Texas's comprehensive data privacy law takes effect June 1, 2026, applying to businesses that process personal data of 100,000+ Texas residents or derive 25%+ of revenue from selling personal data.
The Texas Data Privacy and Security Act (TDPSA) takes effect June 1, 2026. The law applies to businesses that conduct business in Texas or produce products or services consumed by Texas residents AND either (1) process the personal data of 100,000 or more Texas consumers per year, or (2) process the personal data of 25,000 or more Texas consumers and derive more than 25% of gross revenue from selling personal data. Small businesses as defined by the U.S. Small Business Administration are exempt from some provisions but not all. If you are unsure whether the law applies to your business, consult with a privacy attorney or contact Segler.Net for an assessment.
The Texas DPSA imposes several key requirements on covered businesses. Privacy notice requirements: businesses must provide consumers with a clear privacy notice describing what personal data is collected, how it is used, and with whom it is shared. Consumer rights: Texas consumers have the right to access their personal data, correct inaccurate data, delete their data, obtain a copy of their data, and opt out of the sale of their personal data and targeted advertising. Data protection assessments: businesses must conduct data protection assessments for processing activities that present a heightened risk of harm to consumers. Data security: businesses must implement reasonable security practices to protect personal data.
The Texas Attorney General has exclusive authority to enforce the Texas DPSA — there is no private right of action, meaning individual consumers cannot sue businesses directly for violations. However, the AG can seek civil penalties of up to $7,500 per violation. Before initiating an enforcement action, the AG must provide businesses with a 30-day cure period to correct violations. This cure period provision makes it especially important to have your compliance program in place before June 1, 2026 — if you receive an AG inquiry, you will have 30 days to demonstrate compliance.
With less than three months until the effective date, Texas businesses should take the following steps immediately. First, conduct a data inventory to understand what personal data you collect, how you use it, and with whom you share it. Second, update your privacy notice to include all required disclosures. Third, implement mechanisms for consumers to exercise their rights including access, correction, deletion, and opt-out requests. Fourth, review your data sharing arrangements with third parties and update contracts as needed. Fifth, implement or document your data security practices. Segler.Net can assist with the technical aspects of compliance including data security implementation and privacy notice updates.