Texas Data Privacy and Security Act (TDPSA) for Houston E-Commerce: 2026 Compliance Guide

TDPSA applies to a person or business that:

• Conducts business in Texas or produces products or services consumed by Texas residents, AND
• Processes or engages in the sale of personal data, AND
• Is not a small business under the SBA standard (with a notable exception for sale of sensitive data — small businesses are still prohibited from selling sensitive data without consent)

The small-business exemption is narrower than many Texas SMBs assume. If you sell sensitive data, the exemption disappears for that activity. Sensitive data includes: racial / ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, citizenship, genetic data, biometric data, geolocation data, children's data, and personal data from a known minor.

Texas consumers now have the right to:

• Confirm whether a controller is processing the consumer's personal data
• Access a copy of their personal data
• Correct inaccuracies
• Delete their personal data
• Obtain a portable copy in a usable format
• Opt out of: sale of personal data, targeted advertising, profiling that produces legal or significant effects

Controllers must respond to verifiable consumer requests within 45 days, with a possible 45-day extension. A consumer-rights request portal — or at minimum a documented intake email — is required.

Your privacy policy must include:

• Categories of personal data processed
• Purpose of processing
• Categories of data shared with third parties
• Categories of third parties
• How consumers can exercise rights
• How to appeal a denied request
• If selling personal data or processing for targeted advertising: clear and conspicuous disclosure plus opt-out mechanism

TDPSA requires a documented Data Protection Assessment (DPA) for any processing activity that presents a heightened risk of harm. The DPA documents the activity, the benefits, the risks, and the mitigations. Examples of activities requiring a DPA: processing sensitive data, selling personal data, processing for targeted advertising, profiling that produces significant effects.

The Texas AG can request DPAs in an enforcement investigation. Not having them is itself a violation.

TDPSA is enforced exclusively by the Texas Attorney General — there is no private right of action. Penalties: up to $7,500 per violation. Cure period: 30 days from notice (the AG can provide notice and a chance to cure before suing, but may also forgo it for 'willful or material' violations).

Through late 2025, AG enforcement priorities have focused on: lack of opt-out mechanisms, sale of sensitive data without consent, dark-pattern UI, and inadequate consumer-rights response procedures.

Data Inventory and Classification

• Map every system that stores Texas-resident personal data: e-commerce platform, CRM, email marketing, analytics, payment processor, support ticketing
• Classify data: identifiers, financial, health, biometric, geolocation, etc.
• Document retention period per data class and per system

Consumer Rights Workflow

• Intake form on website (or dedicated email)
• Identity verification process
• Standard operating procedure for response within 45 days
• Audit trail for every request

Cookie Consent and Opt-Out Mechanisms

• Compliant cookie banner (OneTrust, Cookiebot, Iubenda)
• Global Privacy Control (GPC) signal honored as opt-out
• Documented suppression list for marketing

Vendor Risk and Data Processing Agreements

• DPA in place with every third party that processes personal data on your behalf
• Vendor inventory updated annually
• Sub-processor disclosure

Security Controls

TDPSA requires "reasonable security practices". The Texas AG has indicated NIST CSF and CIS Controls v8 as benchmarks. See our cybersecurity services and ransomware insurance prerequisites for the related control set.

For Houston e-commerce and consumer-data businesses not yet TDPSA-compliant: prioritize the consumer-rights workflow and the privacy policy update first (the easiest items the AG checks externally), then deploy the technical controls. Total project: typically 90 days for a 25-100 employee company.

For broader Texas regulatory context: FTC Safeguards Rule, vCISO for FTC Safeguards, and the 2026 Texas SMB Benchmark Report.

• Houston managed IT
• The Woodlands managed IT
• Sugar Land managed IT
• Katy managed IT
• Galveston managed IT