Texas means business
Texas is not waiting around on privacy enforcement. The Texas Data Privacy and Security Act (TDPSA) took effect July 1, 2024, and the state has already secured a settlement exceeding $1 billion in its first major enforcement action in 2025. For e-commerce businesses, Texas is arguably the most important state to get right — because the law applies more broadly than almost any other state privacy law.
Why TDPSA applies to more businesses
Unlike most state privacy laws that require processing data of 100,000+ consumers or meeting a revenue threshold, the TDPSA has no consumer count threshold and no revenue threshold. Instead, it applies to any business that:
- Conducts business in Texas or produces products/services consumed by Texas residents
- Is not a small business as defined by the SBA (that is, it generally has more than $8 million in annual receipts, depending on industry)
If you sell online and ship to Texas — which, as the second most populous state, is likely — and you're above the SBA small business threshold, the TDPSA probably applies to you.
Consumer rights under TDPSA
Texas consumers have the right to:
- Access their personal data
- Correct inaccuracies
- Delete their data
- Portability — obtain their data in a usable format
- Opt out of targeted advertising, sale of personal data, and profiling
You must respond to consumer requests within 45 days, with one 45-day extension available.
Universal opt-out: required since January 2025
As of January 1, 2025, businesses must recognize universal opt-out mechanisms like Global Privacy Control (GPC). This means if a consumer's browser sends a GPC signal, you must treat it as a valid opt-out request for the sale of personal data and targeted advertising.
For e-commerce businesses, this requires technical implementation — your website and any third-party scripts (analytics, advertising pixels, retargeting tools) must respect the GPC signal.
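The detection and gating described above, as an added example that is not from the original article: it reads the `Sec-GPC: 1` request header and the `navigator.globalPrivacyControl` property defined by the GPC specification, then filters a tag inventory before anything is loaded. The tag names, purpose labels, and the fail-closed handling of unclassified tags are assumptions made for illustration.

```javascript
// Added example: GPC detection plus tag gating.
// Tag names and purpose labels below are constructed, not from any real site.

// Server side: GPC arrives as the request header `Sec-GPC: 1`.
// Node lowercases header names; only the exact value "1" is a signal.
function gpcFromHeaders(headers) {
  const v = headers ? headers['sec-gpc'] : undefined;
  return typeof v === 'string' && v.trim() === '1';
}

// Client side: supporting browsers expose navigator.globalPrivacyControl.
// Browsers without GPC support leave it undefined, which is not an opt-out.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Either channel is enough to treat the visitor as opted out.
function isOptedOut(headers, nav) {
  return gpcFromHeaders(headers) || gpcFromNavigator(nav);
}

// Purposes the article says a GPC opt-out covers.
const OPT_OUT_PURPOSES = new Set(['targeted_advertising', 'sale']);

// Constructed inventory: every script on the site, classified by purpose.
const TAG_INVENTORY = [
  { name: 'cart-service', purposes: ['essential'] },
  { name: 'ad-pixel', purposes: ['targeted_advertising'] },
  { name: 'retargeting', purposes: ['targeted_advertising', 'sale'] },
  { name: 'analytics-with-ad-sharing', purposes: ['analytics', 'targeted_advertising'] },
  { name: 'unclassified-widget', purposes: [] },
];

// Returns the names of tags that may load for this visitor.
// Assumption: when opted out, a tag with no recorded purpose is blocked
// (fail closed) so an unaudited script cannot bypass the opt-out.
function tagsToLoad(inventory, optedOut) {
  if (!optedOut) return inventory.map((t) => t.name);
  return inventory
    .filter((t) => t.purposes.length > 0)
    .filter((t) => !t.purposes.some((p) => OPT_OUT_PURPOSES.has(p)))
    .map((t) => t.name);
}
```

Running `tagsToLoad` against the real tag inventory with `optedOut` set to true gives a list to compare with the network requests a GPC-enabled browser actually makes.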
The $1 billion enforcement signal
In 2025, the Texas Attorney General reached a settlement exceeding $1 billion — the largest privacy enforcement action by any state. While the specific target was a large technology company, the signal is clear: Texas is investing resources in enforcement and pursuing significant penalties.
The AG's office has indicated it will pursue businesses of all sizes that fail to comply with the TDPSA. The 30-day cure period provides some protection, but only if you act quickly when notified of a violation.
Data protection assessments
The TDPSA requires data protection assessments for:
- Targeted advertising activities
- Sale of personal data
- Processing for profiling purposes
- Processing sensitive personal data
- Any processing that presents a heightened risk of harm
For most e-commerce businesses, if you run targeted ads (Google, Meta, TikTok) or use retargeting, you need to conduct and document a data protection assessment.
The 30-day cure period
Texas provides a permanent 30-day right to cure. If the AG identifies a violation, you get 30 days to fix it before enforcement action. This is more generous than states like New Jersey or Maryland (no cure period), but 30 days moves fast when you need to change data practices across your entire operation.
Penalties
- Up to $7,500 per violation
- No private right of action — only the AG can enforce
- But given the $1B+ settlement precedent, penalties can be astronomical for large-scale violations
Practical compliance steps
Determine if TDPSA applies to you. Check your SBA size standard — if you're above the small business threshold for your industry and sell to Texas residents, assume it applies.
Implement GPC/universal opt-out. This is not optional as of January 2025. Test that your site correctly detects and honors GPC signals.
Audit your advertising stack. Every pixel, tag, and tracking script that shares data with third parties needs to respect opt-out signals.
Conduct data protection assessments. Document your targeted advertising, data sharing, and profiling activities.
Update your privacy policy. Texas-specific disclosures should be included.
Build consumer request workflows. Access, deletion, correction, and opt-out requests must be handled within 45 days.
Review vendor contracts. Ensure data processing agreements with your service providers comply with TDPSA requirements.
Monitor AG activity. Texas is actively investigating and enforcing. Stay current on enforcement trends and guidance.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.