Texas Data Privacy and Security Act (TDPSA) for Houston E-Commerce: 2026 Compliance Guide

The Texas Data Privacy and Security Act (TDPSA) took effect July 1, 2024. By 2026, the Attorney General has begun enforcement. What Houston e-commerce and consumer-data businesses need in place.

01

Introduction

The Texas Data Privacy and Security Act (TDPSA) took effect July 1, 2024, making Texas the eleventh US state with a comprehensive consumer-data privacy law. Through the back half of 2025, the Texas Attorney General's office moved from guidance issuance into active enforcement, including investigations and at least one publicly disclosed settlement. By 2026, Houston e-commerce, retail, healthcare-adjacent, and consumer-data businesses must be in compliance.

This is the practitioner's view of TDPSA scope, the rights consumers now have against your business, the documentation you need on file, and the technical controls a Houston MSP deploys to support compliance.

02

Who TDPSA Applies To

TDPSA applies to a person or business that:

  • Conducts business in Texas or produces products or services consumed by Texas residents, AND
  • Processes or engages in the sale of personal data, AND
  • Is not a small business under the SBA standard (with a notable exception for sale of sensitive data — small businesses are still prohibited from selling sensitive data without consent)

The small-business exemption is narrower than many Texas SMBs assume. If you sell sensitive data, the exemption disappears for that activity. Sensitive data includes: racial / ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, citizenship, genetic data, biometric data, geolocation data, children's data, and personal data from a known minor.

03

Consumer Rights Under TDPSA

Texas consumers now have the right to:

  • Confirm whether a controller is processing the consumer's personal data
  • Access a copy of their personal data
  • Correct inaccuracies
  • Delete their personal data
  • Obtain a portable copy in a usable format
  • Opt out of: sale of personal data, targeted advertising, profiling that produces legal or significant effects

Controllers must respond to verifiable consumer requests within 45 days, with a possible 45-day extension. A consumer-rights request portal — or at minimum a documented intake email — is required.

04

Required Disclosures

Your privacy policy must include:

  • Categories of personal data processed
  • Purpose of processing
  • Categories of data shared with third parties
  • Categories of third parties
  • How consumers can exercise rights
  • How to appeal a denied request
  • If selling personal data or processing for targeted advertising: clear and conspicuous disclosure plus opt-out mechanism

05

Data Protection Assessments

TDPSA requires a documented Data Protection Assessment (DPA) for any processing activity that presents a heightened risk of harm. The DPA documents the activity, the benefits, the risks, and the mitigations. Examples of activities requiring a DPA: processing sensitive data, selling personal data, processing for targeted advertising, profiling that produces significant effects.

The Texas AG can request DPAs in an enforcement investigation. Not having them is itself a violation.

06

Enforcement Posture

TDPSA is enforced exclusively by the Texas Attorney General — there is no private right of action. Penalties: up to $7,500 per violation. Cure period: 30 days from notice (the AG can provide notice and a chance to cure before suing, but may also forgo it for 'willful or material' violations).

Through late 2025, AG enforcement priorities have focused on: lack of opt-out mechanisms, sale of sensitive data without consent, dark-pattern UI, and inadequate consumer-rights response procedures.

07

Technical Controls a Houston MSP Deploys

Data Inventory and Classification

  • Map every system that stores Texas-resident personal data: e-commerce platform, CRM, email marketing, analytics, payment processor, support ticketing
  • Classify data: identifiers, financial, health, biometric, geolocation, etc.
  • Document retention period per data class and per system

Consumer Rights Workflow

  • Intake form on website (or dedicated email)
  • Identity verification process
  • Standard operating procedure for response within 45 days
  • Audit trail for every request
  • Compliant cookie banner (OneTrust, Cookiebot, Iubenda)
  • Global Privacy Control (GPC) signal honored as opt-out
  • Documented suppression list for marketing
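
The following is an added example, not code from the original article or from any MSP or vendor it names. It sketches the backend side of the workflow above for a Node.js e-commerce site: the `Sec-GPC: 1` header is treated as an opt-out of sale and targeted advertising and feeds the suppression list, each rights request is opened with the 45-day deadline and at most one 45-day extension, and every step is written to an append-only audit trail. The request-type names, the in-memory stores, and the use of calendar days for the deadline are assumptions; a real deployment would persist the trail and suppression list durably.

```javascript
// Added example (not from the article): minimal consumer-rights intake helpers
// for a Node.js backend. Request types, stores and field names are assumptions.

const MS_PER_DAY = 24 * 60 * 60 * 1000;
const RESPONSE_DAYS = 45; // statutory response window; calendar days assumed

// Request types the article lists as consumer rights (labels are ours).
const REQUEST_TYPES = new Set(["confirm", "access", "correct", "delete", "portable", "opt-out"]);

const auditLog = [];               // constructed in-memory audit trail
const suppressionList = new Set(); // consumer IDs excluded from sale / targeted ads

// Append one immutable audit entry and return it.
function record(requestId, event, detail = {}) {
  const entry = { requestId, event, at: new Date().toISOString(), ...detail };
  auditLog.push(entry);
  return entry;
}

// GPC-capable browsers send `Sec-GPC: 1`; anything other than the literal "1"
// is treated as "no signal". Header names are compared case-insensitively
// because web frameworks differ in how they normalize them.
function gpcSignalPresent(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Honor a GPC signal as an opt-out: add the consumer to the suppression list
// and log it, so marketing and ad integrations can be checked against it.
function applyGpcOptOut(consumerId, headers) {
  if (!gpcSignalPresent(headers)) return false;
  suppressionList.add(consumerId);
  record(`gpc:${consumerId}`, "opt-out-via-gpc");
  return true;
}

// Open a rights request with the 45-day deadline measured from receipt.
function openRequest(requestId, consumerId, type, receivedAt) {
  if (!REQUEST_TYPES.has(type)) throw new Error(`unknown request type: ${type}`);
  const received = new Date(receivedAt);
  const req = {
    requestId, consumerId, type,
    receivedAt: received,
    deadline: new Date(received.getTime() + RESPONSE_DAYS * MS_PER_DAY),
    extended: false,
    verified: false,
    status: "open",
  };
  record(requestId, "received", { type });
  return req;
}

// Identity verification must be recorded before data is released or deleted.
function markVerified(req, method) {
  req.verified = true;
  record(req.requestId, "identity-verified", { method });
  return req;
}

// A single 45-day extension is allowed; a second attempt is rejected.
function extendOnce(req, reason) {
  if (req.extended) throw new Error("only one 45-day extension is permitted");
  req.extended = true;
  req.deadline = new Date(req.deadline.getTime() + RESPONSE_DAYS * MS_PER_DAY);
  record(req.requestId, "extended", { reason, newDeadline: req.deadline.toISOString() });
  return req;
}

// Close a request only once identity has been verified.
function closeRequest(req, outcome) {
  if (!req.verified) throw new Error("cannot close an unverified request");
  req.status = "closed";
  record(req.requestId, "closed", { outcome });
  return req;
}

// True when an open request has passed its (possibly extended) deadline.
function isOverdue(req, now) {
  return req.status === "open" && now.getTime() > req.deadline.getTime();
}

// Constructed sample usage.
applyGpcOptOut("cust-42", { "Sec-GPC": "1", "User-Agent": "example" });
const sample = openRequest("req-1", "cust-42", "delete", "2026-01-10T00:00:00Z");
markVerified(sample, "email-link");
console.log(sample.deadline.toISOString(), auditLog.length);
```

The deadline math is done in UTC milliseconds so it is unaffected by local daylight-saving changes; if your SOP counts days differently (for example excluding the day of receipt), adjust `openRequest` and keep the choice documented in the audit trail.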

Vendor Risk and Data Processing Agreements

  • DPA in place with every third party that processes personal data on your behalf
  • Vendor inventory updated annually
  • Sub-processor disclosure

Security Controls

TDPSA requires "reasonable security practices". The Texas AG has indicated NIST CSF and CIS Controls v8 as benchmarks. See our cybersecurity services and ransomware insurance prerequisites for the related control set.

08

Where to Start

For Houston e-commerce and consumer-data businesses not yet TDPSA-compliant: prioritize the consumer-rights workflow and the privacy policy update first (the easiest items the AG checks externally), then deploy the technical controls. Total project: typically 90 days for a 25-100 employee company.

For broader Texas regulatory context: FTC Safeguards Rule, vCISO for FTC Safeguards, and the 2026 Texas SMB Benchmark Report.
