Texas State Data Privacy Laws

If an individual or business of any size steals or misuses your private data, your legal recourse might depend on the jurisdiction. As of 2024, Texas has become one of the most proactive states in protecting consumer privacy. From mandatory breach notifications to limits on how companies collect and use your data, Texas state law gives you clear protections—and options to file a claim and pursue justice.

Last Modified date: July 22, 2025

An Overview of Texas Data Privacy Laws

Texas has enacted several strong privacy laws that require businesses to protect consumer data and notify affected individuals if a data breach occurs. If your personal or sensitive information is compromised, these laws may give you the right to take legal action or join a class action lawsuit.

Texas Data Privacy and Security Act

The Texas Data Privacy and Security Act (TDPSA) took effect in 2025 and sets clear rules for how businesses can collect, store, process, and use personal data. It applies to any consumer data that can be tied to a specific individual and limits how companies can sell or share that information without your knowledge.

Texas Identity Theft Enforcement and Protection Act

The Texas Identity Theft Enforcement and Protection Act (ITEPA) requires businesses to take reasonable steps to protect your personal data and to notify you quickly if it’s compromised. If a breach affects 250 or more Texans, the business must report the breach to the Office of the Attorney General within 30 days. In all other cases, individuals must be notified within 60 days of determining that the breach occurred.  

Texas Business and Commerce Code—Data Security Provisions

The Texas Business and Commerce Code defines how businesses must implement reasonable security practices when collecting, storing, or sharing your data. They may not collect more than what’s needed for business purposes, and they cannot use sensitive data—such as your race, religion, or health details—without your consent.

Texas Medical Privacy Laws and HIPAA Enforcement

Texas builds on federal HIPAA protections with its own Texas Medical Records Privacy Act (TMRPA). This law extends privacy rules to medical records in paper form and restricts how your protected health information (PHI) can be used for marketing purposes. If a breach occurs, health care companies must notify you just as they would under other Texas breach laws.

Recent Data Breaches in Texas

Here are some of the most notable data breaches affecting Texas and the outcomes of those situations if they have been resolved through settlements or legal action:

  • Meta: In 2022, Texas sued Meta for illegally collecting the biometric data of millions of Texans without consent. The state reached a $1.4 billion settlement in 2024—the largest settlement ever obtained by a single state. Meta has faced numerous class action lawsuits over similar privacy violations. 
  • Allstate and Arity: In January 2025, the Texas Attorney General sued Allstate and Arity for illegally collecting, using, and selling millions of Americans’ private data captured via embedded software in apps. Shortly after filing, another class action lawsuit was filed against Allstate on behalf of users of apps like GasBuddy, Life360, Routley, and Fuel Rewards. 
  • USAA: In December 2024, USAA settled a class action lawsuit for $3.25 million over a 2021 data breach involving public motor vehicle records. Over 22,600 individuals were impacted, including many Texans. 

Different types of data breaches, such as insider threats, phishing, physical theft, ransomware, and malware, can result in stolen information. If a company was negligent in safeguarding your personal information, you may have legal recourse. 

What Is Personal Information Under Texas Law?

Under Texas law, personal information includes any data that can be traced to a specific individual, such as your Social Security number, driver’s license number, financial account details, health information, and biometric data. The term does not include publicly available information.

Texas also considers any data about children under 13 to be protected. Companies must get your consent before collecting or using sensitive personal data.

When Must Companies Notify You of a Data Breach in Texas?

Under ITEPA, companies in Texas are subject to strict notification requirements if there is a known or suspected data breach. If your personal data is part of a breach, companies must:

  • Alert you within 60 days of discovering a breach.
  • Notify the Texas Attorney General within 30 days if 250 or more residents are affected.

Reports to the Attorney General must be submitted to the state electronically and include specific information, including:

  • The number of Texas residents impacted by the data breach.
  • The number of Texas residents who have been sent a data breach notification by mail or some other direct form of communication.
  • Details of the data breach.
  • Contact information for the responsible person at the business.
  • Mitigation steps the business is taking.

The Texas data breach notification law specifies that affected parties must be directly notified via mail. However, notice by email, publications, posting on the company’s website, or broadcasting on statewide media is acceptable when the costs of giving notice would exceed $250,000 or the number of impacted persons exceeds 500,000 individuals.

Your Privacy Rights as a Texas Resident

As a Texas resident, the various data breach laws in Texas give you the right to expect the security of your private data, outline what companies must do if there is a breach, and give you options for legal recourse. 

Businesses must take reasonable action to secure all sensitive and personal data, and if there is a breach, you have the right to timely notification. You can also take protective measures, such as setting up credit monitoring or fraud alerts. 

You may wonder what to do if you are notified of a data breach. Fortunately, the law gives you the right to seek legal recourse in cases of negligence or non-compliance, including suing a company for failing to implement reasonable prevention measures or to provide you with reasonable notice after a breach occurred.

How To File a Complaint or Take Legal Action in Texas

If you discover or suspect that your data was exposed in a breach, here’s what to do next:

  • Gather documentation such as emails, letters, and screenshots related to the breach.
  • File an official complaint with the Texas Attorney General.
  • Report any identity theft, fraud, or other violations of Texas data privacy laws to the appropriate agency, such as the FTC or credit bureaus.

If many people were affected by the same breach, you may be able to join a class action lawsuit or start one. This can be a powerful strategy for achieving justice when a company’s wrongdoing has harmed you. 

Don’t stand alone after a data breach. Class Action U can help you take charge and connect you with attorneys who know how to fight back and understand what’s at stake.  

Contact us today for a free consultation to learn about your legal rights and pursue the compensation you deserve.
