The Texas Data Privacy and Security Act (TDSA), effective July 1, 2024, requires data protection assessments for high-risk AI processing and gives Texas consumers the right to opt out of profiling with legal or significant effects.
The TDSA applies to controllers that conduct business in Texas or produce products or services consumed by Texas residents, and that process the personal data of 100,000 or more Texas residents per year, or process the data of 25,000 or more Texas residents and derive more than 25 percent of gross revenue from selling personal data. The Texas Attorney General has exclusive enforcement authority, with civil penalties of up to $7,500 per violation and a 30-day cure period.
Who This Applies To: Controllers processing personal data of 100,000+ Texas residents per year, or processing data of 25,000+ Texas residents and deriving 25%+ gross revenue from selling personal data. Small businesses as defined by the SBA are partially exempt from some provisions. Both in-state and out-of-state companies processing Texas consumer data are covered.
Texas entered the US data privacy landscape with the Texas Data Privacy and Security Act (HB 4, also referred to as TDSA), signed into law on June 18, 2023, and effective July 1, 2024. While the TDSA is primarily a comprehensive data privacy law rather than an AI-specific statute, it contains several provisions directly relevant to companies using artificial intelligence to process Texas consumer data. The AI-related provisions center on profiling rights, data protection assessments for targeted advertising and profiling, and sensitive data requirements that affect AI training and inference.
Texas is the second-largest state by both population and economy, and the TDSA's reach means most national companies with digital operations are likely covered. The law follows the Virginia CDPA model more closely than California's CCPA, emphasizing a controller-processor framework with Attorney General enforcement rather than a dedicated privacy agency. For how Texas compares to other state AI requirements, see our 2026 AI regulatory compliance guide. For California's contrasting approach, see our California AI laws guide.
This guide focuses specifically on the TDSA provisions relevant to AI and automated decision-making, the enforcement structure, and the compliance steps companies need to take to satisfy the law's requirements for AI-involved data processing.
What Texas AI-Related Laws Require
Consumer Rights Related to AI and Profiling
The TDSA grants Texas consumers several rights that directly affect how companies can use AI systems. Consumers have the right to opt out of the processing of personal data for purposes of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. Profiling is defined as any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual, including aspects concerning the individual's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. Consumers also have the right to access their personal data, the right to correct inaccuracies, the right to delete personal data, and the right to data portability. For AI systems, the access and correction rights mean that consumers can request to see what data an AI system holds about them and can correct inaccurate inputs that may affect AI-driven decisions.
Data Protection Assessments for AI Processing
The TDSA requires controllers to conduct and document data protection assessments (DPAs) for processing activities that present a heightened risk of harm to consumers. AI-related activities that trigger DPA requirements include processing personal data for purposes of targeted advertising, processing personal data for purposes of profiling where the profiling presents a reasonably foreseeable risk of unfair or deceptive treatment, financial or physical injury, a physical or other intrusion on the solitude or seclusion of the consumer, and other substantial injury to the consumer. Each DPA must identify and weigh the benefits of the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the consumer, factoring in the use of deidentified data, the reasonable expectations of the consumer, and the context of the processing relationship. DPAs must be made available to the Attorney General upon request during an investigation.
Sensitive Data and AI Training
The TDSA classifies certain categories of personal data as sensitive, requiring affirmative consumer consent before processing. Sensitive data categories include racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, personal data of a known child, and precise geolocation data. For AI systems, this means any model training, fine-tuning, or inference processing that uses sensitive data categories requires prior affirmative consent from the affected consumers. Companies cannot process sensitive Texas consumer data through AI systems based solely on notice-and-opt-out; they must obtain opt-in consent.
Data Minimization and Purpose Limitation
The TDSA requires controllers to limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed. Controllers must not process personal data for purposes that are not reasonably necessary to or compatible with the disclosed purposes, unless additional consent is obtained. For AI systems, this means companies cannot collect broad consumer data for a stated purpose and then repurpose that data for AI model training or profiling without providing additional notice and obtaining consent. This requirement limits the common practice of training AI models on historical consumer data that was originally collected for a different business purpose.
Key Dates and Enforcement Timeline
| Date | Requirement | Who | Status |
|---|---|---|---|
| June 18, 2023 | TDSA signed into law (HB 4) | All covered entities | Complete |
| July 1, 2024 | TDSA takes effect; all provisions enforceable | Controllers and processors | Active |
| July 1, 2024 | Consumer opt-out rights for profiling and targeted advertising must be operational | Controllers | Active |
| July 1, 2024 | Data protection assessments required for high-risk processing including AI profiling | Controllers | Active |
| 2025-2026 | Texas AG enforcement actions expected to increase as awareness and complaint volume grow | All covered entities | Active |
| 2026 Ongoing | Potential amendments as Texas legislature considers AI-specific provisions | All AI deployers | Monitor |
Penalties for Non-Compliance
The TDSA is enforced exclusively by the Texas Attorney General. There is no private right of action, meaning individual consumers cannot sue companies directly under the TDSA. This enforcement-only model is consistent with most state privacy laws outside California and Illinois.
The Attorney General can seek civil penalties of up to $7,500 per violation. As with other state privacy laws, each affected consumer and each violation instance can constitute a separate violation, meaning penalties can scale significantly for companies processing large volumes of Texas consumer data through AI systems. The AG can also seek injunctive relief requiring companies to stop non-compliant processing activities, which for AI systems could mean shutting down a profiling system or halting targeted advertising operations until compliance is achieved.
The TDSA includes a 30-day cure period. Before bringing an enforcement action, the Attorney General must provide written notice identifying the specific provisions alleged to have been violated. The controller then has 30 days to cure the violation. If the violation is cured within the 30-day window and the controller provides the AG with a written statement that the violation has been cured and no further violations will occur, the AG cannot bring an action for that specific violation. Unlike the Colorado AI Act's 90-day cure period, the TDSA's 30-day window is relatively short, requiring companies to have remediation processes ready before a violation notice arrives.
Companies should also note that the Texas AG has historically been active in data privacy enforcement under the Texas Deceptive Trade Practices Act, which remains available as a parallel enforcement tool. AI-related deceptive practices, such as making misleading claims about how AI systems use consumer data, could trigger DTPA enforcement in addition to TDSA penalties.
Compliance Checklist
- ☐ Determine TDSA applicability by verifying processing thresholds (100,000+ Texas residents or 25,000+ residents with 25%+ revenue from data sales)
- ☐ Inventory all AI systems that process Texas consumer personal data and identify those involving profiling or targeted advertising
- ☐ Implement consumer opt-out mechanisms for profiling that produces legal or similarly significant effects
- ☐ Conduct and document data protection assessments for each AI processing activity that involves profiling or targeted advertising
- ☐ Obtain affirmative consent before processing sensitive data categories through AI systems (biometric, health, racial/ethnic, geolocation)
- ☐ Verify data minimization controls ensure AI systems only process personal data adequate, relevant, and reasonably necessary for disclosed purposes
- ☐ Build consumer rights fulfillment workflows for access, correction, deletion, and portability requests related to AI-processed data
- ☐ Establish a 30-day cure process with pre-built remediation playbooks for rapid response to AG violation notices
Texas's AG-enforcement model and 30-day cure period create a narrower risk window than states with private rights of action, but the $7,500 per-violation penalty and the AG's enforcement track record make compliance essential. Contact PolicyGuard for help mapping TDSA requirements to your AI operations.
How PolicyGuard Helps
PolicyGuard helps organizations comply with the TDSA's AI-related requirements through targeted capabilities:
- AI Processing Inventory: PolicyGuard identifies and catalogs all AI systems processing Texas consumer data, classifying each by risk level based on whether the system involves profiling, targeted advertising, or sensitive data processing. This inventory forms the foundation for determining which systems require data protection assessments.
- Data Protection Assessment Workflow: PolicyGuard provides DPA templates aligned to the TDSA's required balancing test, walking your team through benefit-risk analysis, deidentification evaluation, and consumer expectation assessment. Completed DPAs are stored with version history and can be produced to the Attorney General upon request.
- Consumer Rights Automation: PolicyGuard integrates TDSA consumer rights, including profiling opt-out, into your existing privacy request workflow. When a Texas consumer exercises their right to opt out of profiling, PolicyGuard routes the request to the appropriate AI system owners, tracks fulfillment, and documents compliance.
- Sensitive Data Consent Management: PolicyGuard tracks consent status for sensitive data processing across all AI systems, ensuring that no AI system processes sensitive Texas consumer data without documented affirmative consent. The platform alerts compliance teams when new AI tools or features introduce sensitive data processing that lacks required consent.
- Cure Period Readiness: PolicyGuard maintains a remediation playbook for TDSA violations, enabling your team to respond to AG notice letters within the 30-day cure window. Pre-built remediation workflows for common violation types mean your team can act immediately rather than spending the cure period determining what needs to be fixed.
FAQ
Does the TDSA apply to all businesses operating in Texas?
No. The TDSA applies to entities that conduct business in Texas or produce products or services consumed by Texas residents, and that process the personal data of 100,000 or more Texas residents per year, or process the data of 25,000 or more Texas residents and derive more than 25 percent of gross revenue from selling personal data. Small businesses as defined by the US Small Business Administration are exempt from certain provisions, though not from all TDSA requirements. Companies below these thresholds are not covered by the TDSA, though they may still face obligations under the Texas Deceptive Trade Practices Act for misleading AI-related representations.
What qualifies as profiling under the TDSA?
Profiling is defined as any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual. This includes AI systems that assess work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. The opt-out right specifically applies to profiling that produces decisions with legal or similarly significant effects on the consumer. Routine personalization of website content or product recommendations may constitute profiling but may not rise to the level of producing legal or similarly significant effects.
How detailed must data protection assessments be?
The TDSA requires DPAs to identify and weigh the benefits of the processing against the potential risks to consumers. The assessment must consider the use of deidentified data, the reasonable expectations of the consumer, the context of the processing, and the relationship between the controller and consumer. DPAs should be thorough enough to demonstrate genuine analysis rather than perfunctory compliance, as the AG can request them during investigations. Best practice is to document the specific AI system, its data inputs, the profiling or targeting logic, the consumer benefits, the identified risks, and the safeguards implemented to mitigate those risks.
Can we use Texas consumer data to train AI models?
The TDSA's data minimization and purpose limitation requirements mean you can only process personal data for purposes reasonably necessary to or compatible with the disclosed purposes of collection. If you collected consumer data for order fulfillment and now want to use it for AI model training, you need to assess whether model training is compatible with the original purpose. If it is not compatible, you must provide additional notice to the consumer and obtain consent before using their data for training. Sensitive data categories always require affirmative opt-in consent regardless of the original collection purpose.
How does the TDSA compare to other state privacy laws for AI compliance?
The TDSA follows the Virginia CDPA model with AG-only enforcement, a 30-day cure period, and a controller-processor framework. Compared to California, the TDSA has higher applicability thresholds and no dedicated enforcement agency. Compared to Colorado's AI Act, the TDSA is a general privacy law with AI-relevant provisions rather than an AI-specific statute. Compared to Illinois BIPA, the TDSA has no private right of action, making litigation risk lower. Companies operating across multiple states should build a compliance program that satisfies the most demanding requirements and then adapts to each state's specific provisions. See our AI policy governance guide for framework approaches.
Texas's AI regulatory environment is still developing, and the legislature may add AI-specific provisions in future sessions. Companies that build strong TDSA compliance programs now will be positioned to absorb additional requirements as they emerge. Talk to PolicyGuard about building a Texas compliance program that covers current requirements and adapts to future legislation.









