A Frisco Business Owner’s TDPSA Wake-Up Call

Picture a growing Frisco practice—maybe a boutique gym, a dental office, or a local SaaS company. The owner is focused on growth, payroll, and keeping customers happy. Somewhere in the background, their systems quietly collect email addresses, payment info, appointment history, and login data from clients all over Texas.

One day, a customer emails asking, “What data do you have on me, and how are you using it? I heard about this new Texas privacy law.” That simple question exposes a reality: the business doesn’t have a clear inventory of data, a documented way to respond to privacy requests, or a plan for what happens if a vendor has a breach.

TDPSA is designed for exactly this moment. It assumes that personal data is a regulated asset, not just a byproduct of doing business. The good news: with the right plan, you can bring your business into alignment without shutting down operations. The rest of this guide walks through what TDPSA is, who it applies to, the rights it grants consumers, and how to harden both your processes and your insurance strategy.

1. What Is the Texas Data Privacy and Security Act?

The Texas Data Privacy and Security Act (TDPSA) is a statewide privacy law that governs how businesses collect, use, store, and share personal data belonging to Texas residents. It applies whether a business is headquartered in Texas or simply markets products or services that reach Texas consumers. The law gives people new rights over their personal information and places new duties on businesses that process that information.

Most provisions of TDPSA became effective on July 1, 2024. The law is enforced exclusively by the Texas Attorney General, who can investigate potential violations and pursue civil penalties up to $7,500 per violation. Businesses typically receive notice and a 30-day opportunity to cure alleged violations, but that window is not meant to replace a real privacy and cybersecurity program.

Official information and consumer complaint instructions are available on the Texas Attorney General’s TDPSA page .

TDPSA is broader than many people expect. It is not limited to social media platforms or advertising giants. If your company operates in Texas, markets to Texas residents, or processes their personal data, you may be covered unless a specific exemption applies. To understand how this data risk sits alongside other business exposures, it can help to review related concepts like cyber liability, data breach, and identity theft.

TDPSA’s cure period is a safety valve, not a strategy. Regulators still expect businesses to build privacy and cybersecurity into their regular operations.

2. Who Must Comply and What Counts as Personal Data?

TDPSA applies broadly to individuals and entities that process or sell personal data and either conduct business in Texas or produce products or services consumed by Texas residents. In practical terms, that includes a wide range of retailers, service providers, SaaS platforms, contractors, and professional practices across the state.

If your business handles personal data from Texas residents and is not specifically exempt, it is wise to assume TDPSA applies. That can include:

• Retailers collecting customer emails, addresses, or phone numbers for marketing or order fulfillment.
• Medical or wellness practices that store patient or member data alongside payment details.
• Contractors and trades that use customer addresses, photos, and project notes in apps or cloud tools.
• E-commerce sites processing payments and shipping orders to Texas residents.
• Professional services firms (CPAs, attorneys, consultants) storing client documents and communication history.
• Technology companies tracking user behavior for analytics, personalization, or targeted advertising.

Certain entities are exempt, including state agencies, nonprofits, higher education institutions, financial institutions covered by Gramm-Leach-Bliley, and HIPAA-covered entities. Small businesses, as defined by the U.S. Small Business Administration, are generally exempt from many TDPSA obligations—but even they must obtain consent before selling sensitive personal data.

What Counts as “Personal Data” Under TDPSA?

TDPSA defines personal data broadly as any information that is “reasonably linkable” to an identified or identifiable person. That includes obvious identifiers and less obvious digital signals that can be tied back to an individual.

• Names, postal addresses, phone numbers, and account usernames.
• Email addresses, customer profiles, and loyalty program IDs.
• Payment details, transaction history, and purchase patterns.
• Browsing behavior, cookie IDs, IP addresses, and mobile advertising IDs.
• Biometric identifiers (fingerprints, facial scans, voiceprints).
• Health information and precise geolocation data.
• Sensitive data related to race, ethnicity, pregnancy, religion, or minors.

Regulators and industry observers expect heightened scrutiny around biometric, location, and children’s data because of rapid growth in AI tools, wearables, and connected devices. If your business already deals with complex physical risks and carries general liability insurance or a business owner’s policy (BOP), TDPSA adds another layer of exposure—centered on data rather than just physical property or bodily injury.

3. Consumer Rights, Common Mistakes, and Small Business Realities

TDPSA gives Texas residents several rights related to their personal data. Covered businesses must have real, working processes to honor those rights within statutory timeframes.

Core Consumer Rights Under TDPSA

• Right to Access: People can request confirmation that you are processing their personal data and request a copy.
• Right to Correct: Individuals can request correction of inaccurate information in your systems.
• Right to Delete: People may request deletion of data collected about them, subject to lawful exceptions.
• Right to Opt Out: Individuals can refuse certain processing for targeted advertising, profiling, or the sale of personal data.
• Right to Data Portability: In many cases, consumers can receive their data in a portable and usable format.
• Right to Appeal: Businesses must offer an appeal process when a request is denied and communicate how to use it.

Failure to respond on time, or to provide a meaningful appeal process, exposes your business to regulatory attention and reputational damage—especially if complaints pile up online or with the Attorney General.

Common TDPSA Mistakes and Myths

• Myth #1: “We’re too small for this to matter.”
  Many owners assume only big tech companies need to worry about privacy laws. In reality, TDPSA is designed to reach a wide range of businesses that process personal data, including lean teams in Frisco and North Texas that rely heavily on cloud tools.
• Myth #2: “Putting a privacy policy on our website is enough.”
  A privacy notice is only one requirement. TDPSA expects you to actually do the things your notice promises—track data, delete it when required, honor opt-outs, and keep systems reasonably secure.
• Myth #3: “Our IT vendor handles all of this.”
  Vendors are important, but TDPSA looks to the business that controls the data. You may share responsibility with vendors, but you do not hand it away. Contracts, oversight, and incident cooperation all matter.
• Myth #4: “We don’t sell data, so we’re in the clear.”
  TDPSA covers a wide range of processing activities beyond selling data. Simply storing, analyzing, or sharing personal data with service providers can create obligations.

How TDPSA Affects Small & Mid-Size Businesses

Many Texas small and mid-size business owners assume privacy laws only impact large technology firms. TDPSA challenges that assumption. If your company stores customer or employee information—which nearly every organization does—you need to know whether you qualify as a small business under SBA rules and what obligations still apply.

In practice, most TDPSA-ready businesses implement:

• A clear, easily accessible privacy notice on your website and relevant apps.
• Data retention and deletion procedures that match what your privacy notice promises.
• A documented process for receiving and responding to consumer privacy requests.
• Consent mechanisms for collecting and using sensitive personal data.
• Contracts with vendors that handle personal data, including security and incident reporting duties.
• Cybersecurity safeguards appropriate to your size and risk profile, including backups and monitoring.

4. Penalties, Breach Scenarios, and Where Cyber Insurance Fits

TDPSA enforcement happens through the Texas Attorney General’s Office. Investigations may focus on your privacy notices, your handling of consumer requests, your consent practices for sensitive data, and the reasonableness of your security measures.

Penalties for Non-Compliance

Violations under TDPSA can include:

• Failure to honor access, correction, deletion, or opt-out requests.
• Missing, incomplete, or misleading privacy notices.
• Collecting or selling sensitive data without appropriate consent.
• Inadequate administrative, technical, or physical security measures.

Penalties can reach $7,500 per violation, and the Attorney General may seek injunctions requiring operational changes and ongoing oversight. There is no private right of action under TDPSA—consumers cannot sue you under this law alone—but public enforcement and local news coverage can be far more damaging to small businesses than the legal process itself.

For a broader look at how Texas regulates insurance products and carriers, you can review the Texas Department of Insurance topic page.

How Cybersecurity Intersects With TDPSA

TDPSA requires businesses to use reasonable administrative, technical, and physical security practices. The statute intentionally leaves room to scale expectations based on business size and risk—but that does not mean “anything goes.” Regulators and insurers generally view the following as baseline controls for most modern organizations:

• Multi-factor authentication (MFA) on remote access, email, and key systems.
• Encryption of sensitive data at rest and in transit where practical.
• Strong access controls with least-privilege permissions and prompt offboarding.
• Documented incident response plans and periodic tabletop exercises.
• Vendor security assessments and contract clauses addressing data protection and breach cooperation.
• Regular patching, vulnerability management, and logging.
• Employee cybersecurity training and phishing simulations.

Businesses that already carry professional liability insurance or a BOP should consider how their cyber posture and TDPSA readiness look to underwriters. Strong controls can sometimes lead to better terms or more favorable options when shopping cyber insurance.

Why Cyber Insurance Matters in a TDPSA World

TDPSA does not require cyber insurance, but it raises the stakes of any data breach or privacy failure. A single incident can generate:

• Forensic IT costs to investigate attack vectors and restore systems.
• Customer notification expenses, mailing costs, and call center support.
• Credit monitoring or identity theft protection for impacted individuals.
• Regulatory defense costs and potential penalties where insurable.
• Business interruption losses while systems are down or limited.
• Public relations and crisis communications support to repair reputation.

Cyber insurance is not a replacement for TDPSA compliance. Instead, it acts like a financial shock absorber while you repair systems, respond to regulators, and reassure your customers and partners.

To explore options designed for Texas organizations, including retailers, professional practices, and growing SaaS companies, visit the Cyber Insurance quote page .

5. A Practical TDPSA Readiness Checklist for Texas Businesses

Use this checklist as a starting point to build or strengthen your TDPSA program. For complex environments or high-risk industries, consider involving legal counsel and specialist vendors.

1. Update your privacy notice.
   Clearly describe what personal data you collect, why you collect it, how long you keep it, who you share it with, and how people can use their TDPSA rights.
2. Create a rights request workflow.
   Document how you receive, verify, and respond to access, correction, deletion, and opt-out requests—plus how appeals are handled.
3. Map and minimize data.
   Inventory where personal data lives (systems, vendors, spreadsheets) and delete what you no longer need, consistent with legal and tax requirements.
4. Handle sensitive data with extra care.
   Confirm where you collect or process biometrics, precise location, health-related details, or minors’ data, and implement explicit consent and stronger security for those categories.
5. Strengthen cybersecurity basics.
   Enable MFA, tighten access control, patch systems regularly, and rehearse your incident response plan. Treat this as non-negotiable, not “nice to have.”
6. Align vendor contracts.
   Update agreements with processors and service providers to address security standards, incident reporting, cooperation during investigations, and data return or deletion at the end of the relationship.
7. Train your people.
   Educate staff on privacy obligations, social engineering risks, and how to escalate suspicious activity or privacy-related complaints.
8. Review your insurance stack.
   Assess how cyber insurance interacts with coverages like your business owner’s policy and general liability insurance, and confirm what types of cyber events and regulatory claims are included or excluded.
9. Plan your next 12 months.
   Schedule periodic TDPSA reviews, tabletop exercises, and vendor security check-ins so compliance remains a living process—not a one-time project.