The Texas Data Privacy and Security Act turned one year old in July 2025. Chuck and Brian unpack what happened, and what didn't. The TDPSA's small-business exemption (borrowed from the SBA) carved out most of Texas. The Attorney General has exclusive enforcement, with a 30-day cure window. Twenty-four letters issued, one lawsuit filed, against Allstate, the first state-AG enforcement of a comprehensive privacy law in the country. Plus the three playbooks businesses are using (ignore, copy-and-pray, build lightweight privacy) and why complying with California's CCPA gets you 90% of the way to Texas compliance.
Businesses doing business in Texas (or targeting Texans) that either process personal data of 50,000+ consumers, or earn 25% or more of their revenue from selling personal data. Small businesses (per the SBA definition, generally under 500 employees) are exempt.
The right to access, correct, delete, and port personal data. The right to opt out of data sales. The right to opt out of targeted advertising and profiling. Plus the right to be informed about how data is collected and used, via clear privacy notices at the point of collection.
Exclusively by the Texas Attorney General. There is no private right of action. The AG must give 30 days' notice and an opportunity to cure before bringing an enforcement action. Penalties run up to $7,500 per violation, which can scale rapidly across thousands or millions of affected consumers.
The first major state-AG enforcement under a comprehensive data privacy law in the United States. The AG alleges Allstate collected ultra-precise location data via embedded code in apps including Life360, then sold that data to third parties without affirmative opt-in consent, clear privacy notices at collection, or an opt-out mechanism. Allstate Corporation was dismissed for lack of jurisdiction; the case continues against subsidiaries.
Companies already compliant with CCPA are roughly 90% compliant with TDPSA. GDPR is the high watermark globally. Most large corporations were already broadly compliant with CCPA and GDPR before TDPSA passed, which is why TDPSA hasn't required wholesale privacy policy rewrites.
Mostly no, but there are nuances around definitions (what counts as 'selling' data, what is a 'sensitive' data category) that vary by state. Design to the strictest applicable standard (typically CCPA in the U.S., GDPR globally), then map state-by-state variations to your specific business model.
Understand what data you collect, know where it lives, and document what you do with it. Provide clear privacy notices at collection points. Make opt-out easy and honor it. Don't post a privacy policy that says something different from what you actually do; that's worse than not having a policy at all.
Currently, no. The TDPSA, CCPA, and GDPR all cover personal data of natural persons (i.e., humans). Pet DNA testing companies and similar services are not regulated under existing consumer privacy frameworks.
Lightly edited from auto-transcription, ad reads removed, paragraphs grouped, speakers attributed via heuristic. For exact attribution, listen on Apple Podcasts, Spotify, or via the embedded player above.
Brian Elliott: It's all about giving consumers, you know, the notice of what you're doing with the data. And often they will, you know, gladly sacrifice a little bit of privacy for a lot of convenience. Learn more at scalefirm.com. One year ago, Texas passed a data privacy law, supposedly to protect our personal information and bring some clarity to how companies handle data.
Chuck Kraus: So did it change anything or was it just political theater? You're listening to Y'all Street Law. I'm Chuck Krause, and today we're breaking down the Texas Data Privacy and Security Act with my co-host and resident GC Whisperer, Brian Elliott. Brian, welcome back.
Brian Elliott: Always a pleasure, Chuck. Glad to be here. So before we get into whether this law worked out or not, I want to give you a solid two minutes to flex. What exactly is the Texas Data Privacy and Security Act?
Chuck Kraus: Okay, great. Yeah, let's jump into it. This is a comprehensive state data privacy law that was passed. I guess it was passed in late 2023.
Brian Elliott: It was effective as of July 2024. So one year ago, right? So that's why we're revisiting it now. We're going to see, you know, what one year into the Data Privacy Act brought us.
Chuck Kraus: But before we do that, let's just do a refresher on some of the major points, right? So the law applies. It's the Data Privacy Law. It applies to any business that is doing business in Texas or targeting Texans if they process personal data of 50,000 or more consumers or if 25% or more of their revenue comes from selling personal data.
Brian Elliott: It controls the right of consumers to access, correct, delete, and port their data. It allows consumers the right to opt out of data sales. It addresses targeted advertising and profiling. And it imposes duties on businesses to limit the collection of data that's only necessary for a specifically disclosed purpose.
Chuck Kraus: That's why we have privacy policies on websites and we make disclosures when we collect data. If you are a data processor, it means that you handle data on behalf of another business. You have to follow instructions. You have to fulfill a consumer's request and you have to make sure that your subcontractors are also following the same rules.
Brian Elliott: Thank you. Also, the Texas Data Privacy and Security Act requires that you perform a data protection assessment before you do anything high risk, like targeted advertising using collected data information or the processing of sensitive data. Importantly, in Texas, the enforcement of the Texas Data Privacy and Security Act is exclusive to the Attorney General. There is no private right of action.
Chuck Kraus: So different from, for example, California, and we'll talk a little bit about California, but different from other data privacy acts, the AG is the only entity that is permitted to bring an action under the Texas Data Privacy Act, and they must give a 30-day notice, an opportunity to cure before they do it. And we'll talk about specific instances of how that plays out. Interesting. I have a number of questions.
Brian Elliott: First, a comment, though. It's clear this isn't your first rodeo. I think we'll need to just link to the full bill in the show notes for anyone who wants to fully geek out. But just one question on it, I think you mentioned at the outset that the bill was really going after entities that do business in Texas that intuitively, I think that's a clear test.
Chuck Kraus: But you said also targeting Texans. What does that mean? So this is an issue that is often talked about in data privacy legislation, especially where we have this state-by-state patchwork of data privacy laws, right? Does the law have extraterritorial jurisdiction, right?
Brian Elliott: Can California or Texas pass a law that governs what a business in Illinois or Virginia can do with respect to the citizens of Texas or Texans' data, right? And the answer to that is, we'll see. And one of the examples we'll talk about is the Allstate case that happened this year that really starts to go down that path. But basically, when we say targeting Texans, this is in order to control an entity that's set up anywhere in the world that is processing data that belongs to the citizens of Texas.
Chuck Kraus: Got it. Got it. Got it. Okay.
Brian Elliott: So it's been a year. What happened? Yeah. Well, so, you know, the short answer is not a whole lot, right?
Chuck Kraus: And there are a couple of reasons for that. One is that, you know, the big tech companies and, you know, most mature businesses in general have already been compliant with California's CCPA and CPRA. And they're already, if applicable, compliant with GDPR. And the Texas law didn't move material boundaries away from those two laws.
Brian Elliott: So if you are already compliant or materially compliant with GDPR and CCPA, generally, you're going to also be compliant with the Texas Data Privacy Act. There are some nuances and we can talk about that. But so it wasn't this huge shift in, you know, everybody has to rewrite their privacy policies and change their technology when this law came into effect.
Chuck Kraus: Right. Also very important for Texas is that it's a pro-business law. And there are a few reasons why it's called a pro-business law.
Brian Elliott: But one of them is that it exempts small business from the application. And the law borrows the definition of small business from the SBA. So whatever qualifies as a, quote, small business under the SBA rules is exempt from the Texas law. So in general, some benchmarks that are often used is fewer than 500 employees.
Chuck Kraus: But we talked about the thresholds that are applicable here. Those thresholds are still going to apply. But for the majority of businesses, if you're not a, you know, a huge business that is collecting, you know, hundreds of thousands of data records, this law just may not apply to you. So the short answer is many businesses just simply ignore the Texas law.
Brian Elliott: Yeah, that's a huge exemption. I would imagine you could probably count the number of businesses with more than 500 employees much easier than you could the number with fewer than 500, just in terms of the sheer volume. Yeah, exactly. And that's why there hasn't been this, you know, tidal wave of enforcement. There have been no big fines.
Chuck Kraus: There hasn't been like this huge activity based on it, because really this law was was addressed. And I think you brought it up in the preamble. Was it just legislative theater? Right.
Brian Elliott: It was a a law that was introduced because this was the trend. Everybody is passing these data privacy laws. We have to protect the consumers. But then the the real teeth of the bill are stripped out when it exempts the majority of businesses in Texas.
Chuck Kraus: And and there's no private right of action. So only the AG can bring an enforcement action, which means it's going to be based on, you know, state priorities and not necessarily, you know, the day to day actions are taking place with consumer data. And so has the AG done anything under this under this law? Yeah.
Brian Elliott: So it's not a complete sleeper. There have been a couple of things. After the bill was passed and before it became effective, the AG sent out 100 letters to two different organizations to, you know, put them on notice that the bill is coming and you're going to be required to, you know, follow the new regulations in Texas. And that if they needed to register as a data broker, which is a different law.
Chuck Kraus: It's chapter 509. But if you need to register as a data broker, then you can do that as well, and that would be a requirement. But specifically tied to the Texas Data Privacy Act compliance, there have been a couple of dozen letters that the AG has sent out, and they haven't made a big splash about most of these, but they're available on the AG website, and you can see press releases about some of them and things like that. And what they do is they're putting these businesses on notice that there is a suspected violation of the Texas Data Privacy Act and giving them 30 days to cure the alleged defect in their process.
Brian Elliott: And what we've heard is that, or because we haven't heard follow-up from many of those, nothing's really happened past that, there is one exception, and we can talk about that, that has matured into an actual enforcement, and that was the Allstate case. And in this one, in November of 2024, the AG sent Allstate a letter that said, you know, we think that you are mishandling consumer auto data. And basically the allegation is, they were collecting, they were using technology that was embedded into other apps like Life360 and things like that to collect ultra precise location, not driving location. And then they were using that driving location of Texas consumers to sell to other companies and inform insurance decisions and things of that nature.
Chuck Kraus: I think all the insurance companies use it, you opt in, they offer you, you know, a discount for good driving behavior. They're then tracking your acceleration, where you're going, you're braking. But I guess the other side of that is, is potentially using all that information, monetizing it and selling it to, to others that, that may be interested in selling you something because they can see you drive past their, their location, you know, five times a day. Yeah.
Brian Elliott: I mean, like data is the, is the new oil, right? That's what they say. Right. So it's, it's good.
Chuck Kraus: If there's a way to monetize it, people are going to figure out a way to do it. And these are, these are among the allegations in the Allstate case is that, you know, the AG says that, you know, they, they collected and processed this sensitive data without affirmative opt-in consent from the consumers. Right. And they didn't have clear privacy notices at the point of data collection.
Brian Elliott: Right. And then they, they didn't offer a clear opt-out mechanism. Once the, you know, if a consumer became aware that this data was being collected, there was no clear way to opt out of it. And then of course, the, the big, like, the, I don't know.
Chuck Kraus: is that they sold the data to third parties without disclosing the fact that they were doing it. And so not to say that any of those things are wrong in and of themselves or illegal in and of themselves. It has to do with, I guess, the informed consent of the customer whose data this is, that they were agreeing affirmatively for these actions to take place. It's all about giving consumers, you know, the notice of what you're doing with the data and often they will, you know, gladly sacrifice a little bit of privacy for a lot of convenience, right?
Brian Elliott: That's been the trend. So the burden is on the business to make sure you're providing adequate consent and opportunity to opt in and disclosures at the point of collection so that consumers know what's going on. What is Allstate saying as a response to this enforcement action? Let's deal with that one first.
Chuck Kraus: Yeah, I mean, so this action was brought against Allstate and four or five subsidiary companies that do various things, including data collection. So Allstate came out, as they came out swinging with a broad answer, motions to dismiss and things like that, saying, among other things, that a large amount of what is being accused in this Texas action is preempted by federal law, the Fair Credit Reporting Act. And they sought a motion to dismiss on that basis, which wasn't successful, but they did win a motion to dismiss for two of the entities, including Allstate Corporation, on a lack of jurisdiction. So we talked about this and the extraterritorial application of the law.
Brian Elliott: Here, Allstate Corporation said, no, you don't get us, because we, the parent corporation, Allstate, weren't materially involved in the collection of this data. It was a subsidiary. So, you know, we don't otherwise, you know, have jurisdiction in the state of Texas, so you can't sue us here under state law. And the court agreed with that. The court also dismissed the primary data subsidiary, the one that the AG accused of being the data collector in this situation, for lack of jurisdiction. The AG is now appealing the subsidiary's dismissal but is not appealing the Allstate Corporation's dismissal, essentially acknowledging that this headline-grabbing event, which was published back in January, you know, Ken Paxton is the first state AG to bring a comprehensive enforcement action under a data privacy act, against Allstate, grabbed headlines and everybody talked about it, but then Allstate Corporation was dismissed from the lawsuit pretty quickly. So not an open and shut case by any means. Yeah, no, not at all. But, you know, so the case continues. There are two aspects of it. One aspect is on appeal about the dismissal due to jurisdiction of the subsidiary company, and then discovery is going forward on the other parts of it. I think part of it is fascinating, right, when you see what's going on. I'm just going to pull up one of the pleadings in the case. This is Allstate's response to what the AG is doing here, and if you just bear with me, I'm going to quote the opening paragraph from it. Allstate says: in rushing to bring the first enforcement action ever filed by a state attorney general to enforce a comprehensive data privacy law, the state prioritized splashy headlines over factual accuracy. The state's
petition is riddled with errors and false statements and relies on improper group pleading to obfuscate critical differences among the defendants. Had the state properly investigated the basis for its claims, it would have realized they were meritless. Right. Instead, the state sallied forth with its misguided case. And they go on to explain really the procedure here. What happened is that the state, you know, issued this notice. The defendants, the Allstate group of companies, claim that they engaged with the AG and provided hundreds of documents and responses to all their questions, as they're required to do, and they offered to meet on an ongoing basis with the AG to explain that you've got it wrong, right? The things that you think we're doing, we're not doing. You've accused us of mishandling the data and not providing notices and not getting opt-in, but we have done these things, right? But the AG, you know, quote, sallied forth anyway and put forward this lawsuit without, the defense says, properly investigating the claims.
Chuck Kraus: So we'll see. I mean, this is, it's in discovery now. We'll see how it all shakes out. And this is more than just sort of court of public opinion, right?
Brian Elliott: There's just real penalties behind, uh, these, these laws potentially. Yeah. Potentially, you know, it's a, it's a, on a, on an incident by incident, uh, fine that could be assessed on an incident by incident basis. So if you've got, you know, it's, you know, $7,500 per violation, and if there are, you know, millions of potential consumers that are affected by it, that those numbers can get very high, very quickly.
Chuck Kraus: So it's no, it's no, uh, joke, but it's also not something that, um, you know, that because of the broad exemptions and, um, and, and the fact that, that most of what, what's included in the Texas data privacy law is already included in the California CCPA and the GDPR that, you know, most major corporations are already in compliance with. It probably isn't, uh, incrementally a big concern. It's fascinating. I mean, I, I have to imagine practically, you see this with other legislation that's brought forward with it, you know, there's, there's often a, um, a situation or a case that, that they're trying to address with new legislation.
Brian Elliott: So I can imagine there was some sort of list already, um, in the works, right. And Allstate was on it, uh, and maybe, you know, potentially other companies who were, you know, the initial targets of this law. But what about, you know, switching gears, what about the rest of the business community? If you're not one of those companies that, you know, was on this list from day one, um, how are other companies in the business community at large?
Chuck Kraus: How are, how are you counseling clients to respond to this? Yeah. Well, I mean, there, there are three, three basic playbooks, right? Like in, in the first case, you can ignore it if you're below the thresholds and if you're otherwise exempt, right?
Brian Elliott: So if, if you're not collecting, you know, data of 50,000 Texas consumers, you can largely ignore it. You know, that's, that's the easy way to say it. Uh, there are ways that there are reasons that you probably don't want to ignore it, especially if you're scaling fast. Um, but then the, the second approach that, that a lot of companies take is they steal a template and they pray, right?
Chuck Kraus: So they go and they scrape off somebody else's privacy policy. They adopt it often without even changing the names of the place that they put it from, they just repost it. And they say, that's, it's going to be good enough. If it was good enough for competitor X, it's good enough for my company.
Brian Elliott: And they post it without really even tying it back to their actual practices, or whether or not, you know, it discloses the things that they're doing, right? And then the third way is, you know, to really pay attention to these rules and to build a lightweight privacy approach, right? Like you don't need to be, you know, winning any awards for the most privacy-focused organization, but you probably do need to be aware.
Chuck Kraus: And being aware means a couple of things. It means understanding, you know, what data you're collecting, how you're using it, where that data is stored, having a mechanism for responding to consumer inquiries when they say we want to opt out or we want to invoke our right to be forgotten, you know, to be able to have a mechanism then to erase that data or take it off of the places where it's listed. Yeah, interesting. So I guess the companies that are using it strategically, the third bucket.
Brian Elliott: Um, really potentially turning compliance into a growth weapon, right? Look, everybody wants to, like, if you can come out and say, we are addressing this, we put your privacy front and center. You know, Apple did this recently. They came out with an entire advertising campaign.
Chuck Kraus: They're the most secure. The most private iPhones are more private than other things and things like that. And if you can do that, I mean, yeah, I mean, the consumers have a positive reaction to it. So you can use it as a growth tool.
Brian Elliott: Um, the other thing it does, though, is also if you have embedded, um, a privacy standpoint, uh, from the outset, um, it doesn't slow you down. So it's not like you have to keep tripping over each state's trip wires when the next state, you know, develops their rule, or a new action comes out in California or something. If you've got privacy embedded by design, you can just continue to accelerate and move faster. Which I imagine you must really need to do because, you know, ultimately, um, if you're going to build the system, you're going to build it for the high watermark, whatever the regulatory high watermark is, that's what you're going to need to comply with.
Chuck Kraus: So how do you, you know, how do companies that operate in multiple states practically think about this in terms of, you've got the Texas Data Privacy and Security Act, you've got the CCPA, you've got, um, GDPR, you know, you've got this big exemption in Texas, you know, so what, given California, given European regulations, you know, am I really off the hook or do I still need to do all of this? Just, I don't have to worry about Texas as much because I have fewer than 500 employees. Yeah, exactly. This is exactly how companies are thinking about it.
Brian Elliott: And I think it's smart to say, look, what's the most important, most burdensome regulatory environment that we need to comply with? Comply with that one and everybody else falls in place. There are going to be some nuances through there, right? Like, on a state-by-state basis, what is categorized as, you know, selling data? The definition of, you know, sell versus transfer versus assignment, is it sold to a third party, is it commercial? Different states are going to have different, uh, nuanced versions of that, but the principles are basically the same, and if you're in the United States, complying with the CCPA, generally you're going to be in compliance with everything else. That's not to say you shouldn't also be aware of, you know, the Illinois biometric data law and other things, but generally, if you comply with the big one, you're going to be basically in compliance with many. So it sounds like California is not a complete overlap, but if you're dealing in data, you're clearly familiar with the California law, uh, or need to be, uh, and it sounds like compliance with that will get you a long way towards compliance with, um, Texas at least. Yeah, for sure. And I think the way I look at it with my clients is you look at this scale, uh, not only of, you know, the volume of data that you're collecting, but also the sensitivity, right? As you move into more sensitive data, you know, health information, personal financial information, um, you know, the sensitive personal information like, uh, religious affiliation, political affiliation, uh, things like that, um, that's when you're going to want to, you know, put a little bit more effort into it and think about, are we really in full compliance across all the states that we operate in? Um, but if what you're doing is, uh, something less than that and you are collecting data for a limited purpose, like, for example,
because you sell a widget on an e-commerce website and you collect the data, like, you know, the shipping address, for the purpose of doing it, and the credit card information goes through your payment provider, you don't collect the payment information. You want to make sure that you're vigilant that you're using a reputable payment provider that will process that appropriately, but you probably don't need to be as concerned if all you're doing is collecting, um, you know, some web data on a, uh, relatively minor scale compared to, you know, health-related information, you know, financial information, account numbers, and things of that nature. Yeah, yeah. What about pets? Do any of these laws extend to, you know, there's all sorts of companies offering pet DNA testing. Is that information covered by these laws, or so far do the laws only cover human, uh, privacy data? Yeah, that's a, uh, that's a great one. Uh, we'll have to look into that and get back to you. I, uh, I haven't heard of that being a major issue, but if that's something that's of interest to your clients, Chuck, we're glad to dig into that. All right, what's, uh, looking forward, what do you predict is next for the Texas Data Privacy and Security Act? Yeah, I think that, look, this is going to be a creature of state priority, right? So to the extent that the Texas AG office gets a bug in its ear that it needs to, you know, consumer sentiment or something, some big event happens, you can see more enforcement.
Chuck Kraus: But because it's limited by, you know, state budgets and the limited attention that the AG's office can give you, I think will have continued enforcement, but it's going to be spotty like it has been over the last year. Maybe some more letters will go out, but I would expect that the majority of issues related to Texas will be resolved without lawsuits and continuing enforcement action. I think, you know, every year we talk about whether or not the U.S. Congress is going to pass a preemptive federal law.
Brian Elliott: Every time it's floated out there, people get all excited about it. They think it's going to be this big thing and it hasn't materialized yet. I am skeptical that it's going to be anytime soon. There are other national priorities.
Chuck Kraus: It doesn't seem to be a priority of the current administration and the current makeup of Congress. So I think that's on the back burner for now. And then I think, you know, in terms of where we are in data privacy, we've got, you know, we've got time under our belt, you know, people have dealt with some of these issues already. You know, the small stuff has been, you know, ferreted out over the last couple of years.
Brian Elliott: And I think, you know, developers and builders are taking privacy as a, you know, from the outset, you know, privacy by design more seriously. So it's becoming less of an issue because of the attention that it's been given over the last decade. Yeah. But if you're a, you know, if you're a GC of a company handling data across 10, you know, 10 different states, you know, what's your life like right now in light of this new law?
Chuck Kraus: Yeah, I think it's, it's understand the differences between all the states as it applies to your company, right? Dig in where your company is dealing with sensitive data or non-typical, like anything more than just the basic collection of web information, right? But design to the strictest standard, right? Design to the CCPA and that'll get you 90% of the way there.
Brian Elliott: And then you can focus on just what the differences are that apply to your company. Got it. All right, Brian, uh, we're almost 30 minutes in. I think it's time for some, some, uh, some conclusions, some hot takes calls to calls to action.
Chuck Kraus: So taking a step back, do you think, was this law real, fake, for show, or something in between? I think it was, um, it's a PR win, right? I mean, this is something that made headlines when it was enacted.
Brian Elliott: It allowed the AG to take a victory lap. I think that ultimately, we'll wait and see about the actual practical enforcement effect of it. It probably lands somewhere in between, but it certainly was a PR win, that's for sure. All right.
Chuck Kraus: Next, so what do you think founders and GCs should do now differently, if anything? This is, it comes down to this. It's very simple. Understand the data that you're collecting, right?
Brian Elliott: And I say it's simple. That can be difficult because data can be in a lot of places that are not intuitively thought of, right? But understand the data that you're collecting, know where it is within your systems, understand what your organization is doing with it, and then follow the basic rules. Make it easy for people to opt out, disclose exactly what you're doing with the data, what you're collecting and what you're doing with it, and really stop copying and pasting privacy policies.
Chuck Kraus: Fair enough. So you don't, you're not recommending the 40-page GDPR playbook, but you are recommending, you need to really understand how this applies to your particular company. I got to tell you, I've given that advice to boards and executive teams in so many different situations. It's refreshing to hear that it applies here too.
Brian Elliott: The worst thing you could do is adopt a policy and not follow it. It's not only the worst thing you can do, it's actively detrimental. And we see it over and over again. It's worse to have a policy that says something that you don't do than to not have a policy at all.
Chuck Kraus: Just, you know, just make sure that when you post something publicly that says, here's how we're, how we're treating data and this is what we commit to doing with it, that you're doing those things. It sounds simple. Uh, in practice, uh, it's a little bit more elusive, I guess. Yeah.
Brian Elliott: I think sometimes you, you move, you move faster than your brain. Uh, and I guess that's the, uh, that's the warning is, is stop and be, be thoughtful about these things. Okay. Perfect place to leave it, Brian.
Chuck Kraus: Um, first, happy birthday to the Texas Data Privacy and Security Act. Um, you're not quite walking yet, but we'll keep watching. Uh, this has been Y'all Street Law. I'm Chuck Krause and he's Brian, and we will catch you next time.
Brian Elliott: See y'all later. Thanks for tuning in to the Scale LLP Y'all Street Law podcast. We hope you enjoyed today's episode and found it valuable.