The Texas Data Privacy and Security Act took effect on July 1 2024, making it one of the newest US state privacy laws. The Texas Attorney General has moved quickly on enforcement, with investigations affecting over 100 companies and the first lawsuit filed in January 2025.
How TDPSA Enforcement Works
The Texas Attorney General has exclusive enforcement authority under the TDPSA. When a potential violation is identified, businesses receive a 30-day notice to cure the issue before penalties are imposed.
Penalties can reach up to $7,500 per violation. Each affected consumer counts as a separate violation, so fines can escalate rapidly for widespread non-compliance.
The TDPSA does not provide a private right of action. Consumers cannot sue businesses directly for violations.
Notable Enforcement Actions
Allstate Corporation and Arity Subsidiaries (January 2025)
On 13th January 2025, the Texas Attorney General filed the first lawsuit under the TDPSA against Allstate Corporation and five of its subsidiaries, including three that share the name “Arity.”
The complaint alleges that the Arity defendants collected and processed sensitive personal data from Texas residents without their knowledge or adequate notice. According to the filing, consumers were “wholly unaware” that the Arity defendants were processing their sensitive data.
The enforcement division alleged that Arity operated as a data controller and was required by the TDPSA to provide consumers with a privacy notice disclosing its data practices. The case is ongoing.
Source: Texas Attorney General’s Office
Broader Enforcement Activity
Since the TDPSA took effect, the Texas Attorney General has aggressively pursued a broad range of privacy violations. Enforcement actions have already affected over 100 companies across various industries, including automakers and technology startups.
Allegations have ranged from unauthorized data sales to deceptive marketing practices. While many of these investigations have been resolved through the 30-day cure process, the volume of activity signals that the Attorney General is taking enforcement seriously.
Data Broker Enforcement
Texas has separate data broker registration requirements that complement the TDPSA. Data brokers who fail to register face daily civil penalties of at least $100 per day. The civil penalty against the same broker cannot exceed $10,000 in a 12-month period.
Violations of the Data Broker Law also constitute deceptive trade practices under the Texas Deceptive Trade Practices Act, opening additional enforcement avenues.
What These Cases Tell Us
The Allstate/Arity case provides early guidance on Texas enforcement priorities:
Privacy notices must be clear. The core allegation is that consumers were unaware their data was being processed. Businesses must ensure their privacy notices actually reach and inform consumers.
Sensitive data requires extra care. The complaint focuses on sensitive personal data, reinforcing that Texas takes the sensitive data consent requirements seriously.
Enforcement is proactive. Filing a lawsuit within six months of the law taking effect demonstrates that the Attorney General is not waiting for complaints before acting.
What This Means for Your Organization
Texas enforcement is active and expanding. Businesses should review their data collection practices to ensure consumers receive clear notice before any processing occurs. If you collect sensitive data such as precise geolocation, health information, or biometric identifiers, ensure you have appropriate consent mechanisms in place.
The 30-day cure period provides an opportunity to address issues before penalties are imposed, but the volume of investigations suggests businesses should not rely on this as a compliance strategy. Proactive compliance is the safer approach.
Monitor the Texas Attorney General’s announcements for updates on enforcement priorities and guidance.
