TermsBuilder
Back to Blog
March 26, 2026Updated March 27, 202610 min read

Texas Data Privacy and Security Act and What It Changes in Your Privacy Policy

Texas can require specific notice text and a clear opt out path when data sales, targeted advertising, or sensitive data are in scope.

Texas is one of the clearest state privacy laws for privacy policy drafting. The Texas Data Privacy and Security Act follows the omnibus pattern and also requires specific notice language in some situations.

When Texas applies, the law reaches the rights section, the appeal section, targeted advertising disclosures, and the notice text for sensitive or biometric data sales.

For online businesses using targeted advertising, data sales, or sensitive data, Texas requires a page and workflow that match the statute.

Coverage and the small business carveout come first

Texas starts from a different coverage structure than many other omnibus statutes. The law generally applies to a person that conducts business in Texas or produces a product or service consumed by Texas residents, processes or engages in the sale of personal data, and falls outside the small business definition used by the United States Small Business Administration.

The small business carveout is important, and Texas separately addresses small businesses that sell sensitive personal data. A business that expects the carveout to settle the issue should review whether sensitive data sales create a distinct notice problem.

Texas changes the notice itself

A Texas privacy notice has to do the familiar omnibus law work. It should describe the categories of personal data processed, the categories of personal data shared with third parties, the categories of third parties, and the way consumers can exercise and appeal their rights. That is the baseline.

Texas goes further when certain facts are present. If the controller sells sensitive personal data, the privacy notice has to include the statement NOTICE We may sell your sensitive personal data. If the controller sells biometric data, the notice has to include the statement NOTICE We may sell your biometric data. Those are specific Texas notice requirements that change the published language on the page.

Targeted advertising and sale disclosures need clear visibility

Texas also requires a controller that sells personal data to third parties or processes personal data for targeted advertising to clearly and conspicuously disclose that fact and explain how a consumer may opt out. For online businesses, that means your privacy policy and the footer path need to be coordinated, because a visible opt out path belongs alongside the disclosure.

If your business uses pixels, audience building, ad network tags, remarketing tools, or off site behavioral advertising, Texas reaches the page, the footer, the privacy choices path, and the request workflow behind them.

The appeal path is part of the Texas build

Texas requires a method for consumers to appeal a controller's refusal to take action on a privacy request. That means the request path and the appeal path need to be documented in your privacy policy and supported in the actual workflow. A business cannot state that Texas residents may appeal and then improvise the method when a denial is issued.

The policy has to identify how requests are submitted, how appeals work, and what the consumer should do next. If your site publishes rights language without a real path behind it, your policy creates confusion instead of clarity.

Texas needs its own review

Texas is broader, more likely to touch ordinary online operations, and more explicit about the notice text required when sensitive or biometric data is sold.

Texas merits separate review because the statute can require exact notice text in the privacy notice.

What to review before publishing a Texas privacy page

A Texas review should begin with scope, then move into the advertising stack, then move into the notice text itself. The business needs the facts before your policy can be trusted.

  • Confirm whether your business is inside the Act and whether the small business carveout changes the analysis
  • Map every use of targeted advertising and every data flow that may count as a sale to a third party
  • Check whether sensitive personal data or biometric data is sold and whether the required Texas notice sentence belongs in your policy
  • Publish a real opt out path for sale and targeted advertising activity
  • Document a real appeal path and make sure your privacy policy explains how to use it

Key Takeaways

  • Texas is one of the clearest state laws that can change the actual words on the page as well as the back end compliance analysis.
  • The law requires baseline notice content, a rights path, and an appeal path, and it adds specific notice text if sensitive or biometric data is sold.
  • Targeted advertising and sale disclosures need to be coordinated with a visible opt out path.
  • The Texas review should start with coverage and then move directly into your site's advertising stack, data sales analysis, and published notice text.

Primary Sources

Turn this into a real document

TermsBuilder uses an attorney-built questionnaire to turn these legal issues into Terms & Conditions and Privacy Policy pages that match the way your business operates.

Start your document set

Related Reading

Privacy Policy Requirements by State in 2026

State privacy laws change privacy policy drafting in different ways. Some states add website disclosure rules, some change the opt out path, and some require a separate notice.

Where to Put Privacy Policy and Do Not Sell or Share Links on Your Website

A privacy policy in the footer is the baseline, but some privacy links and notices need to appear closer to checkout, signup, and other collection points if you want your site disclosures to match the law and the way your business operates.