Tags: AI compliance, regulatory, privacy, data protection, TDPSA

Texas Data Privacy and Security Act: The Largest Red State Privacy Law and Its AI Implications

By Basel Ismail, May 17, 2026

Texas Governor Greg Abbott signed HB 4 on June 18, 2023, and the Texas Data Privacy and Security Act (TDPSA) took effect on July 1, 2024. With roughly 30 million residents, Texas became the most populous state after California to enact a comprehensive privacy law, and the most populous Republican-led state to do so. The law borrows heavily from the Virginia (VCDPA) and Connecticut (CTDPA) frameworks, but it has a few wrinkles worth attention, particularly around AI and automated decision-making.

Who Is Covered and What Makes Texas Different

The TDPSA applies to entities that conduct business in Texas or produce products or services consumed by Texas residents, process or sell personal data, and are not classified as a small business under the U.S. Small Business Administration's standards. That last part is notable. Unlike the CCPA, which sets a $25 million revenue threshold, or Colorado's CPA, which uses processing-volume thresholds (100,000 consumers, or 25,000 consumers if the controller derives revenue from data sales), the TDPSA leans on an external federal classification. If the SBA classifies you as a small business for your NAICS code, you are exempt from most of the TDPSA's obligations, but not all of them: under Section 541.107, a small business still may not sell sensitive personal data without the consumer's prior consent.

The law covers "consumers," defined as Texas residents acting in an individual or household capacity. It excludes individuals acting in a commercial or employment context. Standard exemptions apply for data governed by HIPAA, GLBA, FERPA, FCRA, and the DPPA, as well as for government entities and nonprofits. If you are in healthcare or financial services, your regulated data sets are carved out, but any personal data you process outside those frameworks is still in scope.

Core Obligations: Familiar Territory with Some Edges

The TDPSA follows the now-standard state privacy law playbook. Controllers must provide reasonably accessible privacy notices, limit data collection to what is adequate, relevant, and reasonably necessary, implement reasonable data security practices, and avoid processing sensitive data without consent. Consumer rights include access, correction, deletion, data portability, and the right to opt out of targeted advertising, data sales, and profiling that produces legal or similarly significant effects.

A few specifics worth flagging:

  • Sensitive data includes biometric data, precise geolocation, data of known children, racial or ethnic origin, religious beliefs, health diagnoses, sexual orientation, and citizenship or immigration status. Processing any of these requires affirmative consent.
  • Universal opt-out mechanisms must be recognized by controllers. Section 541.055 requires controllers to honor opt-out preference signals for targeted advertising and data sales, a requirement that took effect on January 1, 2025, similar to what Colorado and Connecticut require. The Texas Attorney General has rulemaking authority to establish technical specifications for these signals.
  • No private right of action. Enforcement sits exclusively with the Texas Attorney General. The AG must provide 30 days' written notice of an alleged violation, and the controller has that cure period to fix it. Violations are enforceable under the Texas Deceptive Trade Practices Act, which means civil penalties of up to $7,500 per violation.

One thing to watch: unlike the cure provisions in Colorado and Connecticut, which have already sunset, the TDPSA's 30-day cure period has no expiration date (Virginia's is likewise permanent). For now, this gives controllers a meaningful buffer. Whether the AG's office will interpret "cure" narrowly or broadly remains to be seen.

The AI and Profiling Angle

This is where things get interesting for anyone deploying AI systems that touch Texas consumer data. The TDPSA defines "profiling" as any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements (Section 541.001(24)).

Consumers have the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. Section 541.051(a)(4) is explicit about this. If your AI system is making or materially influencing decisions about creditworthiness, employment eligibility, insurance underwriting, housing access, or similar outcomes for Texas consumers, you need an opt-out mechanism.
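As an added example (not code from the FirmAdapt post or product), the two opt-outs discussed above, the universal opt-out signal from the bullet list and the explicit opt-out from consequential profiling in this paragraph, can be enforced by one purpose-gating check placed in front of the processing pipeline. The block assumes Global Privacy Control (the `Sec-GPC: 1` request header) is the recognized signal, an in-memory dict as the opt-out store, and a constructed scoring rule standing in for a model; the consumer ids, header values and feature values are made up for the demonstration.

```python
# Added example for this post (not FirmAdapt code): gating targeted advertising,
# data sales and consequential profiling on the browser's Global Privacy Control
# signal plus stored per-consumer opt-outs. Assumptions: the recognized universal
# opt-out signal is GPC (the "Sec-GPC: 1" request header), opt-out records live
# in an in-memory dict keyed by consumer id, and HTTP headers arrive as a plain
# mapping. All sample data below is constructed.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Mapping, Optional

# Processing purposes a Texas consumer may opt out of (TDPSA Sec. 541.051).
TARGETED_ADS = "targeted_advertising"
SALE = "sale"
SIGNIFICANT_PROFILING = "profiling_significant"
OPT_OUT_PURPOSES: FrozenSet[str] = frozenset({TARGETED_ADS, SALE, SIGNIFICANT_PROFILING})

# A GPC signal expresses an opt-out of sale and targeted advertising only; the
# GPC specification does not cover profiling, so that opt-out must come from an
# explicit consumer request recorded on the account.
GPC_COVERED: FrozenSet[str] = frozenset({TARGETED_ADS, SALE})


@dataclass
class OptOutRecord:
    """Purposes a consumer has opted out of, mapped to the source of each opt-out."""
    purposes: Dict[str, str] = field(default_factory=dict)


def gpc_asserted(headers: Mapping[str, str]) -> bool:
    """True only for Sec-GPC: 1. Header names are case-insensitive; any other
    value (including "0" or an absent header) is not an opt-out."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def record_signal(store: Dict[str, OptOutRecord], consumer_id: Optional[str],
                  headers: Mapping[str, str]) -> None:
    """Persist a GPC opt-out on a known consumer's account so it survives the
    session. Design choice (an assumption, not a statutory requirement): the
    signal is treated as the consumer's own opt-out request."""
    if consumer_id is None or not gpc_asserted(headers):
        return
    rec = store.setdefault(consumer_id, OptOutRecord())
    for purpose in GPC_COVERED:
        rec.purposes.setdefault(purpose, "gpc_signal")


def permitted_purposes(store: Dict[str, OptOutRecord], consumer_id: Optional[str],
                       headers: Mapping[str, str]) -> FrozenSet[str]:
    """Purposes this request may be processed for, after applying both the stored
    opt-outs and the live signal (an unauthenticated request still has the
    signal honoured, even though nothing can be persisted for it)."""
    blocked = set()
    if consumer_id is not None and consumer_id in store:
        blocked |= set(store[consumer_id].purposes)
    if gpc_asserted(headers):
        blocked |= GPC_COVERED
    return OPT_OUT_PURPOSES - blocked


def score_for_credit_offer(store: Dict[str, OptOutRecord], consumer_id: Optional[str],
                           headers: Mapping[str, str], features: Mapping[str, int]) -> Optional[float]:
    """Stand-in for a model whose output influences a credit decision. It refuses
    to run when the consumer has opted out of consequential profiling and returns
    None, so the caller must take a non-profiled path rather than a default score."""
    if SIGNIFICANT_PROFILING not in permitted_purposes(store, consumer_id, headers):
        return None
    # Constructed scoring rule; a real model would sit here.
    return round(0.5 + 0.1 * features.get("on_time_payments", 0)
                 - 0.2 * features.get("delinquencies", 0), 3)


def demo() -> dict:
    """Constructed scenario: tx-1001 opted out of profiling by explicit request;
    tx-1002 arrives once with GPC set and later without it."""
    store = {"tx-1001": OptOutRecord({SIGNIFICANT_PROFILING: "consumer_request"})}
    with_gpc = {"Sec-GPC": "1", "User-Agent": "constructed"}
    plain = {"User-Agent": "constructed"}
    record_signal(store, "tx-1002", with_gpc)
    return {
        "anon_gpc": sorted(permitted_purposes(store, None, with_gpc)),
        "1001_plain": sorted(permitted_purposes(store, "tx-1001", plain)),
        "1002_later": sorted(permitted_purposes(store, "tx-1002", plain)),
        "1001_score": score_for_credit_offer(store, "tx-1001", plain, {"on_time_payments": 3}),
        "1002_score": score_for_credit_offer(store, "tx-1002", plain,
                                             {"on_time_payments": 3, "delinquencies": 1}),
    }


if __name__ == "__main__":
    print(demo())
```

The split between `GPC_COVERED` and the profiling opt-out is the point worth keeping: a GPC header satisfies the targeted-advertising and sale opt-outs, but the profiling opt-out described in this section has to be captured through your own request channel and stored, because no browser signal expresses it. Returning `None` instead of a fallback score forces the calling code to handle the opted-out consumer explicitly, which is what you will need to evidence in a data protection assessment.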

Controllers must also conduct and document data protection assessments (DPAs) for processing activities that present a heightened risk of harm. Under Section 541.105, these assessments are required for targeted advertising, data sales, processing sensitive data, and, critically, profiling where there is a reasonably foreseeable risk of unfair or deceptive treatment, financial or physical injury, a physical or other intrusion on solitude or seclusion, or other substantial injury to consumers.

If you are running an AI model that profiles Texas consumers in any meaningful way, you need a documented DPA. The assessment must weigh the benefits of the processing to the controller, the consumer, and the public against the potential risks, factoring in the use of de-identification, reasonable consumer expectations, and the context of the processing. These assessments must be made available to the AG upon request during an investigation.

Practical Implications for AI Deployments

The combination of opt-out rights for consequential profiling and mandatory DPAs creates a compliance surface area that many organizations have not fully mapped. Consider a few scenarios:

  • Healthcare AI (non-HIPAA data): If you are processing consumer health-adjacent data, say wellness app data or consumer-facing symptom checkers, that falls outside HIPAA's covered entity framework, the TDPSA applies. Profiling users to recommend services or triage urgency could trigger DPA requirements.
  • Financial services lead scoring: Using AI to score or segment prospects based on behavioral data collected from Texas residents is profiling under the statute. It becomes profiling with legal or similarly significant effects once the score feeds a decision about whether to offer credit, insurance or another financial service, or on what terms; at that point you need both the opt-out mechanism and the DPA. Even pure marketing segmentation can trigger the DPA requirement on its own if the scoring carries a reasonably foreseeable risk of unfair or deceptive treatment.
  • EdTech platforms: Student data may be covered under FERPA exemptions, but parent or guardian data processed for marketing, recommendations, or engagement scoring is not exempt.
  • Defense contractors with consumer-facing products: If you sell products or services to Texas consumers alongside your government contracts, the consumer-facing data processing is in scope.

The TDPSA does not require algorithmic impact assessments in the way the EU AI Act does, and it does not mandate disclosure of automated decision-making logic. But the DPA requirement, combined with the AG's investigative authority, means you should be prepared to explain and defend your AI processing choices with documentation. "We ran it through the model" is not going to satisfy a DPA review.

Enforcement Trajectory

Texas AG Ken Paxton (and now his successor) has been aggressive on data privacy enforcement since before the TDPSA. In July 2024, the AG's office secured a $1.4 billion settlement with Meta in a suit filed in 2022 over biometric data collection under the Texas Capture or Use of Biometric Identifier Act (CUBI). The office has also pursued enforcement actions against Google and other major platforms. There is every reason to expect that the TDPSA will be actively enforced, particularly against companies processing sensitive data or engaging in profiling at scale.

The AG's office also has rulemaking authority under the TDPSA, which means additional guidance on universal opt-out mechanisms, DPA requirements, and potentially AI-specific processing standards could emerge. Monitoring those rulemaking proceedings is worth the effort.

How FirmAdapt Addresses TDPSA Compliance

FirmAdapt's platform is built to handle exactly this kind of layered compliance challenge. For organizations processing Texas consumer data through AI systems, FirmAdapt provides structured workflows for conducting and documenting data protection assessments, mapping profiling activities to the specific TDPSA triggers, and maintaining auditable records that can be produced to the AG's office upon request. The platform's compliance-first architecture means these controls are embedded in the AI processing pipeline itself, not bolted on after the fact.

For companies operating across multiple state privacy regimes, FirmAdapt also maps overlapping obligations, so a DPA conducted for TDPSA purposes can simultaneously satisfy Colorado CPA or Connecticut CTDPA requirements where the standards align. This reduces duplicative work without cutting corners on jurisdiction-specific requirements.
