Texas doesn't make you show a cookie banner. What it makes you do is honor an opt-out, and since January 1, 2025, honor it automatically when a browser sends a Global Privacy Control signal. The Texas Data Privacy and Security Act (TDPSA) took effect on July 1, 2024, and the office enforcing it, the Texas Attorney General, has been busier than any other state privacy regulator. This guide covers when the TDPSA reaches your cookies, what you actually have to build, and what the penalties look like.
Does the TDPSA reach cookies?
The TDPSA regulates personal data, meaning information linked or reasonably linkable to an identified or identifiable individual. A cookie or device identifier that feeds an advertising profile is personal data. A strictly functional cookie that keeps a shopping cart alive usually isn't.
Two activities trigger the rules that matter for tracking:
- Sale of personal data. Texas defines a sale broadly, as sharing personal data for monetary or other valuable consideration. Loading a third-party advertising tag that passes identifiers to an ad network can count, even if no money changes hands.
- Targeted advertising. Using data collected across sites you don't own to serve ads based on someone's activity is squarely covered.
So the question isn't "do I use cookies," it's "do any of my cookies sell data or drive cross-context targeted ads." If they do, Texans get a right to opt out, and you have to make that right work.
The consent model: opt-out, not opt-in
This is the core difference from Europe. Under the GDPR you generally can't set an analytics or advertising cookie until the visitor says yes. Under the TDPSA you can set it by default, but you have to give Texans a clear way to say no, and you have to stop once they do.
In practice that means three things on your site: a privacy notice that describes the data you process and the categories of third parties you share it with, a visible opt-out link (the common label is "Your Privacy Choices" or "Your Opt-Out Rights"), and a mechanism that actually suppresses the sale and targeted-advertising cookies once someone opts out.
The universal opt-out mandate
Here's the part that trips people up. Since January 1, 2025, the TDPSA requires covered businesses to recognize a universal opt-out mechanism. In plain terms, if a Texan's browser sends the Global Privacy Control (GPC) signal, you have to treat it as an opt-out of sale and targeted advertising, automatically, with no extra clicks.
You can't make the visitor find your opt-out link if their browser already told you. The signal has to be detected server-side or client-side and applied before the tracking tags fire. A banner that ignores GPC is a banner that's out of compliance in Texas, and the AG has said the universal opt-out is an enforcement focus.
Sensitive data flips to opt-in
The opt-out model has one big exception. To process sensitive data, you need affirmative opt-in consent first. Texas counts precise geolocation, data revealing race or ethnicity, religious beliefs, health, sexual orientation, citizenship or immigration status, genetic and biometric data, and data from a known child as sensitive.
Precise geolocation matters for a lot of sites. If any tracker collects location within roughly 1,750 feet, that's sensitive, and default-on won't cut it. You need consent before it runs.
Who's actually covered
The TDPSA skips the revenue and record-count thresholds that most state laws use. It applies to any person who conducts business in Texas or produces a product or service consumed by Texas residents, processes or sells personal data, and is not a small business as defined by the US Small Business Administration. That last line is the only real carve-out, and it has a catch: even a small business can't sell sensitive data without consent. If you sell data, the small-business exemption mostly evaporates.
Penalties and enforcement
The Texas Attorney General has exclusive enforcement power. Civil penalties run up to $7,500 per violation, plus injunctive relief and recovery of the state's costs. The TDPSA gives you a 30-day cure period after written notice, and unlike most states, that right to cure doesn't sunset, it's permanent.
Don't let the cure period lull you. The AG launched a Data Privacy and Security Initiative in mid-2024 and has investigated hundreds of companies, from data brokers to car makers. The same office secured a $1.4 billion settlement from Meta in 2024 and $1.375 billion from Google in 2025 over biometric and location-tracking claims, the two largest single-state privacy settlements on record. Texas enforces. For how this compares elsewhere, see our penalties by country guide.
A practical setup for Texas traffic
- Inventory your cookies. Identify which ones sell data or drive targeted ads. Those are the ones an opt-out has to suppress.
- Publish an opt-out link. A visible "Your Privacy Choices" control that lets Texans opt out of sale and targeted advertising.
- Honor GPC automatically. Detect the signal and apply the opt-out before advertising tags load. This is mandatory, not optional. See our technical GPC guide.
- Gate sensitive data behind opt-in. Precise geolocation and the other sensitive categories need consent first.
- Keep records. Log opt-outs and GPC signals so you can show the AG the mechanism works.
How CookieBeam handles Texas
CookieBeam ships a US opt-out states framework preset built for laws like the TDPSA. A Texas visitor sees an opt-out-model banner with a "Your Opt-Out Rights" control, while an EU visitor on the same site sees strict opt-in, through the regional consent engine. GPC honoring is on by default in the runtime, so a Texan browser sending the signal gets its sale and targeted-advertising categories suppressed without any extra configuration. Sensitive-data categories can be set to require opt-in. Confirm the current TDPSA text and AG guidance before you finalize; this reflects mid-2026.
Related guides
For the signal itself, read Global Privacy Control explained and universal opt-out mechanisms across US state laws. For the wider map, see our complete guide to US state privacy laws and do you need a cookie banner in the United States. Primary source: the Texas Attorney General's TDPSA page.