Texas AG Has Investigated 100+ Companies Under the TDPSA

The Texas Attorney General’s office has investigated more than 100 companies under the Texas Data Privacy and Security Act since the law took effect in July 2024. The first enforcement lawsuit was filed in January 2025. Civil penalties run up to $7,500 per violation, and with no regular legislative session until 2027, the AG’s office is setting the compliance standard through enforcement actions alone.

If your business collects personal data from Texas residents through a website, CRM, email marketing, or intake forms, these investigations are directly relevant to you.

What the AG Has Done So Far

The TDPSA gave the Texas Attorney General exclusive enforcement authority over the state’s data privacy law. No private lawsuits, no class actions. The AG’s office is the sole enforcer, and it has been busy.

More than 100 investigations have been opened since the law became enforceable. The first lawsuit, filed in January 2025, signaled that enforcement has moved past initial warnings to formal legal action. The AG’s focus areas have been specific and consistent:

• Data collection transparency. The AG is examining whether businesses clearly disclose what personal data they collect, why they collect it, and who they share it with. Vague or outdated privacy policies are a primary target.
• Handling data from vulnerable populations. Under the SCOPE Act, which amended the TDPSA, businesses that process data from minors face additional scrutiny. The AG has prioritized cases involving children’s data.
• Failure to honor opt-out signals. Since January 2025, Texas law requires websites to recognize Global Privacy Control (GPC) browser signals. The AG has investigated companies that ignore these signals while continuing to serve targeted advertising.

The penalty math is straightforward. Each violation can carry a civil penalty of up to $7,500, and each affected consumer counts as a separate violation. A company that mishandles data for 200 customers faces potential exposure of $1.5 million.

Sources: Texas Attorney General TDPSA page, Holland & Knight analysis, Measured Collective enforcement tracker

Five Obligations the AG Is Enforcing

The TDPSA’s requirements break down into five areas that every covered business must address. Here is what each one means in practice.

1. Privacy policy updates. Your privacy policy must list every category of personal data you collect, explain why you collect it, identify the third parties you share it with, and tell consumers how to exercise their rights. A boilerplate privacy policy from 2020 does not satisfy this. If your policy fails to mention categories like browsing data, device identifiers, or purchase history, and you collect those, you are out of compliance.

2. Opt-out mechanisms for data sales and targeted advertising. Consumers must have a clear way to opt out if you sell personal data or use it for targeted advertising. This applies even if you do not think of what you are doing as “selling” data. Sharing customer data with advertising platforms or analytics providers in exchange for services can qualify as a sale under the TDPSA.

3. Honoring Global Privacy Control signals. Your website must detect and respect GPC signals from visitors’ browsers. When someone visits your site with GPC enabled, your consent management system must automatically suppress targeted advertising cookies and data-sharing tags. This has been required since January 2025, and it is one of the most common gaps the AG has flagged.

4. Responding to consumer data requests within 45 days. Texas residents can request access to, correction of, or deletion of their personal data. Your business must respond within 45 days, with one 45-day extension if necessary. You need internal systems to receive these requests, verify the requester’s identity, locate all relevant data, and deliver or delete it within the deadline.

5. Using the 30-day cure period effectively. When the AG identifies a violation, your business gets 30 days to fix the problem before penalties apply. That sounds generous, but only if you can actually remediate within that window. Businesses that lack a data inventory or do not know where personal data lives across their systems will struggle to cure violations in time.

No Legislative Session Until 2027 Changes the Calculus

Texas holds regular legislative sessions every two years. The next one does not convene until January 2027. That means the TDPSA as written today, with no amendments or additional exemptions, is the law your business will be measured against through at least mid-2027.

This matters for two reasons. First, there is no opportunity for the legislature to soften requirements or add exemptions for small businesses. The TDPSA does not include a revenue threshold or employee count minimum that shields smaller companies. If you conduct business in Texas and process personal data, the law applies to you. Second, the AG’s office has nearly two years of enforcement runway with a stable regulatory framework. They are building precedent through investigations and lawsuits right now, not waiting for new rules.

For Texas SMBs, compliance is not something you can defer until the law “settles.” The law has settled. The AG is enforcing it.

What to Do This Week

If you have not started TDPSA compliance work, these are the highest-priority steps.

Audit your privacy policy. Compare what your policy says against what your business actually does with personal data. If your CRM collects email addresses, your website runs analytics cookies, or your marketing team uses retargeting pixels, your privacy policy needs to disclose all of it. Update the policy to list specific data categories, processing purposes, and third-party recipients.

Check your website for GPC compliance. Open your site in a browser with Global Privacy Control enabled (Firefox supports it natively, and extensions are available for Chrome). Check whether your site’s tracking behavior changes when GPC is active. If your analytics and advertising tags still fire normally, your implementation is not working.

Inventory your data processing activities. Map where personal data enters your business, where it gets stored, who has access, and which third parties receive it. This inventory is the foundation for responding to consumer requests within the 45-day window and for completing the data protection assessments the TDPSA requires.

Review your vendor agreements. If you share personal data with SaaS providers, marketing platforms, or other processors, check that your contracts include the data processing terms the TDPSA requires. Your vendors need to support consumer deletion and access requests when you pass them through.

Build your response process. Decide who in your organization will handle consumer data requests, how they will verify the requester’s identity, and what tools they will use to locate and compile the requested data. Test the process before a real request arrives.

We published a detailed TDPSA compliance checklist earlier this month that walks through each requirement with specific action items. If you are starting from scratch, that checklist provides the full implementation roadmap.

The Enforcement Trajectory Points One Direction

The Texas AG has moved from investigation to litigation in under a year. Over 100 companies have faced scrutiny, the first lawsuit established that formal action is on the table, and $7,500-per-violation penalties make non-compliance expensive at scale. With no legislative changes possible until 2027, the current enforcement posture is the enforcement posture for the foreseeable future.

For most Texas businesses, data protection and privacy compliance is a technical project as much as a legal one. The privacy policy updates, GPC implementation, data inventory, and consumer request infrastructure all require technical expertise to implement correctly. If your IT provider understands compliance requirements, they can help you close the gaps the AG is actively investigating.