Texas Email Privacy Guide: Laws, Rights & Protection 2025
A Texan's guide to email privacy—understanding state laws, data broker regulations, and practical protection strategies.
Texas now has a comprehensive consumer privacy law. The Texas Data Privacy and Security Act (TDPSA) took effect on July 1, 2024, and it gives Texas residents the right to see what data a company holds about them, correct it, delete it, take a portable copy, and opt out of having their data sold or used for targeted advertising (Texas Business and Commerce Code § 541.051).
This guide explains what the TDPSA covers, who has to follow it, the exact rights it grants, and how it differs from California's better-known CCPA. It also covers the older Texas email-specific spam law that still applies, and where a tool like disposable email fits into a broader privacy routine. This is general information, not legal advice; for a specific situation, talk to a Texas-licensed attorney.
Key takeaways
- The Texas Data Privacy and Security Act took effect July 1, 2024; its authorized-agent opt-out provisions followed on January 1, 2025.
- Texas residents have five rights under Section 541.051: access, correction, deletion, portability, and opt-out from data sales, targeted advertising, and profiling, with a 45-day response deadline.
- There is no private right of action; the Texas Attorney General has exclusive enforcement, with a permanent 30-day cure period and penalties up to $7,500 per violation.
- Unlike California's CCPA, the TDPSA has no revenue threshold (it uses the SBA small-business exemption) and requires opt-in consent before processing sensitive data.
- Since January 1, 2025, covered Texas businesses must honor universal opt-out signals such as Global Privacy Control sent through a browser or device.
- A disposable inbox is one preventive privacy tactic that complements these legal rights; it does not grant anonymity or legal compliance on its own.
What the TDPSA is, and when it took effect
The Texas Data Privacy and Security Act was passed as House Bill 4 by the 88th Texas Legislature and signed by Governor Greg Abbott on June 18, 2023, making Texas the tenth state to enact a comprehensive consumer privacy law (Alston & Bird). It lives in Chapter 541 of the Texas Business and Commerce Code.
The statute became effective July 1, 2024. One piece arrived later: the authorized-agent opt-out provisions in Section 541.055(e) took effect January 1, 2025 (Texas Legislature Online, HB 4 enrolled text). For context on scale, Texas reached an estimated population of 31,290,831 as of July 2024, the second-largest of any U.S. state (U.S. Census Bureau estimate via The Texas Tribune), so the law reaches a large share of residents whenever a covered business touches their data.
Who has to comply
The TDPSA applies to a person that conducts business in Texas, or produces a product or service consumed by Texas residents, and that processes or engages in the sale of personal data, and that is not a small business as defined by the U.S. Small Business Administration (Tex. Bus. & Com. Code § 541.002). There is no revenue or record-count threshold, which is the most striking structural difference from California.
Several categories are exempt: state agencies and political subdivisions, financial institutions and data covered by the Gramm-Leach-Bliley Act, HIPAA covered entities and business associates, nonprofit organizations, institutions of higher education, and electric utilities and power generators (HB 4 enrolled text). The small-business exemption is not absolute: under Section 541.107, even an SBA-defined small business may not sell sensitive personal data without first getting the consumer's consent (Tex. Bus. & Com. Code § 541.107).
The five rights Texans have under the TDPSA
Section 541.051 gives Texas consumers five rights they can exercise against a covered controller (Tex. Bus. & Com. Code § 541.051):
- Confirm whether a controller is processing your personal data, and access that data.
- Correct inaccuracies in your personal data.
- Delete personal data provided by, or obtained about, you.
- Obtain a copy of your data in a portable and, where technically feasible, readily usable format.
- Opt out of the sale of your personal data, targeted advertising, and profiling that produces legal or similarly significant effects.
How to make a request
The steps are the same across most covered companies:
- Open the company's privacy policy and look for a Texas privacy rights or "Your Rights" section.
- Submit your request through the listed method (a web form, a privacy email address, or a toll-free line).
- Complete any reasonable identity verification the controller asks for.
- State which right you are exercising: access, correction, deletion, portability, or opt-out.
A controller must respond without undue delay and no later than 45 days after receiving the request. It may extend once by another 45 days when reasonably necessary, as long as it tells you within the first 45-day window (Tex. Bus. & Com. Code § 541.052 via Justia).
Since January 1, 2025, controllers must also recognize universal opt-out signals (browser- or device-level mechanisms such as Global Privacy Control, or GPC) and treat a valid signal as an opt-out of data sales and targeted advertising; the law sets technical standards but does not mandate GPC specifically (Bendele Legal). That means a single browser setting can carry your opt-out to every covered Texas business at once, without filing a request with each one.
Sensitive data, controller duties, and what counts as "precise location"
The TDPSA treats some categories as sensitive and protects them more tightly. Section 541.001 defines sensitive data to include personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status; genetic or biometric data processed to uniquely identify an individual; personal data collected from a known child; and precise geolocation data (HB 4 enrolled text). A controller must obtain consent before processing sensitive data. That is an opt-in model, not the opt-out California uses.
Two definitions are worth knowing precisely. Biometric data means data generated by automatic measurements of biological characteristics (a fingerprint, voiceprint, or eye retina or iris) used to identify a specific individual; it excludes photographs, video, audio, and data generated from them. Precise geolocation data means information that identifies an individual's specific location within a radius of 1,750 feet (HB 4 enrolled text).
What controllers must do
Beyond honoring rights, Section 541.101 requires controllers to limit data collection to what is adequate, relevant, and reasonably necessary for the disclosed purposes, and to maintain reasonable administrative, technical, and physical security practices proportionate to the data they hold (Tex. Bus. & Com. Code § 541.101). Controllers must also conduct and document data protection assessments for higher-risk activities: targeted advertising, the sale of personal data, processing of sensitive data, and certain profiling. Those assessments stay confidential but must be produced to the Attorney General on request, and the requirement applies only to processing generated after July 1, 2024 (HB 4 enrolled text). The data-minimization duty is the part most relevant to everyday email: a company should not collect more than it needs, but in practice many still ask for a primary address they do not strictly require.
Enforcement: who can act, the cure period, and penalties
The Texas Attorney General has exclusive authority to enforce the TDPSA (HB 4 enrolled text, § 541.151). The statute is explicit that there is no private right of action: it "may not be construed as providing a basis for, or being subject to, a private right of action for a violation of this chapter or any other law" (Tex. Bus. & Com. Code § 541.156). You can file a complaint with the AG, but you cannot sue a company yourself for a TDPSA violation.
Before suing, the AG must give the business 30 days' written notice identifying the specific provisions allegedly violated. If the business cures the violation and provides a written statement confirming the cure within that window, no enforcement action follows. Unlike some states, this cure right has no sunset date (Tex. Bus. & Com. Code § 541.154). Civil penalties run up to $7,500 per violation after the cure period, with each affected consumer counted separately (Tex. Bus. & Com. Code § 541.155).
The law has teeth in practice. On January 13, 2025, the Texas AG filed the state's first TDPSA enforcement action against Allstate and its subsidiary Arity, alleging the companies harvested precise geolocation and driving data from more than 45 million Americans through software development kits embedded in third-party mobile apps, and seeking more than $1,000,000 at up to $7,500 per violation (Byte Back Law).
TDPSA vs. California's CCPA
California's law is older and more familiar. The CCPA was signed June 28, 2018, took effect January 1, 2020, and was amended by Proposition 24 (the CPRA), whose substantive provisions took effect January 1, 2023 (California Attorney General). California grants six rights: to know, delete, opt out of sale or sharing, correct, limit use of sensitive personal information, and non-discrimination (California Attorney General). For a deeper walkthrough of California specifically, see our California privacy laws guide.
The two laws diverge on who they cover, how they treat sensitive data, and how they are enforced.
| Feature | Texas (TDPSA) | California (CCPA/CPRA) |
|---|---|---|
| Effective | July 1, 2024 | Jan 1, 2020 (CPRA Jan 1, 2023) |
| Applicability threshold | No revenue/record figure; SBA small-business exemption | Any of: >$25M revenue ($26,625,000 from Jan 1, 2025); 100,000+ residents/households; 50%+ revenue from selling data |
| Sensitive data | Opt-in consent required before processing | Right to limit use after collection |
| Universal opt-out (GPC) | Required since Jan 1, 2025 | Required (predates Texas) |
| Cure period | Permanent 30-day cure | Removed by CPRA; discretionary |
| Private right of action | None | Narrow, for certain data breaches only |
| Enforcement | Attorney General only | Attorney General and the CPPA |
Sources: Texas thresholds and structure (Tex. Bus. & Com. Code § 541.002); California revenue/record thresholds and 2025 CPI adjustment to $26,625,000 (California Attorney General); the CPRA raising the consumer threshold from 50,000 to 100,000 (California Attorney General); California penalties of up to $2,500 per violation or $7,500 per intentional violation and the removed cure period (IAPP); California's breach-only private right of action with statutory damages of $100 to $750 per consumer per incident (Cal. Civ. Code § 1798.150); dual California regulators (California Attorney General); and a side-by-side of the two regimes (Texas Lawbook).
The practical takeaway: Texas reaches more mid-size companies because it skips the dollar threshold, and it is stricter on sensitive data by requiring consent up front. California gives consumers one extra lever, the ability to sue directly, but only for specific data breaches involving unencrypted, unredacted personal information (Cal. Civ. Code § 1798.150).
The Texas email-specific law, and where temp email fits
The TDPSA governs personal data broadly. Texas also has an older, email-specific statute. Chapter 321 of the Business and Commerce Code ("Regulation of Electronic Mail") prohibits intentionally sending unsolicited commercial email that falsifies routing information, uses false or deceptive subject lines, or misuses someone else's domain name. Under Section 321.052, a sender of unsolicited commercial email must place "ADV:" at the start of the subject line and provide a no-cost return address for removal requests (Tex. Bus. & Com. Code § 321.051 via Justia). Unlike the TDPSA, Chapter 321 does allow private suits: an injured person may recover the lesser of $10 per unlawful message or $25,000 per day (Texas statute, Chapter 321).
The federal CAN-SPAM Act sits on top of all this. Effective January 1, 2004, it requires senders to honor opt-out requests within 10 business days and preempts inconsistent state email laws, though it does not preempt state rules against falsity or deception. The FTC enforces it, with civil penalties adjusted to up to $53,088 per email as of January 17, 2025 (FTC inflation-adjustment release).
Why a disposable inbox still matters
Legal rights are real, but they are reactive. You exercise them after a company already has your address, and enforcement runs through the AG or, for breaches in California, a narrow lawsuit. Spam volume shows why prevention helps: 47.27% of all email sent worldwide in 2024 was spam (Kaspersky Securelist), and the cost of a breach lands at roughly $169 per stolen record (IBM). The fewer services that hold your primary address, the smaller your exposure.
A disposable address is one tactic that complements your statutory rights. It does not replace them, and it does not grant anonymity or exempt anyone from the law. When a newsletter, one-time download, or trial only needs to send you a confirmation link, a throwaway inbox keeps that address out of the marketing and broker pipelines that the TDPSA's opt-out and deletion rights would otherwise have to chase down later. TempMailSpot is a free, no-registration option: open the page, a temporary address appears, and incoming mail shows up automatically within seconds (it polls quickly at first, then eases off). Mailboxes default to 10 minutes with unlimited extension, you can export messages as PDF, JSON, or EML, and, unusually for a disposable service, you can send a reply behind a CAPTCHA. For account email you actually depend on, keep a real inbox and use your TDPSA rights to control it. To see how this works alongside other state and federal rules, read our overview of privacy laws and your email rights, and for local context there is a guide for Houston residents.
The TDPSA gives Texans a solid set of data rights: access, correction, deletion, portability, and a broad opt-out from sales and targeted advertising, all enforceable within 45 days. It reaches more companies than California's CCPA because it drops the revenue threshold, and it is stricter on sensitive data by requiring consent up front, but it leaves enforcement entirely to the Attorney General, with no way for you to sue.
That split is the practical lesson. Use your statutory rights for the accounts and services you genuinely rely on: submit access and deletion requests, and turn on a universal opt-out signal like GPC so a single setting carries across every covered Texas business. For the low-stakes signups that do not need your real address, a disposable inbox keeps that address out of the data flow in the first place. It is one privacy tactic among several, not a substitute for the rights the law gives you. If your situation involves a real dispute, consult a Texas-licensed attorney.
Sources
- California Attorney General, California Consumer Privacy Act (2020)
- Kaspersky Securelist, Spam and phishing in 2024 (2025)
- IBM, Cost of a Data Breach Report 2024 (2024)
- Alston & Bird Privacy, Cyber & Data Strategy Blog, Texas Becomes Tenth State to Enact a Comprehensive State Privacy Law (2023)
- Texas Legislature Online — HB 4 Enrolled Bill Text, 88(R) HB 4 – Enrolled version – Bill Text (2023)
- Texas Business and Commerce Code § 541.002 via texas.public.law, Texas Business and Commerce Code Section 541.002 – Applicability of Chapter (2024)
- Texas Business and Commerce Code § 541.051 via texas.public.law, Texas Business and Commerce Code Section 541.051 – Consumer's Personal Data Rights (2024)
- 2023 Texas Statutes, Business and Commerce Code § 541.052 via Justia, Section 541.052 – Controller Response to Consumer Request (2024)
- Texas Business and Commerce Code § 541.101 via texas.public.law, Texas Business and Commerce Code Section 541.101 – Controller Duties; Transparency (2024)
- Texas Business and Commerce Code § 541.107 via texas.public.law, Texas Business and Commerce Code Section 541.107 – Requirements for Small Businesses (2024)
- Texas Business and Commerce Code § 541.154 via texas.public.law, Texas Business and Commerce Code Section 541.154 – Notice and Cure (2024)
- Texas Business and Commerce Code § 541.155 via texas.public.law, Texas Business and Commerce Code Section 541.155 – Civil Penalty (2024)
- Texas Business and Commerce Code § 541.156 via texas.public.law, Texas Business and Commerce Code Section 541.156 – No Private Right of Action (2024)
- Bendele Legal, Global Opt-Out Technology Required under the Texas Data Privacy and Security Act (TDPSA) (2025)
- Byte Back Law (Womble Bond Dickinson), Texas Files First Privacy Law Enforcement Action (2025)
- IAPP, Top-10 operational impacts of the CPRA: Part 10 — Enforcement and potential penalties (2020)
- California Legislative Information — Civil Code §1798.150, Cal. Civ. Code 1798.150 — California Legislative Information (2023)
- The Texas Lawbook, Which State Leads the Way? A Comparison of Data Privacy Laws in Texas and California (2024)
- 2024 Texas Statutes — Business and Commerce Code § 321.051 via Justia, Section 321.051 – Transmission of Certain Commercial Electronic Mail Messages Prohibited (2024)
- Texas Business and Commerce Code Chapter 321 (official statute page), Texas Business and Commerce Code Chapter 321 – Regulation of Electronic Mail (2024)
- Federal Trade Commission, FTC Publishes Inflation-Adjusted Civil Penalty Amounts for 2025 (2025)
- The Texas Tribune, Texas is now home to 31 million people even as population growth slows (2024)
- California Attorney General (oag.ca.gov), California Consumer Privacy Act (CCPA) | California Department of Justice (2023)