Texas's primary website law is the Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024 — a comprehensive privacy law modeled on Virginia's VCDPA but with a notably lower applicability threshold. Texas also has one of the country's strictest biometric statutes and a 2025 AI governance law.
Last reviewed 2026-06-01 · Risk rating rationale: The TDPSA threshold (processing data of any Texas resident, with limited carve-outs for small businesses) catches far more sites than California's CCPA. The Texas AG has been actively staffing privacy enforcement since 2024.
Key Texas laws affecting websites
The statutes most likely to apply to a commercial website serving Texas residents.
TDPSA — Texas Data Privacy and Security Act · Effective 2024
Applies to: Any person who conducts business in Texas OR produces a product or service consumed by Texas residents, AND processes personal data — with a small-business exemption for entities with fewer than 250 employees and gross revenue under $30M (subject to caveats).
What your website must do
Publish a reasonably accessible, clear, and meaningful privacy notice
Provide consumer rights: access, correction, deletion, portability, and opt-out of sale, targeted advertising, and profiling
Honor universal opt-out signals (Global Privacy Control) by January 1, 2025
For sensitive personal data, obtain opt-in consent before processing
Disclose if you sell sensitive personal data — must say so in capital letters
— Capture or Use of Biometric Identifier Act · Effective 2009
Applies to: Anyone who captures a biometric identifier (retina/iris scan, fingerprint, voiceprint, hand or face geometry) of a Texas resident for a commercial purpose.
What your website must do
Provide notice before capturing the biometric identifier
Obtain consent to the capture
Do not sell, lease, or otherwise disclose the identifier except in narrow exceptions
Destroy the identifier within a reasonable time, not to exceed one year after the purpose ends
Citation: Tex. Bus. & Com. Code § 503.001
TRAIGA — Texas Responsible AI Governance Act · Effective 2026
Applies to: Developers and deployers of high-risk AI systems used to make consequential decisions (housing, employment, financial services, healthcare, education, government services) about Texas residents.
What your website must do
Disclose to the consumer when a high-risk AI system makes a consequential decision about them
Provide an explanation of the principal factors used and their relative importance
Offer a path to human review for adverse decisions
What your site has to disclose, ask consent for, and allow consumers to do with their personal information.
The TDPSA gives Texas residents the standard set of modern privacy rights — access, correction, deletion, portability, opt-out. The notable feature is the broad applicability: unlike Virginia or Colorado, Texas doesn't require a high revenue threshold, so the small-business exemption is the only relief and it's narrower than it sounds.
Practical requirements for your website
Publish a clear privacy notice with the TDPSA-required categories
Provide a Texas-resident-accessible mechanism to exercise their rights
Respond to rights requests within 45 days (one 45-day extension allowed)
Use the specific capitalized disclosure if you sell sensitive personal data
Honor opt-out preference signals (GPC) by January 1, 2025
Obtain opt-in consent before processing sensitive data (precise geolocation, biometric, health, race/ethnicity, sexual orientation, immigration status, religious beliefs, kids' data)
Cookies and tracking
State-specific rule applies
When you need consent, opt-outs, or universal-signal honor for cookies and analytics scripts.
Texas treats most analytics, advertising, and cross-site tracking cookies as falling under the TDPSA's 'targeted advertising' and 'sale' definitions. Users get to opt out, and the universal opt-out (Global Privacy Control) must be honored from January 1, 2025.
Practical requirements for your website
Offer a website opt-out from cookies used for targeted advertising
Honor the Global Privacy Control browser signal
Disclose third-party cookie sharing in the privacy notice
Do not deploy advertising or analytics cookies for users who have opted out
Accessibility (ADA + state)
Federal law applies
WCAG conformance expectations and how the state's accessibility cases tend to be litigated.
Texas doesn't have a state-specific website accessibility statute beyond the federal ADA. Title III ADA actions against websites are filed regularly in the Southern and Northern Districts of Texas. The Texas Disabilities Act (Tex. Hum. Res. Code Ch. 121) tracks federal protections.
Practical requirements for your website
Comply with WCAG 2.1 Level AA as the federal-ADA-compliance benchmark
Provide text alternatives for non-text content
Ensure keyboard navigability
Maintain a documented accessibility statement and remediation route
Cybersecurity and breach response
State-specific rule applies
What 'reasonable security' looks like under state law and how fast you have to notify after a breach.
Texas requires businesses that own or license sensitive personal information to implement and maintain reasonable security measures (Tex. Bus. & Com. Code § 521.052). Breach notification under § 521.053 requires notice within 60 days; breaches affecting 250+ residents must also be reported to the Texas AG.
Practical requirements for your website
Implement reasonable security procedures and practices to protect sensitive personal information
Notify affected residents within 60 days of breach discovery
Notify the Texas AG within 60 days for breaches affecting 250+ residents
Maintain documented incident-response procedures
Email and SMS marketing
State-specific rule applies
How federal CAN-SPAM and TCPA interact with state-level marketing rules in this jurisdiction.
Texas's Bus. & Com. Code Ch. 321 (Electronic Mail Solicitation Act) supplements federal CAN-SPAM with state-level enforcement. Texas residents can sue for $10 per email or $25,000 per day for unsolicited commercial email with falsified headers.
Practical requirements for your website
Use truthful sender information and subject lines
Include a working unsubscribe mechanism that's honored within 10 business days
Include a valid physical postal address in every commercial email
Don't send to recipients who've opted out
AI regulation
State-specific rule applies
Which AI uses the state has chosen to regulate, who's covered, and what the website has to disclose.
The Texas Responsible AI Governance Act (TRAIGA), effective January 1, 2026, requires deployers of 'high-risk AI systems' to disclose AI use, explain decisions, and provide human review. Applicable categories include employment, housing, financial services, healthcare, education, and government services.
Practical requirements for your website
If you deploy AI for consequential decisions about Texas residents: disclose the AI use to the consumer
Provide the principal factors used in the decision
Offer human review of adverse decisions
Conduct and document impact assessments
Frequently asked questions about Texas website compliance
Does my e-commerce site comply with the Texas Data Privacy and Security Act?
If you sell products or services to Texas residents and you don't qualify for the small-business exemption (under 250 employees AND under $30M revenue), you're subject to the TDPSA. Most US e-commerce stores with national reach satisfy the consumer-base requirement automatically. Scantra's free scan checks the visible portion of TDPSA compliance — privacy notice presence, opt-out mechanism, sensitive-data disclosure language.
Do I need a 'Do Not Sell' link if I'm based in Texas?
Yes, if you sell personal data of Texas residents, and effectively yes if you share data with advertising or analytics vendors (the TDPSA's 'targeted advertising' definition is broad). You also need the capitalized disclosure 'NOTICE: We may sell your sensitive personal data' when applicable. The capitalized format is a statutory requirement, not a recommendation.
What about Texas biometric privacy?
Tex. Bus. & Com. Code § 503.001 requires informed consent before capturing biometric identifiers and prohibits sale or disclosure with limited exceptions. The statute applies to face geometry — which means face-recognition login, ID verification photos, and photo-tagging features in social products all need consent flows. Violations carry up to $25,000 per occurrence.
When does the Texas AI law affect my business?
TRAIGA takes effect January 1, 2026, and applies if you deploy a 'high-risk' AI system to make consequential decisions about Texans in housing, employment, financial services, healthcare, education, or government services. If your business is in any of those verticals and uses automated decisioning, the TRAIGA disclosure and human-review obligations apply.
What's the difference between TDPSA and California's CCPA?
Three big differences. First: TDPSA has a much lower applicability threshold — California's $25M/100k-resident triggers don't appear in TDPSA, so smaller businesses are caught. Second: TDPSA requires opt-IN consent for sensitive data, where CCPA only requires the option to opt OUT. Third: TDPSA's enforcement is solely with the Texas AG; CCPA has both the AG and the CPPA agency, plus a private right of action for breaches.
Important: Scantra is a software tool and a non-profit publisher, not a law firm. The summaries on this page are written for general business orientation and reflect the editors' reading of the statutes as of 2026-06-01. They are not legal advice and should not be the only source you rely on for compliance decisions. For your specific situation, consult a licensed attorney in Texas.