GDPR Compliance in Texas: EU GDPR + Texas Data Privacy and Security Act
Texas businesses that offer goods or services to people in the EU, or monitor their behaviour, must comply with the GDPR even though they have no EU establishment. Additionally, as of July 1, 2024, Texas businesses processing personal data of Texas residents must comply with the Texas Data Privacy and Security Act (TDPSA), which shares GDPR's core architecture of controller duties, consumer rights and risk assessments. Texas's large technology, energy, and financial sectors create significant GDPR exposure, particularly for companies with EU customers, partners, or affiliates.
The Texas AG has exclusive authority to enforce the Texas Data Privacy and Security Act and can seek civil penalties of up to $7,500 per violation plus injunctive relief; there is no private right of action under the TDPSA.
State Penalties: TDPSA civil penalties: up to $7,500 per violation. TX AG can seek injunctive relief. No private right of action. GDPR fines apply in addition for EU resident data.
EU Penalties (GDPR): up to €20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious violations (Art. 83(5)); a lower tier of €10 million or 2% applies to other infringements. GDPR is an EU regulation, not US federal law; there is currently no comprehensive US federal privacy statute that Texas law layers on top of.
How GDPR + Texas Law Overlap
GDPR applies to Texas businesses that offer goods or services to individuals in the EU or monitor their behaviour (Art. 3(2)); it has no processing-volume or revenue threshold. TDPSA applies to any person that conducts business in Texas or produces products or services consumed by Texas residents, processes or sells personal data, and is not a small business as defined by the U.S. Small Business Administration (small businesses must still obtain consent before selling sensitive data). Unlike most other state privacy laws, TDPSA has no 100,000-consumer applicability threshold. Both laws share similar subject-rights architectures but differ in their lawful-basis models: GDPR requires a documented legal basis (consent, contract, legitimate interests, etc.) for every processing activity and explicit consent for special-category data; TDPSA uses opt-in consent for sensitive data and an opt-out model for general processing.
Additional Texas Requirements Beyond GDPR
- Texas Data Privacy and Security Act (TDPSA, effective July 1, 2024) — consumer rights: access, correction, deletion, portability, and opt-out of targeted advertising, sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects
- TDPSA sensitive data categories include racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, citizenship or immigration status, genetic or biometric data processed to uniquely identify an individual, personal data of a known child, and precise geolocation data; the first group largely overlaps GDPR special categories, while precise geolocation is sensitive under TDPSA but not under GDPR Art. 9
- TDPSA requires documented data protection assessments for processing of sensitive data, targeted advertising, sale of personal data, and profiling that presents a reasonably foreseeable risk to consumers; the AG may request these assessments
- TDPSA requires opt-in consent for processing of sensitive personal data (similar to GDPR explicit consent requirement)
- Texas AG must give written notice and a 30-day opportunity to cure before bringing an enforcement action for TDPSA violations; unlike the cure periods in some other states' laws, this one does not sunset
- Texas businesses receiving personal data from the EU must use a GDPR-compliant transfer mechanism (Standard Contractual Clauses, the EU-US Data Privacy Framework, or an adequacy decision)
Key Compliance Requirements for Texas
- Assess GDPR applicability — does your Texas business offer products/services to EU residents or monitor EU resident behavior?
- If GDPR applies: publish GDPR-compliant Privacy Notice including legal basis for each processing activity
- TDPSA compliance: publish privacy notice disclosing data categories, purposes, third-party sharing, and consumer rights
- Implement data subject rights request handling for both regimes: GDPR requires a response without undue delay and within one month (extendable by two further months for complex or numerous requests, Art. 12(3)); TDPSA allows 45 days (extendable once by a further 45 days)
- GDPR international transfers: use Standard Contractual Clauses (SCCs), backed by a documented transfer impact assessment, for data transfers from the EU to Texas operations, or self-certify under the EU-US Data Privacy Framework
- Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing under GDPR and similar TDPSA assessments
Common Violations in Texas
- Failure to assess GDPR applicability — many Texas companies with EU customers incorrectly assume GDPR doesn't apply
- Cookie consent violations — deploying analytics and ad tracking before obtaining valid EU consent
- Invalid data transfer mechanisms post-Schrems II — continued reliance on the Privacy Shield, invalidated in July 2020, or on the old 2010 SCCs that were replaced in 2021
- Missing or inadequate Privacy Notices failing to disclose the legal basis for each processing activity under GDPR
- Failure to respond to EU data subject rights requests within GDPR's one-month window
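The cookie-consent violation above is usually an engineering defect rather than a policy one: the analytics or advertising tag is wired into the page template and fires on load, and the banner is painted on afterwards. The following is an added example (not code from the original page or from any vendor) of the opposite pattern: a small consent manager that keeps non-essential tags unloaded until the visitor opts in, gates every later tracking call on the current consent state, and records the choice so the controller can demonstrate consent as GDPR Art. 7(1) requires. The `loaders` object, the category names and the `createConsentManager` API are assumptions for illustration; in a browser each loader would inject the vendor's `<script>`, whereas here they are plain functions so the module runs in Node without a DOM.

```javascript
// Consent-gated tag loading (added example; hypothetical API, not from the page).
// Categories are the purposes the banner asks about. "Essential" cookies need no
// consent and are deliberately not modelled here.
const CATEGORIES = ["analytics", "advertising"];

function createConsentManager(loaders) {
  // loaders: { analytics: fn, advertising: fn } -- each injects the vendor tag.
  // Injected as plain functions so the module has no DOM dependency.
  const granted = new Set();   // categories the visitor has currently opted in to
  const loaded = new Set();    // categories whose tag has already been injected
  const log = [];              // audit trail of loads and blocked calls
  const records = [];          // consent receipts, kept to demonstrate consent

  function load(category) {
    // Inject a tag at most once, and only after opt-in. Nothing is loaded on page
    // load, which is the defect behind "tracking before consent" findings.
    if (loaded.has(category)) return false;
    loaders[category]();
    loaded.add(category);
    log.push(`loaded:${category}`);
    return true;
  }

  return {
    // choices: { analytics: true/false, advertising: true/false }. Only an explicit
    // `true` counts as opt-in; a missing key or pre-ticked default never does.
    setConsent(choices, at = new Date().toISOString()) {
      for (const c of CATEGORIES) {
        const optIn = choices[c] === true;
        records.push({ category: c, granted: optIn, at });
        if (optIn) {
          granted.add(c);
          load(c);
        } else {
          // Withdrawal: an already-injected script cannot be unloaded, so every
          // later call goes through track(), which now refuses this category.
          granted.delete(c);
        }
      }
    },
    // Guard that every tracking call must pass through. Returns whether it ran.
    track(category, fn) {
      if (!granted.has(category)) {
        log.push(`blocked:${category}`);
        return false;
      }
      fn();
      return true;
    },
    state() {
      return { granted: [...granted], loaded: [...loaded], log: [...log], records: [...records] };
    },
  };
}

// Constructed demo: a visitor accepts analytics but refuses advertising.
const demo = createConsentManager({
  analytics: () => {},   // stand-in for injecting the analytics <script>
  advertising: () => {}, // stand-in for injecting the ad-tech <script>
});
demo.track("analytics", () => {});                         // blocked: no consent yet
demo.setConsent({ analytics: true, advertising: false });  // loads analytics only
demo.track("advertising", () => {});                       // blocked: refused
console.log(JSON.stringify(demo.state().log));             // ["blocked:analytics","loaded:analytics","blocked:advertising"]
```

The design point is that consent is checked at two places, once when deciding whether to inject a tag and again on every call that would send data, because a withdrawn consent cannot pull an already-loaded script back out of the page. A production version would also persist `records` server-side, expose "reject all" as prominently as "accept all", and clear the vendor's cookies on withdrawal; none of that changes the gating logic shown here.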
Recent GDPR Enforcement in Texas
Frequently Asked Questions
Does GDPR apply to Texas companies?
Yes, if your Texas company offers goods or services to individuals in the EU (including free services), or monitors their behaviour (such as web analytics or ad tracking of EU visitors). GDPR has no minimum revenue or record-count threshold for US companies, so even a small Texas business with a few EU customers may be subject to it. The key question is whether you intentionally target people in the EU: a site that merely happens to be reachable from Europe is not enough, while accepting euro payments, offering EU shipping, using EU languages, or running EU-targeted ads is strong evidence of targeting.
What is the Texas Data Privacy and Security Act?
The Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024, is Texas's comprehensive consumer data privacy law. It applies to any person that conducts business in Texas or produces products or services consumed by Texas residents, processes or sells personal data, and is not a small business as defined by the U.S. Small Business Administration; unlike most other state privacy laws, it has no 100,000-consumer volume threshold, although small businesses are still barred from selling sensitive data without consent. It grants consumers rights to access, correct, delete, and port their data, and to opt out of targeted advertising, data sales, and profiling for decisions with legal or similarly significant effects.
How does GDPR differ from the Texas TDPSA?
GDPR is an EU regulation with extraterritorial reach covering any business that targets or monitors individuals in the EU. TDPSA is a Texas state law. Key differences: GDPR requires a documented legal basis for each processing activity (consent, contract, legitimate interests, etc.) and explicit consent for special-category data; TDPSA uses an opt-out model for general processing and opt-in consent only for sensitive data. GDPR fines can reach 4% of global revenue; TDPSA caps at $7,500 per violation, with a 30-day cure period before the AG can sue.
What EU data transfer mechanisms must Texas businesses use?
Texas businesses receiving personal data from EU entities must use a GDPR-compliant transfer mechanism. The most common are Standard Contractual Clauses (SCCs), updated by the European Commission in June 2021, which must be accompanied by a transfer impact assessment after Schrems II. The Privacy Shield was invalidated in July 2020 and is no longer valid. The EU-US Data Privacy Framework, covered by an adequacy decision adopted in July 2023, allows US companies that self-certify with the U.S. Department of Commerce to receive EU data without SCCs. Binding Corporate Rules (BCRs) are available for intra-group transfers within multinational groups.
Who enforces GDPR violations against Texas companies?
EU member state data protection authorities (DPAs) enforce GDPR against Texas companies. For a company with an EU establishment, the lead DPA is the authority where its main EU establishment sits (the one-stop-shop mechanism). For US companies with no EU establishment, there is no lead authority and any EU member state DPA may investigate; such companies must also designate an EU representative under Art. 27 unless their processing is only occasional and low-risk. The Texas AG enforces TDPSA separately. Both can impose penalties for the same data processing practices, since neither law offsets the other's fines.