RatedWithAI

RatedWithAI

Accessibility scanner

Privacy LawJuly 14, 2026

Texas TDPSA AI Compliance 2026: No Consumer Floor, No Small-Business Pass

Every other state privacy law exempts you until you hit a consumer-count number. Texas doesn't work that way — the Data Privacy and Security Act applies unless you qualify as an SBA-defined small business, and even then the sensitive-data consent rule still reaches you. If your AI product has Texas users, "we're too small" is not the safe assumption it is elsewhere.

No Headcount Floor
Coverage turns on SBA small-business status, not a consumer number
Consent Survives Exemption
Even exempt small businesses can't sell sensitive data without consent
3 Opt-Out Rights
Profiling, targeted advertising, and sale of personal data

Does TDPSA Apply to Your AI Product?

TDPSA applies to a business that conducts business in Texas or produces products or services consumed by Texas residents, processes or engages in the sale of personal data, and does not qualify as a "small business" under the SBA's industry-specific size standards. There is no separate 100,000-consumer or 25,000-consumer trigger like CCPA, VCDPA, or most of the other 2023-25 state laws.

This matters most for early-stage AI SaaS companies that assume a small user base keeps them out of scope. Under TDPSA, the relevant question is your SBA size classification — which is based on employee count or revenue thresholds set per industry code — not how many Texas consumers your product has signed up.

The Small-Business Exemption Has a Hole

A business that does qualify as small under the SBA standard is exempt from most of TDPSA's obligations — but not all of them. Even exempt small businesses cannot sell sensitive data, which under TDPSA includes precise geolocation, biometric and genetic data, health information, and data revealing racial or ethnic origin, religious beliefs, citizenship status, or sexual orientation, without first obtaining the consumer's consent.

For AI companies that monetize inferred sensitive attributes through data partnerships, this means the small-business shield doesn't cover the highest-risk category of data anyway — sensitive-data consent applies regardless of company size.

Profiling opt-out

Consumers can opt out of profiling used to further decisions producing legal or similarly significant effects — credit, employment, housing, healthcare, insurance, and education outcomes.

Targeted advertising opt-out

Consumers can opt out of having their personal data used for targeted advertising, including AI-driven ad personalization models.

Sale of data opt-out

Consumers can opt out of the sale of their personal data to third parties, a category that increasingly includes data-licensing deals with AI model developers.

Universal opt-out mechanism

TDPSA requires businesses to honor a recognized universal opt-out signal (such as Global Privacy Control) for opt-out preference by 2025 for targeted advertising and sale — build this into your consent layer rather than a per-site toggle only.

Biometric Data: A Separate, Stricter Layer

Texas also has its own dedicated biometric statute (the Capture or Use of Biometric Identifier Act, or CUBI), which sits alongside TDPSA and imposes its own consent and retention-limit requirements for biometric identifiers — separate from, and generally stricter than, TDPSA's sensitive-data provisions. AI products doing facial recognition, voiceprint analysis, or biometric verification for Texas users need to satisfy both statutes independently, not just TDPSA's general sensitive-data consent rule.

TDPSA Compliance Checklist for AI Companies

1. Scope Determination
  • Determine your SBA size-standard classification for your specific industry code
  • Don't assume a small Texas user base equals exemption — the trigger is SBA size, not consumer count
  • Reassess SBA status as headcount or revenue changes
2. Sensitive Data (Applies Even If Exempt)
  • Inventory sensitive data categories, including AI-inferred sensitive outputs
  • Confirm no sensitive data sale occurs without explicit prior consent
  • Separately satisfy CUBI's biometric consent and retention-limit rules if using facial or voice recognition
3. Opt-Out Infrastructure
  • Build opt-out flows for profiling, targeted advertising, and data sale
  • Honor recognized universal opt-out signals (e.g. Global Privacy Control)
  • Document which AI-driven decisions fall into the legal-or-significant-effect category
4. Enforcement Readiness
  • Track Texas AG enforcement activity and AI-specific inquiries
  • Retain documentation supporting your scope and exemption determinations
  • Confirm consumer rights request handling meets response-time requirements

See where your AI product is exposed

RatedWithAI helps SaaS and platform teams surface compliance and trust gaps across their web properties. Start with a free scan to understand how your product presents to users and regulators alike.

Scan Your Product for Free →

Frequently Asked Questions

How is TDPSA's scope different from CCPA or VCDPA?

CCPA and VCDPA exempt you until you cross a consumer-count or revenue threshold. TDPSA instead exempts you based on whether you qualify as a small business under SBA size standards for your industry — a classification tied to employee count or revenue that has nothing to do with how many consumers your product has. A tiny AI startup with a huge freemium user base could be SBA-small and exempt from most TDPSA obligations, while a boutique consulting-style AI tool with a small user base but high headcount could be in full scope.

If we're SBA-exempt, do we need to worry about TDPSA at all?

Mostly no, with one exception: the sensitive-data sale consent requirement applies regardless of small-business status. If your AI product processes or monetizes sensitive categories like biometric, health, or precise location data, you still need consumer consent before selling it, even if every other TDPSA obligation is waived.

Does Texas's biometric law (CUBI) replace the need to look at TDPSA?

No — they're separate statutes that both apply. CUBI governs the capture and use of biometric identifiers specifically, with its own consent and retention rules, while TDPSA covers the broader personal data lifecycle including profiling opt-outs and sale restrictions. An AI product doing facial or voice recognition on Texas users needs to satisfy both.

Related Guides