While generally considered a business-friendly state, Texas is taking an increasingly important role in regulating how U.S. companies use their information technology.
Over the past few years, Texas has adopted path-breaking new data privacy and AI laws with potentially broad impacts for businesses—including those in the Midwest—that have Texas customers, and its attorney general is actively enforcing these laws in the marketplace. As the second-largest economy in the U.S., it’s time for businesses to pay more attention to what is happening in the Lone Star State or face potentially stiff fines and/or legal action.
The Broad Scope of the Texas Data Privacy and Security Act
In June 2023, Texas became the tenth U.S. state to adopt a comprehensive data privacy law, the Texas Data Privacy and Security Act (TDPSA).
The law generally follows its predecessors in its disclosure requirements and consumer rights, but it breaks new ground in how it defines the law’s scope. While most state privacy laws apply only to companies that process large volumes of consumer data—in Virginia, Kentucky, and Indiana, for example, the “applicability threshold” is 100,000 consumers—the TDPSA applies to companies processing any amount of personal information.
What that means for you in practice is that, unless your business falls under the law’s narrow small business exemption, any Texas consumer whose information you collect while in the process of using your product or service may have the right to correct and delete their data, opt-out of processing of their data, and more.
Active Enforcement of the TDPSA
In addition to a privacy law with an unusually broad scope, Texas also has an attorney general’s office that is actively monitoring business activity and enforcing the TDPSA.
In early 2025, for example, the Texas attorney general sued an auto insurance company for allegedly tracking Texas consumers’ driving habits. Notably, the complaint alleged that the insurer and its affiliates violated the TDPSA by collecting sensitive driver information without obtaining drivers’ consent, and failing to give consumers the right to opt-out of the “sale” of their personal information to third parties. Because the TDSPA authorizes up to $7,500 in penalties per violation, the insurer’s potential exposure is significant.
Just a couple of weeks ago, the attorney general of Texas issued a press release touting his office’s enforcement activities in the tech sector. The release stated:
“Texas is the watchdog for the nation’s privacy rights and freedoms, and I will continue doing all I can to protect Texans from new threats to their personal data and digital security.”
It’s hard to miss the message being sent to companies doing business in Texas: It’s time to take complying with Texas’s laws seriously.
Taking the Lead on AI Regulation
Earlier this year, Texas became one of the first U.S. states to adopt a law regulating generative artificial intelligence, when it passed the Texas Responsible Artificial Intelligence Governance Act (TRAIGA). Following the guidance of the Organization for Economic Cooperation and Development (OECD), the law defines an “AI system” as a machine-based system that makes statistical inferences from inputs to produce outputs.
The law requires state agencies and health care providers to disclose their use of AI systems to consumers who interact with it. And like the European Union’s AI law, TRAIGA prohibits deploying AI systems for certain sensitive activities. AI cannot be used, for example, to manipulate humans into harming themselves or committing crimes or to discriminate against consumers based on protected characteristics such as their race, color, national origin, or sex. State agencies are prohibited from using AI to develop “social scores” for consumers.
TRAIGA gives the attorney general broad authority (including large civil penalties) to enforce the law and creates a “Texas Artificial Intelligence Council,” whose duties include ensuring that AI systems are “ethical and developed in the public’s best interest.”
What Does This Mean for My Business?
When it comes to privacy, AI, and other issues involving consumer data, businesses can’t afford to ignore what’s happening in Texas. Here are a few simple questions you can ask and answer now to prevent legal headaches down the road:
- Do you currently have customers who reside in Texas? Any Texas consumer whose information you process may have rights against you under the TDPSA.
- If the answer is yes, have you put in place the processes you need to appropriately respond to their requests to exercise their TDSPA rights?
Does your privacy policy include TDSPA-compliant disclosures? While the TDSPA’s disclosure requirements generally track those of other state privacy laws, the law contains a few quirky provisions that may apply to your processing. And, depending on the technology you are using to deliver your services, the AI Act might require Texas-specific AI disclosures.
