Texas Data Privacy and Security Act: Compliance Imperatives and Enforcement Trends for Businesses
By: Daniel J. Gershman, Esq. and Vaughn C. Collopy, Esq.
Texas remains a premier destination for corporations seeking a business-friendly tax climate, a deep labor pool, and relatively light operational costs.[i] Yet the same state that has long marketed itself as a pro-growth haven is now demonstrating a new resolve to police the collection, use, and safeguarding of personal information. For any company that has recently moved, or is considering moving, its headquarters, regional hub, or key facilities to the Lone Star State, awareness of this shift is no longer optional.[ii] The Texas Data Privacy and Security Act (TDPSA), coupled with an assertive enforcement posture from the Office of the Attorney General, is reshaping compliance priorities and elevating the potential consequences of missteps.
Although the TDPSA has been on the books for several years, recent high-profile settlements illustrate how aggressively the statute can be applied. The billion-dollar resolutions reached with Meta (over its facial-recognition program) and with Google (over broader data-handling practices) were negotiated under the auspices of Texas and a coalition of states, but the message in Austin is clear: failure to respect the privacy rights of Texans carries a price tag measured in nine and ten figures.[iii] Businesses whose operations are less conspicuous than those of a global technology giant should not assume they are immune. The Attorney General’s office has steadily expanded its investigative resources, routinely issues civil investigative demands, and has signaled in speeches, press releases, and settlement announcements that it views data privacy enforcement as integral to consumer protection.
What, precisely, does the TDPSA require? In broad terms, any entity that “does business” in Texas and processes personal information relating to Texas residents must implement reasonable administrative, technical, and physical safeguards to protect that data. The statute obliges companies to maintain a written privacy policy, limit data collection to that which is “adequate, relevant, and reasonably necessary,” obtain affirmative consent before capturing sensitive biometric identifiers, and furnish clear mechanisms for individuals to access, correct, and, in certain circumstances, delete their information.[iv] Notably, the Attorney General is empowered to seek both injunctive relief and civil penalties of up to $50,000 per violation, an amount that can multiply quickly when each instance of improper collection or disclosure is counted as a separate offense.[v]
For companies that have recently relocated to Texas, compliance presents a slightly different calculus than in states such as California, whose privacy regime is already well known. Texas regulators have made it plain that they view the arrival of new headquarters as an economic win for the state, but they also see an opportunity to set expectations early. The result is a series of “welcome letters” and informal outreach from the Attorney General’s Consumer Protection Division reminding executives of TDPSA responsibilities. In some cases, those letters are followed by formal requests for documentation of privacy policies, data-flow maps, vendor contracts, and third-party audit reports. While Texas courts do not yet have an extensive body of TDPSA case law, the threat of litigation and the brand damage that accompanies it should motivate companies to close any compliance gaps before they catch the attention of regulators or plaintiffs’ lawyers.
Practical steps can mitigate that risk. First, conduct a gap assessment that maps every category of personal data gathered from employees, customers, and vendors, and compares existing controls with TDPSA benchmarks. Second, update public-facing privacy notices to ensure they describe, in plain English, why information is collected, how it is used, and how long it is retained. Third, develop an incident-response protocol, including a 48-hour internal reporting trigger, so that security events are escalated quickly and handled consistently. Fourth, extend compliance obligations through the supply chain by revising vendor agreements to address data-processing instructions, audit rights, and breach-notification timeframes. Finally, invest in employee training: Texas enforcement actions frequently cite evidence that staff either misunderstood or ignored company policies when handling personal information.
The business upside of proactive compliance is twofold. Internally, it reduces the likelihood of costly breaches, investigations, and disruptive consent decrees. Externally, it can differentiate a company in the eyes of customers, investors, and potential acquirers who increasingly view a robust privacy posture as table stakes for doing business. Given the speed at which new regulations proliferate (Congress is debating federal privacy proposals, and several neighboring states have introduced their own bills), establishing a rigorous framework now will make future adaptations less expensive.
In short, Texas’s evolving regulatory climate does not negate the substantial advantages of relocating corporate operations to the state, but it does demand a more sophisticated approach to data governance than many businesses may have anticipated. By acknowledging the Attorney General’s intensified focus, understanding the contours of the TDPSA, and embedding privacy-by-design principles across the enterprise, companies can position themselves to thrive in Texas while avoiding the pitfalls that have ensnared even the world’s most well-resourced technology firms.
Falcon Rappaport & Berkman helps businesses navigate evolving privacy laws, including the Texas Data Privacy and Security Act. For assistance or to learn more, please contact our Corporate & Securities Practice Group at 516-599-0888.
[i] See Favorable Business Climate in Texas, Texas Business Climate, https://businessintexas.com/why-texas/business-climate/.
[ii] Tex. Bus. & Comm. Code ch. 541 (effective on July 1, 2024).
[iii] See Attorney General Ken Paxton Secures Historic $1.375 Billion Settlement with Google Related to Texans’ Data Privacy Rights, TX Attorney General, https://www.texasattorneygeneral.gov/consumer-protection/file-consumer-complaint/consumer-privacy-rights/texas-data-privacy-and-security-act (May 9, 2025); see also, Attorney General Ken Paxton Secures $1.4 Billion Settlement with Meta Over Its Unauthorized Capture of Personal Biometric Data in Largest Settlement Ever Obtained From an Action Brought By a Single State, TX Attorney General, https://www.texasattorneygeneral.gov/news/releases/attorney-general-ken-paxton-secures-14-billion-settlement-meta-over-its-unauthorized-capture (July 30, 2024).
[iv] See supra Note ii.
[v] See id.
DISCLAIMER: This summary is not legal advice and does not create any attorney-client relationship. This summary does not provide a definitive legal opinion for any factual situation. Before the firm can provide legal advice or opinion to any person or entity, the specific facts at issue must be reviewed by the firm. Before an attorney-client relationship is formed, the firm must have a signed engagement letter with a client setting forth the firm’s scope and terms of representation. The information contained herein is based upon the law at the time of publication.

