The Texas TDPSA and What It Means for Your Website
Texas now has a comprehensive data-privacy law of its own — the TDPSA — and it reaches small businesses other state laws skip. Here's what it asks of your website, and why a consent-first setup already covers it.
Texas wrote its own privacy law — and your website is in scope
For years, Texas contractors could half-tune-out the privacy headlines. Those were California problems, Europe problems — somebody else’s compliance department. That era is over. The Texas Data Privacy & Security Act, the TDPSA, took effect in 2024, and it is exactly what it sounds like: a comprehensive consumer data-privacy law for Texas, enforced by an Attorney General who has made privacy a signature issue.
Here’s the part most owners miss. A lot of state privacy laws only bite once you’re processing data on hundreds of thousands of people. The TDPSA doesn’t draw that line the same way. It reaches businesses of ordinary size — which means the website where your customers price a roof or a new AC can be in scope.
Why “we’re too small to worry about it” is the trap
The instinct is understandable: you’re a five-truck shop, not Meta, so surely nobody’s coming for your contact form. But the TDPSA’s everyday duties don’t depend on how big you are. They depend on whether you collect and use Texans’ personal data — and a website that captures visitor information does exactly that.
That’s where the enforcement record gets your attention, not as a forecast for your shop but as proof Texas means it. In January 2025, the state filed the first-ever enforcement suit under a comprehensive state data-privacy law — over driving data collected and sold without consent. And Texas had already shown it would swing hard on consent: a $1.4 billion settlement with Meta over biometric data captured without permission, and a $1.375 billion settlement with Google over tracking Texans without consent. Those are the largest privacy settlements a single state has ever obtained. The common thread in every one is the same word the TDPSA is built around: consent.
What does the TDPSA actually require of my website?
Strip away the legal language and the TDPSA asks a contractor’s website for three practical things.
First, transparency — tell visitors what personal data you collect and why, in a privacy notice they can actually find. Second, opt-out rights — give people a clear way to opt out of targeted advertising and the sale of their data. Third, consent for sensitive data — get clear, affirmative consent before you process the categories the law treats as sensitive.
Notice what all three have in common. None of them ask you to stop marketing or stop knowing who’s on your site. They ask you to be upfront, to honor a no, and to get a yes before the sensitive stuff. That’s not a wall around your business. It’s a set of manners the law now expects — and they happen to be the same manners that make homeowners trust you.
The setup that satisfies it without slowing you down
This is where a consent-first approach does the heavy lifting. Instead of bolting compliance on after the fact, it builds the law’s requirements into how a lead is captured in the first place.
A clear consent banner handles transparency and the affirmative yes. A timestamped consent log handles proof — so when anyone asks who agreed and when, the answer is one lookup, not a scramble. And because follow-up is email-grade only — never a phone number handed to you to cold-dial — you stay clear of the call-and-text rules that ride alongside privacy law. The lead drops into the funnel you already run, whether that’s Jobber, Housecall Pro, ServiceTitan, or HubSpot.
Compare that with the alternative. A purchased list or a shared-platform lead arrives with someone else’s consent assumptions, or none at all. If a Texan exercises a TDPSA right and asks where their data came from, “we bought it from a vendor” is not the answer you want to be giving the Attorney General’s office.
What to put in place this quarter
- Publish a real privacy notice that says what you collect and why, and link it where visitors can find it.
- Run a clear consent banner so identification only happens for people who said yes — and so opt-out is honest and easy.
- Keep the receipt. A timestamped consent log on a 7-year audit trail means TDPSA proof exists before anyone asks for it.
- Follow up by email, not a cold call, so the contact rules never become your problem.
You don’t need to read the statute cover to cover. You need a website that collects on consent and keeps a record — and most of the TDPSA’s day-to-day burden is handled for you.
Consent Resolve was engineered to a stricter bar than any U.S. state law — the GDPR standard, whose maximum fine reaches €20 million or 4% of global revenue. Build to the strictest regime in the world and the TDPSA comes along for the ride. Every figure here is sourced on our stats page.
The short version for Texas pros
The TDPSA is Texas joining the chorus: collect and contact people on consent, tell them what you’re doing, and keep proof. Run a consent-first website and you’ve already answered it — while still capturing the homeowners you’re paying to bring to your site. See why consent-first protects your shop, and weigh it against what your current lead channels actually cost, in fees and in exposure. This article is general information, not legal advice — for how the TDPSA applies to your specific business, talk to a Texas attorney.