Between managing employees, serving customers, and keeping operations running, data privacy compliance probably is not at the top of your to-do list. But if your Houston business collects any personal information from Texas residents, the Texas Data Privacy and Security Act now governs how you handle that data. The law took effect in July 2024, requires specific disclosures and consumer rights processes, and carries penalties of up to $7,500 per violation. A Houston business law attorney at Capstone Legal Strategies can help you cut through the complexity and put a practical compliance plan in place.
What Is the Texas Data Privacy and Security Act?
The Texas Data Privacy and Security Act (TDPSA) establishes rules for collecting, storing, processing, and selling consumer information linked to a specific individual. It was passed as House Bill 4 during the regular session of the 88th Texas Legislature, and the law became effective July 1, 2024. Provisions related to consumer-designated agents and universal opt-out mechanisms took effect on January 1, 2025.
Unlike other states that apply revenue thresholds and volume of data processed to determine applicability, the TDPSA applies to nearly anyone who conducts business in Texas or produces products or services consumed by Texans and who processes or engages in the sale of personal data. That broad scope means most Houston-area companies, from restaurants and retail shops to technology startups and professional services firms, need to pay attention. Small businesses as defined by the federal Small Business Administration are generally exempt from the Act, except that if a small business sells the sensitive data of a consumer, it must first obtain the consumer’s consent.
The Act also exempts the following types of entities:
- State agencies and political subdivisions of the state
- Financial institutions governed by the Gramm-Leach-Bliley Act
- Covered entities and business associates governed by HIPAA
- Nonprofit organizations
- Institutions of higher education
- Electric utilities, power generation companies, and retail electric providers as defined by Utilities Code Sec. 31.002
If your business does not fall into one of those categories and is not exempt as a small business, compliance is not optional.
What the TDPSA Requires of Your Business
The TDPSA places several core obligations on businesses that act as “controllers,” meaning they determine the purpose and means of processing personal data. Here is what your Houston business needs to have in place:
Privacy Notice
Clear and accessible privacy notices are required, detailing data collection and processing practices. Your notice must explain what categories of personal data you collect, why you collect it, whether you sell it, and how consumers can exercise their rights.
Data Minimization
The TDPSA requires controllers to limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes disclosed to the consumer. Collecting more data than you need increases both your compliance burden and your risk: every extra field is something you must disclose, secure, and be able to find, correct, or delete on request.
Consumer Rights Processes
Consumers have the right to confirm whether a controller is processing their personal data and to access that data, to correct inaccuracies, to delete personal data, to obtain a portable copy of the data they provided, and to opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling that produces legal or similarly significant effects. Your business must have a process for receiving, verifying, and responding to these requests.
Consent for Sensitive Data
Consumer consent is required before processing sensitive personal data. Sensitive data covers information revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify an individual; precise geolocation data; and personal data collected from a known child (under the age of 13).
Data Protection Assessments
Businesses must conduct and document a data protection assessment for processing activities that present a heightened risk of harm, including targeted advertising, the sale of personal data, the processing of sensitive data, and certain forms of profiling. The Attorney General can request these assessments during an investigation, so they need to exist in writing before a demand arrives.
Data Security
Controllers must implement reasonable administrative, technical, and physical data security practices, appropriate to the volume and nature of the personal data they hold, to protect its confidentiality, integrity, and accessibility.
Responding to Consumer Requests
Once a controller receives a consumer request, it must respond without undue delay and no later than 45 days after receipt. A controller can extend the response period by a further 45 days when reasonably necessary, as long as it notifies the consumer of the extension and the reason within the initial 45-day period. If the controller declines a request, it must tell the consumer why and provide a way to appeal that decision. Building internal procedures to verify, track, and answer these requests on time is a critical part of staying compliant.
How the TDPSA Is Being Enforced
The Texas Attorney General has exclusive authority to enforce the TDPSA. The law does not provide a private right of action for individuals, but that does not mean enforcement is passive. In 2025, Texas demonstrated its intention to be an aggressive privacy legislator and regulator, a trend that is expected to continue in 2026.
On January 13, 2025, the Texas Attorney General filed the first-ever enforcement action under the TDPSA against insurance company Allstate and its subsidiary, Arity, alleging that the defendants unlawfully collected, used, and sold geolocation and movement data from Texans’ cellphones.
The Texas Attorney General also sent notices to more than 100 companies in 2024 for their apparent failure to register under the separate Texas Data Broker Act. These actions signal that businesses across Houston and the rest of the state face real regulatory consequences for noncompliance.
Before bringing an action, the Attorney General must give the business written notice of the alleged violation and a 30-day period to cure it. Noncompliance can result in civil penalties of up to $7,500 per violation, together with injunctive relief and the Attorney General's attorney's fees and investigation costs. Because a single practice can affect many consumers, penalties for widespread noncompliance can escalate rapidly. The 30-day cure period is not a substitute for proactive compliance; it is a last opportunity to fix problems before penalties attach.
Steps Houston Businesses Can Take Now
Whether your company is a growing startup in the Houston Heights or an established firm in Sugar Land, building a data privacy compliance program does not need to be overwhelming. The following steps can help you get started:
- Conduct a data inventory. Map out what personal data your business collects, where it is stored, who has access to it, and whether it is shared with or sold to third parties.
- Review and update your privacy notice. Make sure your website privacy policy accurately describes your data practices and includes all disclosures required under the TDPSA.
- Establish consumer rights procedures. Create a clear process for consumers to submit requests to access, correct, delete, or opt out of the processing of their data, and train your team to respond within the 45-day window.
- Implement consent mechanisms. If your business processes sensitive data, put opt-in consent processes in place that meet the TDPSA's strict definition of consent: a clear, affirmative act signifying a freely given, specific, informed, and unambiguous agreement. Acceptance of general terms of use, hovering over or closing a piece of content, or consent obtained through a dark pattern does not count.
- Honor universal opt-out signals. Since January 1, 2025, your website must recognize a universal opt-out mechanism such as the Global Privacy Control (GPC) signal sent by a consumer's browser and treat it as a request to opt out of targeted advertising and the sale of personal data, which in practice means not loading the advertising and data-sharing scripts that would perform that processing.
- Review vendor contracts. If you use third-party data processors, your contracts must include the data processing provisions required by the Act.
These steps provide a solid foundation, but every business is different. A compliance review tailored to your specific operations, industry, and data practices is the most effective way to identify and close any gaps.
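The following is an added illustration of the universal opt-out step above; it is example code written for this page, not code from the TDPSA, from Capstone Legal Strategies, or from any tag-management product. Browsers that support Global Privacy Control expose `navigator.globalPrivacyControl === true` and send the request header `Sec-GPC: 1`; the helper names, the purpose labels on each script tag, and the sample tag list are assumptions made for the example. It shows a site deciding which optional scripts may load, treating a GPC signal as an opt-out of targeted advertising and sale, and honoring the signal unless the consumer has confirmed a conflicting site-specific choice after being told of the conflict.

```javascript
// Added example (not from the original page): gating optional scripts on a
// Global Privacy Control (GPC) opt-out signal. Helper names, purpose labels and
// the sample tags below are illustrative assumptions.

// Processing purposes a universal opt-out signal covers under the Act.
const OPT_OUT_SCOPE = new Set(["targeted_advertising", "sale"]);

// True when the client has signalled GPC, via the browser API (nav) on the
// client side or via the "Sec-GPC: 1" request header on the server side.
function gpcSignalled({ nav = null, headers = {} } = {}) {
  if (nav && nav.globalPrivacyControl === true) return true;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc" && String(value).trim() === "1") return true;
  }
  return false;
}

// Decide which tags may load. Each tag is { src, purpose }. `consent` records a
// site-specific choice the consumer confirmed after being notified that it
// conflicts with the signal; absent that confirmation, the signal wins.
function allowedScripts(tags, { gpc, consent = {} }) {
  return tags.filter((tag) => {
    if (!OPT_OUT_SCOPE.has(tag.purpose)) return true; // outside opt-out scope
    if (!gpc) return true;                            // no signal: normal loading
    return consent[tag.purpose] === true;             // signal present: need confirmed choice
  });
}

// Browser side: insert only the permitted script tags and return their URLs.
function loadPermittedTags(tags, doc, nav, consent = {}) {
  const permitted = allowedScripts(tags, { gpc: gpcSignalled({ nav }), consent });
  for (const tag of permitted) {
    const el = doc.createElement("script");
    el.src = tag.src;
    el.async = true;
    doc.head.appendChild(el);
  }
  return permitted.map((tag) => tag.src);
}

// Server side: body for /.well-known/gpc.json, the GPC resource through which a
// site states that it honors the signal. `lastUpdate` is the date the policy changed.
function gpcWellKnown(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Constructed sample tag list (hostnames are placeholders, not real vendors).
const SAMPLE_TAGS = [
  { src: "https://example.com/analytics.js", purpose: "analytics" },
  { src: "https://ads.example.net/pixel.js", purpose: "targeted_advertising" },
  { src: "https://broker.example.org/sync.js", purpose: "sale" },
];

// When run in a real browser, gate the sample tags on the live signal.
if (typeof document !== "undefined" && typeof navigator !== "undefined") {
  loadPermittedTags(SAMPLE_TAGS, document, navigator);
}
```

The server-side check matters because server-rendered pages often inject advertising tags before any client script runs; checking `Sec-GPC` at render time keeps those tags out of the HTML rather than removing them afterwards. Logging the signal alongside the consumer's other opt-out requests also gives you the record you need if the Attorney General asks how a particular consumer's choice was honored.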
Protect Your Houston Business with a Data Privacy Compliance Plan
The TDPSA is not a future concern. It is in effect now, and enforcement is accelerating. Capstone Legal Strategies works with Houston-area businesses to evaluate data practices, draft compliant privacy policies, and build frameworks that reduce regulatory risk. Contact our office to schedule a consultation and take the first step toward a data privacy compliance program that fits your business.
