits or regulatory inquiries.

You can start on our free forever plan or book a demo to learn more about the client-side requirements of U.S. state laws like the TDPSA.
