Texas TDPSA and AI: Profiling Opt-Out Rights, Sensitive Data Processing, and Enforcement Exposure
The Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024, requires an opt-out for AI profiling that produces legal or significant effects, opt-in consent for sensitive data processing (biometric, health, race/ethnicity), and data protection assessments for processing presenting heightened risk. The Texas AG secured a $1.4 billion settlement from Google over biometric data collection and $35 million from Snapchat, demonstrating serious enforcement capacity. TDPSA applies to any entity processing personal data of 100,000+ Texas residents, which covers most companies with significant US operations.
TDPSA Scope: Who It Covers and When AI Systems Are In Scope
TDPSA applies to any person conducting business in Texas or producing products consumed by Texas residents who processes or sells personal data and satisfies a size threshold: (a) processes data of 100,000+ Texas residents, (b) processes data of 25,000+ residents and derives 50%+ revenue from data sales, or (c) for biometric provisions — any entity capturing biometric identifiers for commercial purposes regardless of size. For AI systems: any model processing personal data about Texas residents as part of a business workflow is within scope if the threshold is met. A company with significant US operations processing data of 100,000+ Texas residents almost certainly meets the threshold.
Profiling Opt-Out: What AI Systems Must Implement
TDPSA defines "profiling" as any form of automated processing of personal data to evaluate, analyze, or predict personal aspects — including economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. AI systems that qualify: credit scoring, hiring AI, personalization and recommendation AI, fraud detection, health risk prediction, customer segmentation, and behavioral targeting. Consumers may opt out of profiling producing legal or similarly significant effects — including denial of goods/services, housing, credit, or employment. Controllers must provide an accessible opt-out mechanism and honor opt-out within 45 days. The opt-out must be implemented in the actual AI decision pipeline, not just in the UI layer.
Sensitive Data Requiring Opt-In Consent
TDPSA sensitive data categories requiring affirmative consent before processing: racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation or gender identity, immigration status, biometric data processed to uniquely identify an individual, genetic data, and personal data of a known child. AI systems frequently encounter sensitive data through: facial recognition and biometric authentication (biometric data — opt-in required); clinical AI processing health records (health condition — opt-in required); hiring AI that infers disability or health from application data; marketing AI that infers race or religion from behavioral signals; and any child-facing AI. Texas AG has specifically targeted biometric data collection — the Google settlement centered on facial recognition and voice matching without consent.
Data Protection Assessments for AI Systems
TDPSA requires data protection assessments (DPAs) for processing presenting heightened risk, including all profiling, targeted advertising, sale of personal data, and sensitive data processing. Required DPA elements: purpose specification (why this AI, for what objective); necessity and proportionality (why this data and this model, not a less invasive approach); risk to consumers (bias testing, disparate impact analysis, harm scenarios); safeguards (technical controls, human review, override capability); and benefits vs. risks analysis. DPAs must be available to the Texas AG on request; they must exist before processing begins. The $1.4B Google action demonstrates that the absence of adequate consent and risk documentation for biometric AI creates massive enforcement exposure even for well-resourced companies.
Texas AG Enforcement: What the Google and Snapchat Settlements Reveal
The Texas AG's $1.4 billion settlement with Google (2024) resolved claims, brought under the Texas Capture or Use of Biometric Identifier Act (CUBI), that Google illegally collected Texas residents' biometric identifiers through Google Photos facial recognition and voice matching in Google Assistant without adequate notice or consent. The $35 million Snapchat settlement (2024) included biometric violations for minors. TDPSA extends these biometric protections with comprehensive privacy rights for all personal data, profiling opt-out, sensitive data opt-in, and DPA requirements. The Google settlement is the largest privacy enforcement action by a state AG in US history, demonstrating that Texas takes privacy enforcement seriously and has the resources to pursue large technology companies.