Texas · TDPSAWordPress hosting with TDPSA plugin built into the platform.
Opt-out signals for sale, targeted advertising, and profiling, opt-in for sensitive data, Universal Opt-Out Mechanism (GPC) honoring since January 2025, and an appeal workflow — handled by Yovale's compliance MU-plugin. You don't install it. You don't update it. You don't pay for it. Unlike most US state laws, the TDPSA has no 100,000-consumer threshold — if you're not a US SBA small business and you serve Texas residents, you're covered. The same platform also handles CCPA, VCDPA, CPA, CTDPA, and every other US state privacy law.
Under the TDPSA, you can opt out of the sale of personal data, targeted advertising, and profiling. You can also access, correct, delete, or export the data we hold about you. Your browser's Global Privacy Control signal is honored automatically.
Six obligations you have to meet.
The Texas Data Privacy and Security Act took effect on July 1, 2024, with the Universal Opt-Out Mechanism requirement following on January 1, 2025. Unlike VCDPA, CPA, or CTDPA, the TDPSA has no 100,000-consumer threshold. It applies to any entity that conducts business in Texas or produces products or services consumed by Texas residents, processes or engages in the sale of personal data, and is not a small business as defined by the US SBA. That makes it the broadest US state privacy law on paper — a single-author WordPress blog with Texas readers can fall under it. Enforcement sits with the Texas Attorney General, with civil penalties of up to $7,500 per violation.
- 01
Opt-out for sale, targeted ads, profiling
Texas consumers can opt out of the sale of personal data, targeted advertising, and profiling that produces legal or similarly significant effects. The opt-out mechanism has to be clear, conspicuous, and free of dark patterns — and recognized through the Universal Opt-Out Mechanism since January 1, 2025.
- 02
Opt-IN for sensitive data
You cannot process sensitive data without explicit consent. Sensitive data covers race, religion, mental or physical health diagnosis, sexual orientation, citizenship and immigration status, genetic or biometric data, precise geolocation, and data from a known child under 13.
- 03
Universal Opt-Out Mechanism (UOOM)
Since January 1, 2025, the TDPSA requires controllers to recognize browser signals like Global Privacy Control as a valid opt-out for sale and targeted advertising. The signal must be honored at the controller level — not just shown as a banner option.
- 04
Consumer rights: access, correct, delete, port, appeal
Texas consumers can request access, correction, deletion, and a portable copy of their personal data. You respond within 45 days, extendable once by 45 days. If you deny a request, the consumer can appeal — you respond to the appeal within 60 days.
- 05
Controller and processor duties
Contracts between controllers and processors must spell out processing instructions, confidentiality, deletion or return of data at end of service, and assistance with consumer requests. Yovale acts as your processor under a written contract.
- 06
Data protection assessments
Conduct and document a data protection assessment for any processing presenting a heightened risk of harm — targeted advertising, sale of personal data, profiling with significant effects, and any processing of sensitive data. The Texas AG can request the assessment in an investigation.
Built into the platform. Not a plugin you install.
Yovale ships TDPSA compliance as a signed must-use plugin — part of the hosting itself, not something you install from the WordPress repository. It's version-pinned, fetched from R2 with SHA-256 verification, and dropped into a per-site bind-mounted mu-plugins directory at provision time. The Universal Opt-Out Mechanism is honored at the edge before any analytics, ad, or profiling code runs. Updates ship through the same channel your hosting updates do.
Geo-aware consent with UOOM/GPC honoring
Texas visitors see TDPSA opt-out controls for sale, targeted advertising, and profiling. If their browser sends Global Privacy Control, the opt-out is applied automatically at the Cloudflare edge worker — no click needed. Sensitive categories require explicit opt-in.
Privacy portal
/.well-known/privacy on every Yovale site. Texas consumers can submit access, correction, deletion, and portability requests without filing a support ticket. Every request shows up in your Compliance dashboard tab with a 45-day SLA timer.
Appeal workflow with audit log
When a request is denied, the consumer gets a one-click appeal link. The appeal opens a separate 60-day SLA case in your dashboard. Every opt-out, request, denial, and appeal is logged with timestamp and region — exportable as JSON or CSV if the Texas AG ever asks.
Signed processor contract (DPA)
Pre-signed controller-processor contract that meets TDPSA § 541.104 requirements. Lists every sub-processor (Cloudflare, Anexia, R2), purpose limits, confidentiality, deletion at end of service, and assistance with consumer requests. PDF download from the dashboard.
Why infrastructure beats a plugin.
Typical WordPress TDPSA plugin
- Adds 200-500ms to every page load (banner JS, geo lookup, DB writes)
- Ignores Global Privacy Control or implements it inconsistently — TDPSA violation since January 2025
- Stores opt-out signals in wp_options — slow, untyped, breaks with object caching
- Costs $49-149/year per site and rarely covers UOOM, appeals, or audit logs
- Breaks when you migrate hosts; opt-out history and appeal records lost
Yovale's built-in approach
- 0ms latency — opt-out state and GPC signal evaluated at the edge worker
- UOOM/GPC honoring built into the platform — works on day one, on every Yovale site
- Audit log in a dedicated database, queryable, never blocks page render
- Included on every plan ($149 / $249 / $499 per year), no per-site compliance fees
- Travels with your site forever — opt-out and appeal history is yours to export
14 regulations. One toggle each. All automatic.
- Opt-out for sale, targeted ads, profiling
- Opt-in for sensitive data
- UOOM/GPC honoring since Jan 1, 2025
- 45-day consumer request response
- Appeal process within 60 days
TDPSA + Yovale, answered.
Does the TDPSA apply to my site? It has no 100k threshold.
Correct — and that's what makes the TDPSA the broadest US state privacy law on paper. It applies to any entity that conducts business in Texas or produces products or services consumed by Texas residents, processes or engages in the sale of personal data, and is not a small business as defined by the US Small Business Administration. There is no 100,000-consumer floor like VCDPA, CPA, or CTDPA. A single-author WordPress blog with Texas readers can fall under it. Yovale runs full TDPSA protections by default so the question is moot — every Yovale site is ready.
What counts as a US SBA small business for the TDPSA exemption?
The US Small Business Administration sets size standards by NAICS industry code — typically based on number of employees (often 500 or fewer for many sectors) or average annual revenue (often $7.5M to $40M depending on industry). The TDPSA exemption is narrow: even if you qualify as an SBA small business, you still cannot sell sensitive personal data without affirmative consent. We don't give legal advice — check your specific NAICS code against current SBA size standards if you intend to rely on the exemption.
How does Universal Opt-Out Mechanism (UOOM) compliance work?
Since January 1, 2025, the TDPSA requires controllers to recognize Global Privacy Control (GPC) and similar browser signals as a valid opt-out for sale and targeted advertising. Yovale evaluates the GPC header on every request at the Cloudflare edge worker — before analytics, ad pixels, or third-party tags fire. Visitors with GPC enabled are treated as having opted out, with the decision logged in the audit trail. No banner click required, no JavaScript hack required.
What's the cure period and is it still in effect?
The TDPSA gives controllers a 30-day cure period after the Texas Attorney General sends a notice of violation. If you cure within 30 days and provide written confirmation, the AG may not pursue civil penalties for that violation. Unlike California (where the CCPA cure period was sunset in 2023), the TDPSA cure period is not currently set to expire. That said, repeat offenders and bad-faith conduct can lose the cure benefit — treat it as a one-shot safety net, not a workflow.
How is the TDPSA different from the CCPA?
Both give opt-out for sale and targeted advertising plus rights to access, delete, and port data. The TDPSA goes further on sensitive data — it requires opt-IN consent, while California uses an opt-out signal. The TDPSA also mandates a formal appeal process and is enforced by the Texas Attorney General with no private right of action (CCPA has a private right of action for certain data breaches). The TDPSA has no 100k threshold; the CCPA has gross-revenue and transaction-volume thresholds. Yovale handles both regimes from one platform.
Do you provide a processor contract for the TDPSA?
Yes. A pre-signed controller-processor contract that meets TDPSA § 541.104 requirements is available as a PDF in your dashboard. We're listed as your processor, you're the controller. It lists every sub-processor (Cloudflare, Anexia, R2), purpose limits, confidentiality terms, return or deletion of data at end of service, and our duty to assist with consumer requests and data protection assessments.
Ship a TDPSA-compliant WordPress site in 60 seconds.
Every Yovale site is TDPSA-ready from the moment you deploy. UOOM/GPC honoring on day one. No plugin to install. No processor contract to chase. No appeal workflow to build. Start the free Growth trial and see your first compliance dashboard.