Data Privacy · TDPSA · Compliance May 11, 2026 8 min read

The Texas Data Privacy Act, one year in.

What twelve months of enforcement told us, and what mid-market companies are still getting wrong.

Practice areas this article covers: Texas Business Law, Corporate Governance

When the Texas Data Privacy and Security Act took effect on July 1, 2024, two predictions were widely made about what would happen next. The first was that the Attorney General's office would take an aggressive enforcement posture. Texas had positioned the TDPSA as one of the strongest state privacy regimes in the country, and loud rhetoric usually previews loud enforcement. The second prediction was that most covered businesses would treat compliance as a paperwork exercise. Update the privacy policy. Add a cookie banner. Designate someone. Move on.

A year in, the first prediction was wrong. The second was right. The Allstate lawsuit filed on January 13, 2025 is what happens at the intersection of the two, and it is the practical lesson of the law's first year.

The first year of enforcement looked nothing like the rhetoric

For most of the period from July 2024 through early 2025, AG enforcement under TDPSA looked closer to a quiet acclimation program than to an aggressive crackdown. Letters went out. Companies were given a notice-and-cure window to address discrete failures, most commonly a privacy policy missing a required disclosure, or a consumer rights request that had not been honored within the statutory window.

The TDPSA gives the AG a thirty-day cure period before action can be brought. The first year of practice suggested the office was using that period not as a procedural formality but as the center of its enforcement strategy. Companies fixed things. The matters closed. No litigation.

The Allstate matter changed the picture. On November 29, 2024, the AG issued Allstate a cure letter under the TDPSA's notice-and-cure provision. Six weeks later, on January 13, 2025, AG Ken Paxton filed suit in Montgomery County District Court against Allstate Corporation and its subsidiary Arity. The complaint alleged that Allstate had paid mobile app developers, including GasBuddy, to install an Allstate-developed software development kit into their applications, allowing Allstate to collect precise geolocation and movement data from more than 45 million Americans, which Allstate then sold to insurance carriers without obtaining the affirmative consent the TDPSA requires.

The matter was the first lawsuit filed by a state attorney general under a comprehensive state data privacy law. That framing matters. The AG was not merely testing the TDPSA. The AG was establishing a national precedent for what state-level privacy enforcement will look like.

For counsel watching closely, the signal was specific. The AG was prepared to move past acclimation and use the law's enforcement mechanisms to test what privacy compliance looks like in practice, not just what it claims to look like on paper. That is the gap the second year of TDPSA is going to litigate.

The small business exemption is narrower than most companies think

The TDPSA includes a small business exemption that excuses certain entities from the law's substantive obligations. The exemption is real. It is also narrower than most mid-market companies seem to believe.

The statutory text cross-references the federal definition of "small business" under the Small Business Administration's NAICS size standards. The right answer depends on the company's NAICS code, not a single revenue or headcount number. SBA thresholds vary widely by sector, from headcount caps in manufacturing to revenue caps in services. The ranges span $1 million to $40 million+ in revenue, or 100 to 1,500+ employees, depending on industry.

The mid-market trap looks like this. A company with $40 million in revenue, 150 employees, and significant consumer data collection (a SaaS firm, say, or a regional financial services business, or a healthcare-adjacent vendor) does not look intuitively like a "small business" to the people running it. The CEO assumes the exemption does not apply. The privacy policy gets drafted. The vendor management program gets built.

Under SBA NAICS standards, that same company may qualify as small for its specific industry code. The reverse trap is worse. A company that assumes it qualifies for the exemption based on intuition rather than its actual NAICS-based threshold may be operating under the wrong legal framework entirely. When the AG inquiry letter arrives, the exemption claim has to be documented. If it doesn't hold, the underlying compliance gaps are the real exposure.

One critical point: the small business exemption does not apply to the sale of sensitive personal data. Section 541.107 of the Texas Business & Commerce Code specifically maintains the prohibition on selling sensitive personal data without consumer consent, even for businesses that otherwise qualify as small under SBA standards.

Sensitive data is defined broadly, and includes precise geolocation, biometric data, health information, racial or ethnic origin, religious beliefs, and data from known minors. For any business whose digital operations touch any of those categories, which includes most consumer-facing technology businesses, the exemption is effectively narrower in practice than in headline summary.

The SBA's affiliation rules add another wrinkle. A standalone analysis of one entity's size is wrong if the entity has affiliates. Private-equity portfolio companies, for example, count all portfolio company sizes together for SBA threshold purposes. The analysis has to capture the full affiliation web.

The takeaway: every covered business in Texas should have a documented exemption analysis. Whether the answer is "we qualify" or "we don't," the analysis should be in writing, dated, and held by general counsel or the privacy officer.

"TDPSA theater" and the consent management gap

The first-year failure mode that defines enforcement risk is the one Chuck and Brian Elliott named on Episode 12 of the Y'all Street Law Podcast: TDPSA theater. A company publishes a privacy policy that lists, in detail, the rights of Texas consumers and the company's data practices. Behind the policy, the actual operational machinery does not match.

Three common patterns:

The privacy policy promises consumers a right to access their data. The actual data infrastructure cannot produce a coherent inventory of what is held about a specific consumer across the company's systems. A request comes in. The privacy team scrambles. Twenty-eight days later, the response is partial.

The privacy policy describes the company's consent management practices. The actual consent management user flow on the website serves a cookie banner that nobody reads, defaults every category to "on," and stores the consent record nowhere it could be reproduced if challenged. The policy and the practice describe different companies.

The privacy policy declares that the company does not sell personal information. The actual ad-tech integration on the site (Google Analytics, Meta Pixel, third-party retargeting) meets the TDPSA's broad definition of "sale of personal data," an exchange for monetary or other valuable consideration, or constitutes processing for targeted advertising, under most reasonable readings. The disclosure is wrong.

Each of these patterns is fixable. None of them is fixed by a privacy policy rewrite. They are fixed by aligning the company's actual operational practice with what its policy claims it does. The AG inquiries the first year produced suggest this alignment work is where second-year enforcement will focus.
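The third pattern above is the one that can be checked mechanically before an inquiry letter arrives: pull the rendered HTML of a page and list every third-party host it loads scripts or pixels from, then compare that list against what the privacy policy discloses. The following is an added example, not code from the original article or from any consent-management vendor. It scans an HTML string for `script`, `img` and `iframe` sources plus absolute URLs embedded in inline scripts (where pixel loaders usually hide), strips out first-party hosts, and labels the hosts it recognizes. The vendor table, the page hostname `example.com` and the sample HTML are all constructed for illustration; the table is a starting point, not an authoritative catalogue, and a real audit should also capture live network traffic, since tags loaded by a tag manager never appear in the HTML.

```javascript
// Added example (not from the original article). Static inventory of
// third-party script and pixel hosts in a page's HTML.

// Constructed vendor table: hostname suffix -> label. Extend for your stack.
const KNOWN_ADTECH_HOSTS = Object.freeze({
  "googletagmanager.com": "Google Tag Manager / gtag",
  "google-analytics.com": "Google Analytics",
  "connect.facebook.net": "Meta Pixel loader",
  "facebook.com": "Meta Pixel endpoint",
  "doubleclick.net": "Google Ads / DoubleClick",
});

// Collect candidate URLs: src attributes on script/img/iframe tags, plus any
// absolute URL inside an inline <script> body (pixel loaders set src from JS).
function extractUrls(html) {
  const urls = new Set();
  const srcRe = /<(?:script|img|iframe)\b[^>]*?\ssrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = srcRe.exec(html)) !== null) urls.add(m[1]);
  const inlineRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  while ((m = inlineRe.exec(html)) !== null) {
    const absRe = /https?:\/\/[^\s"'()<>]+/g;
    let u;
    while ((u = absRe.exec(m[1])) !== null) urls.add(u[0]);
  }
  return [...urls];
}

// Resolve relative and protocol-relative URLs against the page host so that
// "/static/app.js" and "//cdn.example.com/x" are classified correctly.
function hostOf(url, pageHost) {
  try {
    return new URL(url, "https://" + pageHost + "/").hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Return one finding per third-party URL: the host and, where recognized,
// the vendor label. Unrecognized third-party hosts still come back (vendor
// null) so they get reviewed rather than silently ignored.
function inventoryThirdParties(html, pageHost) {
  const findings = [];
  for (const url of extractUrls(html)) {
    const host = hostOf(url, pageHost);
    if (!host || host === pageHost || host.endsWith("." + pageHost)) continue; // first-party
    const key = Object.keys(KNOWN_ADTECH_HOSTS).find(
      (k) => host === k || host.endsWith("." + k)
    );
    findings.push({ url, host, vendor: key ? KNOWN_ADTECH_HOSTS[key] : null });
  }
  return findings;
}

// Constructed sample page: a gtag loader, a simplified stand-in for the Meta
// Pixel inline loader, a first-party script, a noscript pixel and a CDN image.
const SAMPLE_HTML = `
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date()); gtag('config', 'G-EXAMPLE');
</script>
<script>
  !function(f,b,e,v,n,t,s){/* constructed stand-in for a pixel loader */
  t=b.createElement(e);t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}
  (window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
</script>
<script src="/static/app.js"></script>
</head><body>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=000&ev=PageView&noscript=1"/></noscript>
<img src="//cdn.example.com/logo.png">
</body></html>`;

// Run it: three third-party findings, all recognized; the two first-party
// assets are dropped.
const SAMPLE_FINDINGS = inventoryThirdParties(SAMPLE_HTML, "example.com");
for (const f of SAMPLE_FINDINGS) {
  console.log(`${f.host}\t${f.vendor ?? "UNRECOGNIZED - review"}\t${f.url}`);
}
```

The output is the list to put beside the policy's "we do not sell" sentence. Every recognized host needs either a disclosure and a working opt-out, or removal; every unrecognized host needs someone to establish what it does.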

What to do now

For any Texas business that handles consumer data and is not a confirmed-exempt small business under the NAICS standards, the practical compliance reset is short.

Audit the privacy policy against actual data practice. Walk through every commitment in the policy and confirm it matches what the business does. Where there is a gap, fix the practice or amend the policy. Both choices are legitimate. The unacceptable answer is leaving the gap in place.

Test the consumer rights response process end-to-end. Submit a synthetic request. Run it through the actual workflow. Time it. Document it. If the company cannot honor an access request within the statutory window using its real systems, the policy commitment is unreliable.

Test the consent management flow. Open the site in an incognito browser. Walk through what a consumer experiences. Are the choices clear? Are the defaults defensible? Is the consent record stored and retrievable? If a consumer disputes a consent decision a year from now, can the company produce the record?

Document the exemption analysis if claiming one. If the company is operating under the small business exemption, the analysis supporting that claim should be in writing, with the specific NAICS code, the applicable SBA threshold, and the company's metric at the time of analysis. Update it annually.

Name the privacy contact and make sure the inquiry pipeline works. The AG sends letters. They go to general counsel addresses, registered agent addresses, or whatever the AG can find. If the company does not have a clear internal owner for those letters and a tested process for responding, the thirty-day cure clock starts before anyone in the company realizes a letter has arrived.

None of this is exotic compliance work. It is the difference between a compliance posture that survives an AG inquiry and one that does not.

Engagement

Texas-licensed corporate counsel for businesses navigating TDPSA compliance.

Privacy regulation now sits at the intersection of corporate governance, vendor management, marketing operations, and product engineering. The companies that handle TDPSA compliance well treat it as a board-level program rather than a privacy-officer task. That framing produces materially better outcomes when an AG inquiry letter arrives.

My practice covers the governance side, board-level privacy program design, vendor agreement diligence, response readiness for AG inquiries, and the documentation discipline that turns a compliance posture into a defensible record. The technical privacy implementation runs through trusted specialists; the legal and governance overlay runs through me.

The first conversation is fifteen minutes. It identifies whether the situation needs structural attention now or whether existing measures are sufficient.


Going deeper on this topic? Brian Elliott and I covered the TDPSA's first year, the Allstate matter, and the small business exemption mechanics on the Y'all Street Law Podcast, Episode 12: Texas Data Privacy Turns One.

Going deeper.

Questions I hear from Texas business owners and counsel on this topic.

When did the TDPSA take effect?

The Texas Data Privacy and Security Act (TDPSA), passed as HB 4 and signed into law by Governor Abbott on June 18, 2023, took effect on July 1, 2024. The universal opt-out mechanism, requiring covered businesses to honor browser-based opt-out signals like Global Privacy Control, became effective on January 1, 2025.

What did the Allstate lawsuit involve?

On January 13, 2025, the Texas Attorney General filed suit against Allstate Corporation and its subsidiary Arity in Montgomery County District Court, the first lawsuit filed by a state attorney general under a comprehensive state data privacy law. The complaint alleged that Allstate paid mobile app developers (including GasBuddy) to install an Allstate-developed software development kit, which collected precise geolocation and movement data from more than 45 million Americans nationwide. Allstate then sold that data to insurance carriers without obtaining the affirmative consent the TDPSA requires. The cure letter preceding the suit was issued November 29, 2024.

Does the small business exemption apply to my company?

The TDPSA cross-references the U.S. Small Business Administration's definition of "small business," which varies by NAICS industry code. Thresholds range from $1 million to over $40 million in revenue, or from 100 to 1,500+ employees, depending on industry. The right answer depends on your specific NAICS code, not a single revenue or headcount figure. The SBA's affiliation rules also apply: if your company has corporate affiliates, their size counts toward the threshold. A documented exemption analysis specific to your NAICS code is the only reliable way to determine whether the exemption applies.

What happens if my company sells sensitive personal data?

The small business exemption does not extend to the sale of sensitive personal data. Section 541.107 of the Texas Business and Commerce Code requires all businesses, including those otherwise qualifying as small under SBA standards, to obtain consumer consent before selling sensitive personal data. The TDPSA defines sensitive data broadly to include precise geolocation, biometric data, health information, racial or ethnic origin, religious beliefs, sexual orientation, citizenship status, genetic data, and data from known minors.

How long does the cure period last under the TDPSA?

The TDPSA provides a 30-day cure period from the date the Attorney General issues a notice of alleged violation. During this window, a covered business may correct the alleged violation without facing enforcement action or civil penalties. Civil penalties can reach up to $7,500 per violation if the cure period passes without resolution. The cure period is permanent; it has no sunset date, which makes it similar to Utah's privacy-law approach.

What does the universal opt-out requirement mean?

Since January 1, 2025, the TDPSA has required covered businesses to recognize and honor universal opt-out mechanisms, browser or device signals such as Global Privacy Control (GPC) that communicate a user's opt-out preference for data sales, targeted advertising, and certain forms of profiling. The signal must be honored automatically; the business cannot require a user to opt out separately for each purpose. Companies whose consent management platforms do not detect and honor GPC signals are out of compliance regardless of their privacy policy disclosures.
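Two of the operational gaps this article describes, the banner that defaults every category to "on" and stores its consent record nowhere reproducible, and a consent platform that never looks at the GPC signal, come down to a small amount of logic that is easy to get wrong. The following is an added example, not code from the original article or from any consent-management product. It shows how the signal is detected on both sides (the `Sec-GPC: 1` request header on the server, `navigator.globalPrivacyControl === true` in the browser, both from the GPC specification), how the signal overrides banner defaults for the opt-out categories, and what a consent record has to contain for the company to reproduce a consumer's state a year later. The category names, record field names, policy and banner version strings and the sample request are constructed for illustration and are not statutory terms.

```javascript
// Added example (not from the original article): GPC detection, precedence
// over banner defaults, and a reproducible consent record.

// Constructed category names. A GPC signal must switch these off regardless
// of what the banner defaulted to or what the consumer clicked.
const GPC_OPT_OUT_CATEGORIES = Object.freeze([
  "sale",
  "targeted_advertising",
  "profiling",
]);

// Server side. The GPC spec defines the request header "Sec-GPC: 1".
// Any other value, including "0" or "true", or absence, is not a signal.
// Header names are matched case-insensitively (Node lowercases them; a
// framework or proxy may not).
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Client side. Browsers and extensions that implement GPC expose
// navigator.globalPrivacyControl === true. Absence means "no signal",
// which is not the same as "opted in".
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Precedence: the signal forces the opt-out categories to false and leaves
// every other category (e.g. analytics) as the banner set it. The list of
// overridden categories is returned so the record shows the signal was
// honored, not merely observed.
function resolveConsent(bannerChoices, gpcSignal) {
  const effective = { ...bannerChoices };
  const overridden = [];
  if (gpcSignal) {
    for (const category of GPC_OPT_OUT_CATEGORIES) {
      if (effective[category] !== false) overridden.push(category);
      effective[category] = false;
    }
  }
  return { effective, overridden };
}

// The record to store. It captures what the consumer was shown (defaults,
// banner and policy versions), what they chose, what signal was present,
// what was enforced, and when. Drop any of these and the state cannot be
// reconstructed in a dispute.
function buildConsentRecord({ consumerId, policyVersion, bannerVersion,
  presentedDefaults, userChoices, headers, nav, now }) {
  const gpcSignal = gpcFromHeaders(headers) || gpcFromNavigator(nav);
  const { effective, overridden } = resolveConsent(userChoices, gpcSignal);
  return Object.freeze({
    consumer_id: consumerId,
    policy_version: policyVersion,
    banner_version: bannerVersion,
    presented_defaults: { ...presentedDefaults },
    user_choices: { ...userChoices },
    gpc_signal: gpcSignal,
    overridden_by_gpc: overridden,
    effective_choices: effective,
    recorded_at: now.toISOString(),
  });
}

// Canonical serialization (sorted keys, no whitespace) so the stored bytes
// are stable: the same record always serializes identically and can be
// compared or hashed later.
function canonicalize(value) {
  if (Array.isArray(value)) return "[" + value.map(canonicalize).join(",") + "]";
  if (value && typeof value === "object") {
    return "{" + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ":" + canonicalize(value[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}

// Constructed sample: a banner that defaults every category to "on", a
// consumer who clicked "accept all", and a request carrying Sec-GPC: 1.
const SAMPLE_DEFAULTS = Object.freeze({
  necessary: true, analytics: true, sale: true, targeted_advertising: true, profiling: true,
});
const SAMPLE_RECORD = buildConsentRecord({
  consumerId: "c-0001",
  policyVersion: "2025-01-01",
  bannerVersion: "3",
  presentedDefaults: SAMPLE_DEFAULTS,
  userChoices: { ...SAMPLE_DEFAULTS },
  headers: { "Sec-GPC": "1", "user-agent": "constructed" },
  nav: undefined,
  now: new Date("2025-01-15T12:00:00Z"),
});
console.log(canonicalize(SAMPLE_RECORD));
```

Even though the sample consumer clicked "accept all," the record shows sale, targeted advertising and profiling switched off with `overridden_by_gpc` naming all three, which is the automatic, per-signal honoring the FAQ describes. The example applies the conservative rule that the signal wins over the banner; whether a later, site-specific affirmative consent may override a signal is a question for counsel, not for the consent platform's defaults. The `canonicalize` step is what makes "can the company produce the record" answerable: the stored string for a given consumer and timestamp is the same string every time.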

What civil penalties can the AG seek under the TDPSA?

The Texas Attorney General has the exclusive authority to enforce the TDPSA. There is no private right of action. The AG can seek civil penalties of up to $7,500 per violation, in addition to injunctive relief. Penalties accumulate per violation. In cases involving large data sets, such as the Allstate matter, where the complaint alleges violations affecting more than 45 million Americans, that can produce substantial aggregate exposure even at the per-violation cap.

What should our board be doing now?

For boards of covered Texas businesses, the practical sequence is: (1) confirm whether the small business exemption applies via a documented NAICS-based analysis; (2) audit the published privacy policy against actual data practices and reconcile any gaps; (3) test the consumer rights response process end-to-end on a synthetic request; (4) confirm that the consent management platform recognizes GPC signals; (5) designate a named privacy contact with authority and confirm the AG inquiry pipeline works; (6) document the program in board minutes so the compliance posture is defensible if challenged.


If your business handles consumer data, the documentation discipline matters.

Fifteen minutes is enough to identify whether your TDPSA posture would survive an AG inquiry, and what to fix if it would not.

This article is general information based on publicly available sources as of the publication date and is not legal advice for any specific situation. Outcomes depend significantly on the specific facts, entity structure, and timing involved. AG guidance, regulatory positions, and case law continue to develop. Consult qualified legal counsel before making decisions that affect your specific situation. Chuck Kraus is licensed in Texas, Minnesota, and Alberta.