Texas Privacy Law (TDPSA) Compliance Guide for Small Businesses
Texas TDPSA has no revenue threshold. It applies to any business processing data of 100,000+ Texas consumers annually, regardless of company size.
Texas Privacy Law (TDPSA): What Small Businesses Need to Know
The Texas Data Privacy and Security Act (TDPSA) took effect July 1, 2024, and applies to any business that processes the personal data of 100,000 or more Texas consumers annually — with no annual revenue threshold of any kind. This is the single most important fact about Texas privacy law and the reason TDPSA catches more nationally distributed Shopify merchants off guard than any other state law. The Texas Attorney General is the sole enforcement authority, with civil penalties of up to $7,500 per violation and a 30-day cure period before formal action can be brought. Texas is the second most populous state in the country — roughly 9% of the US population — which means national e-commerce stores often cross the consumer threshold without realizing it.
Does TDPSA Apply to My Business?
TDPSA applies to any person or business that conducts business in Texas or produces products or services consumed by Texas residents, and processes the personal data of 100,000 or more Texas consumers in a calendar year. There is also a secondary trigger: businesses processing data of 25,000 or more Texas consumers AND deriving 50% or more of gross revenue from selling personal data are in scope.
The threshold logic is OR — you only need to meet one. And critically, neither path includes a revenue floor. A $300,000-per-year e-commerce store can be subject to TDPSA on the same terms as a billion-dollar national brand if both reach the consumer count.
| Threshold | Texas TDPSA | CCPA/CPRA | Virginia VCDPA |
|---|---|---|---|
| Revenue | None | $25M+ | None |
| Consumer count | 100,000 | 100,000 | 100,000 |
| Data sale alternative | 25K + 50% | 50% revenue share | 25K + 50% |
| Threshold logic | OR | OR | OR |
The "consumer" definition in TDPSA covers any Texas resident acting in an individual or household context — not employees acting in a business context. But it does include browser visitors, email subscribers, account holders, and anyone whose data you process. Texas's population means a national store with 1.1 million annual unique US visitors will, on average, process data from over 100,000 Texas consumers.
There is one important exemption: TDPSA does not apply to "small businesses" as defined by the U.S. Small Business Administration, except with respect to the sale of sensitive personal data, which always requires opt-in consent regardless of size. The SBA's small business definition varies by industry, but for most retail and e-commerce categories, the threshold is around $9 million in average annual receipts. Verify your specific NAICS code with the SBA's size standards before relying on this exemption.
What Does TDPSA Require?
TDPSA grants Texas consumers a familiar set of rights and imposes corresponding obligations on covered businesses. The structure mirrors Virginia VCDPA closely, with a few Texas-specific touches.
Consumer rights you must honor. Texas consumers may request access to the personal data you hold about them, correct inaccurate data, delete personal data, obtain a copy in a portable format, and opt out of the processing of their data for purposes of targeted advertising, the sale of personal data, or profiling that produces legal or similarly significant effects. You must respond within 45 days, with a possible 45-day extension when reasonably necessary.
Disclosures you must publish. TDPSA requires a clear and accessible privacy notice that lists the categories of personal data you process, the purposes for processing, how consumers can exercise their rights and appeal denials, the categories of data shared with third parties, and the categories of those third parties. Texas law also requires a specific notice when you sell sensitive personal data or biometric data, using prescribed wording.
Operational practices you must implement. You must conduct data protection assessments for high-risk processing activities, including targeted advertising, sale of personal data, profiling that creates significant effects, and the processing of sensitive data. You must obtain opt-in consent before processing sensitive data categories. You must establish reasonable administrative, technical, and physical security practices to protect personal data — this is the "duty of care" requirement that has become a focus of post-breach AG investigations.
How TDPSA Affects Small Businesses
TDPSA is the law that catches the most Shopify merchants and direct-to-consumer brands by surprise, because the absence of a revenue threshold runs counter to most operators' mental model of who privacy laws apply to. The reasoning that "we're too small for this" — accurate under California CCPA's $25M threshold — does not hold under Texas law.
A practical example: consider a $1.8 million-per-year DTC apparel store running national Meta and Google ads. Texas accounts for roughly 9% of US e-commerce traffic. With 1.5 million annual unique sessions across the store, abandoned cart captures, and email signups, that store likely processes data from 130,000 to 140,000 unique Texas consumers in a calendar year. Under TDPSA, that store is in scope. Under CCPA, it almost certainly is not. The two laws look superficially similar, but the threshold mechanics produce dramatically different outcomes.
The second TDPSA dynamic worth understanding is sensitive data. TDPSA does not allow the SBA-small-business exemption to cover sales of sensitive personal data — that obligation applies regardless of size. If your store collects precise geolocation, biometric identifiers, or health information, opt-in consent is required even if everything else about TDPSA does not technically apply to you. Many small wellness, fitness, and supplement brands fall into this trap.
Finally, the 30-day cure period under TDPSA is an opportunity small businesses should not waste. If the AG sends a notice of violation, you have 30 days to fix the problem and respond in writing. Compliance after notice typically resolves the matter without civil penalties. Compliance before notice — through a documented program — avoids the situation entirely.
Key Differences from Other State Privacy Laws
Texas TDPSA differs from California CCPA/CPRA in three structural ways. First, it has no revenue threshold. Second, it has no dedicated privacy enforcement agency — the Texas AG handles enforcement directly, alongside other consumer protection responsibilities. Third, it grants no private right of action; Texas consumers cannot sue businesses directly for TDPSA violations, only the AG can bring enforcement actions.
Compared to Virginia VCDPA, the laws are functionally similar. Both lack a revenue threshold, both use the same 100,000 consumer count, both grant the same set of consumer rights, and both rely on the state AG for enforcement. The most notable Texas-specific difference is the SBA small business carveout, which Virginia does not have, and the explicit notice requirements for sales of sensitive and biometric data.
Compared to Connecticut CTDPA, Texas's threshold is higher (100,000 vs Connecticut's 35,000), so fewer mid-size businesses are in scope under TDPSA than under CTDPA. But Texas's larger population means the absolute number of in-scope businesses is comparable.
The most important comparison for SMB operators: Texas TDPSA's combination of "no revenue threshold + the country's second-largest state population" makes it the highest-impact privacy law for nationally distributed small e-commerce brands. More small businesses are in scope under TDPSA than under CCPA, despite California's reputation as the strictest privacy state.
How to Comply with TDPSA
If TDPSA applies to your business, the following compliance steps establish a baseline. They are listed in the order most efficient for execution.
- Confirm scope and the SBA exemption. Calculate your annual Texas consumer count from analytics, customer records, and email lists. Then check whether your business qualifies as a small business under the SBA size standards for your NAICS code. If you qualify and you do not sell sensitive data, you may be exempt from most TDPSA obligations.
- Update your privacy notice. The notice must list categories of personal data processed, purposes, third-party sharing categories, and instructions for exercising consumer rights. If you sell sensitive data or biometric data, include the prescribed notice language.
- Add opt-out mechanisms. Provide a clear opt-out for targeted advertising, sale of personal data, and profiling. The opt-out must be available through a method that is reasonably accessible to consumers.
- Build a consumer rights request workflow. Document how requests are received, how identity is verified, how requests are routed and fulfilled, and how the 45-day response deadline is tracked. Include an appeals process for denied requests.
- Implement opt-in consent for sensitive data. Before processing any sensitive personal data category — racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship status, genetic or biometric data, precise geolocation, or data of a known child — obtain affirmative opt-in consent.
- Conduct data protection assessments. For each high-risk processing activity (targeted advertising, sale, profiling, sensitive data processing), document the purposes, the data categories, the risks to consumers, and the safeguards you have in place.
- Document reasonable security practices. TDPSA's duty of care requires administrative, technical, and physical safeguards appropriate to the volume and nature of data you process. Document what you have in place — encryption, access controls, employee training, incident response.
- Monitor for AG notices and respond within 30 days. The cure period only protects you if you act within it. Establish a clear internal channel for legal notices.
TDPSA Enforcement and Penalties
The Texas Attorney General is the sole enforcement authority for TDPSA. There is no private right of action — Texas consumers cannot sue businesses directly. The AG may seek civil penalties of up to $7,500 per violation, plus injunctive relief and reasonable attorney's fees.
Before bringing an enforcement action, the AG must provide written notice of the alleged violation and a 30-day cure period. If the business cures the violation within 30 days and provides a written statement that the violation has been addressed, the AG may not bring an action for that specific violation. This cure period is a meaningful protection — it gives small businesses a clear path to avoid penalties by acting quickly when notified.
The AG has broad authority to investigate, including the power to issue civil investigative demands for documents and testimony. The Office of the Attorney General has stated publicly that TDPSA enforcement is a priority and has begun routine compliance sweeps of national e-commerce businesses serving Texas consumers.
Frequently Asked Questions
Does Texas TDPSA apply to small businesses?
Yes, with one important exception. TDPSA applies to any business processing data of 100,000+ Texas consumers annually with no revenue threshold — but it does not apply to businesses that qualify as "small businesses" under the U.S. Small Business Administration's size standards, except for the sale of sensitive personal data, which always requires opt-in consent. Verify your SBA size standard for your specific NAICS code before relying on this exemption.
What is the Texas TDPSA revenue threshold?
There is no revenue threshold in TDPSA. This is the single most important fact about this law. It applies based on consumer data volume only: 100,000+ Texas consumers processed annually, OR 25,000+ Texas consumers if you derive 50% or more of revenue from data sales.
When did Texas TDPSA take effect?
Texas TDPSA took effect July 1, 2024. The Texas Attorney General is responsible for enforcement, and there is a 30-day cure period before the AG can bring formal action against a business that has been notified of a violation.
What are TDPSA penalties?
The Texas Attorney General can seek civil penalties of up to $7,500 per violation. There is no private right of action — only the AG can enforce TDPSA. There is a mandatory 30-day cure period after the business receives notice of the alleged violation, during which a fix can prevent enforcement.
Does TDPSA apply to my Shopify store if I'm not based in Texas?
Yes. TDPSA applies based on where your consumers are located, not where your business is incorporated or operates from. If you process personal data from 100,000 or more Texas consumers in a calendar year — regardless of whether your business has any physical Texas presence — TDPSA applies.
What counts as processing 100,000 Texas consumers?
"Processing" includes any operation performed on personal data: collection, storage, use, sharing, or deletion. The 100,000 count includes Texas residents whose data appears in your CRM, email list, account database, abandoned cart records, and analytics — not just paying customers. It is a broader count than most operators expect.
This guide is for informational purposes only and does not constitute legal advice. Last updated: April 2026.