Texas Data Privacy and Security Act, Profiling Provisions (HB 4)
Effective date
Penalty
Up to $7,500 per violation under the DTPA framework. 30-day cure period, permanent, no sunset. AG-only enforcement. No private right of action.
Cure period
30 days
Obligations mapped
12 obligations
Overview
Texas comprehensive privacy law with profiling provisions. Requires data protection assessments for profiling that presents a risk of harm. Consumer opt-out for profiling producing legal or similarly significant effects, targeted advertising, and sale of personal data. Universal opt-out mechanism required for covered profiling opt-outs. Broad applicability: no revenue or data volume thresholds (unlike many state privacy laws). Small businesses as defined by the SBA are exempt. The 30-day cure period is permanent with no sunset. Profiling opt-out applies to decisions with legal or similarly significant effects, not all profiling.
This is a privacy law with automated decision-making provisions.
Who this applies to
This regulation applies to the following roles:
- Developers of covered AI systems
- Deployers and users of covered AI systems
- Organizations operating in Texas
This regulation applies to both companies that build AI products and companies that use AI tools from other vendors.
AI categories covered
- Consumer-facing AI
- Automated decision-making
- Algorithmic profiling
Specific AI use cases:
- Customer profiling and segmentation
- Credit scoring and risk assessment
- Resume screening and ranking
- Chatbots and virtual assistants
What this requires you to do
12 obligations identified from statutory analysis.
541.105(a)(3)
541.103
541.101(b)(3)
541.053
541.055
Regulation summaries are simplified for readability and may not capture every nuance of the underlying statute. Verify important details against primary sources linked on this page.
Enforcement and penalties
Up to $7,500 per violation under the DTPA framework. 30-day cure period, permanent, no sunset. AG-only enforcement. No private right of action.
Cure period: 30 days.
Penalty amounts are based on statutory text and may be subject to adjustment, judicial interpretation, or enforcement discretion.
Legislative history
effective
Takes effect
Related regulations
- In Effect, AI-Specific
Texas TRAIGA (Responsible Artificial Intelligence Governance Act, HB 149)
Texas TRAIGA (HB 149) prohibits AI systems from intentionally manipulating behavior to cause harm, infringing constitutional rights, or discriminating against protected classes. Where applicable, government agencies may need to disclose AI interactions. Updates biometric consent for AI training data. Creates a regulatory sandbox program. AG exclusive enforcement with 60-day cure period. Intent-based liability standard (no disparate impact).
Effective
- In Effect, AI-Specific
Texas TRAIGA Biometric and AI Training Amendments (HB 149, 89th Legislature)
Amends the Texas Capture or Use of Biometric Identifier Act (CUBI) and related Business and Commerce Code provisions for biometric data used with AI. Relaxes CUBI for AI training with a carveout for publicly available data and adds anti-scraping consent requirements for biometric identifiers. Enforced under the same HB 149 TRAIGA framework as the core act: intent-based liability, 60-day cure, preemption of local AI rules, and the statutory penalties and safe harbors that apply to TRAIGA generally.
Effective
- In Effect, AI-Specific
Texas SB 1188 - Healthcare AI Practitioner Disclosure
Requires healthcare providers using AI-enabled clinical support features in electronic health record workflows to disclose AI involvement in clinical decision support contexts. Applies to AI-assisted diagnosis, treatment recommendations, and clinical support pathways in covered settings.
Effective
- In Effect, AI-Specific
Texas Nonconsensual Intimate Deepfakes (SB 441)
Criminalizes creating and distributing nonconsensual intimate deepfakes. Creates civil liability for victims. Platforms must take down reported content within 72 hours. Consent to create an image does not constitute consent to share it.
Effective
- In Effect, AI-Specific
Texas Government AI Ethics and Oversight (SB 1964)
Requires Texas state agencies and local governments to inventory AI systems, adopt an AI code of ethics aligned with NIST AI RMF, conduct impact assessments for AI that autonomously influences consequential decisions, and disclose AI use to affected individuals. Applies to government entities only, not the private sector.
Effective
Texas AI regulation guide lists every tracked rule for this jurisdiction with timelines and obligation tallies.