Texas AI Governance Act: What Dallas Businesses Must Know

As of January 1, 2026, the Texas Responsible AI Governance Act (TRAIGA) adds AI-specific compliance obligations on top of the already-enforced Texas Data Privacy and Security Act (TDPSA). Together, these laws create a two-pronged compliance landscape that affects most Dallas businesses using personal data or AI systems, with TRAIGA penalties that can reach $200,000 per violation.

Abstract infographic showing the state of Texas outline overlaid with a digital shield and AI circuit brain symbol against a dark navy background

On January 13, 2025, Texas Attorney General Ken Paxton filed the first enforcement action under the Texas Data Privacy and Security Act against Allstate Corporation and its subsidiary Arity. The lawsuit alleges they secretly harvested sensitive geolocation data from millions of Texans' cellphones by embedding tracking software into popular mobile apps like Life360 and GasBuddy — then sold that data to insurance carriers to adjust premiums and deny coverage [Texas Attorney General]. The state is seeking more than $1 million in penalties.

That case opened the floodgates. The Attorney General's office has since launched investigations touching over 100 companies, each backed by civil penalties of up to $7,500 per violation [White & Case]. The statute sets that cap per violation and does not say whether every affected consumer counts as a separate one; on the per-consumer reading most practitioners plan around, a single data handling failure affecting 10,000 customer records generates eight-figure exposure overnight.

Now, as of January 1, 2026, the compliance landscape has gotten considerably more complex. The Texas Responsible Artificial Intelligence Governance Act — known as TRAIGA — has taken effect alongside the TDPSA, creating a two-pronged regulatory framework that touches nearly every business that uses personal data or deploys AI systems in Texas. If your Dallas business has 50 to 200 employees, here is what both laws require — and what you need to build into your IT infrastructure before the Attorney General's office comes knocking.

✓ Key Takeaways

  • The TDPSA has no revenue threshold: it applies to any business processing Texas residents' personal data that is not an SBA-defined small business (and even small businesses may not sell sensitive data without consent), with penalties of up to $7,500 per violation
  • TRAIGA took effect January 1, 2026, adding AI-specific obligations with penalties of up to $200,000 per uncurable violation and $2,000 to $40,000 per day for continuing violations
  • The Texas AG is actively enforcing: 100+ investigations launched and the first lawsuit already filed against Allstate in January 2025
  • Data protection assessments, privacy notices, processor contracts, and AI risk inventories are now operational requirements — not optional best practices
  • Following the NIST AI Risk Management Framework creates an affirmative defense under TRAIGA — but only if the adoption is documented and operationalized
  • Managed IT services provide the technical infrastructure — data classification, encryption, access controls, audit logging — that makes compliance sustainable

The TDPSA: Already in Force, Already Being Enforced

The Texas Data Privacy and Security Act took effect on July 1, 2024, and its requirement to honor universal opt-out preference signals followed on January 1, 2025 [Texas AG Office]. Unlike privacy laws in California or Virginia, the TDPSA has no revenue or record-count threshold. Its one size carve-out is for "small businesses" as defined by the U.S. Small Business Administration, and even those may not sell sensitive data without consent. SBA size standards are set per industry (by employee count or annual receipts), so a 50 to 200 employee company should check the standard for its own NAICS code rather than assume it is covered or exempt. If you are not an SBA small business and you collect personal data from Texas residents, which in 2026 covers virtually every company with a website, an email list, or a CRM, you are subject to its requirements.

The TDPSA gives Texas consumers the right to access, correct, delete, and obtain a portable copy of their personal data. It requires businesses to provide clear privacy notices, obtain consent before processing sensitive data, and honor opt-out requests for targeted advertising, data sales, and profiling that feeds decisions with legal or similarly significant effects. Sensitive data under the TDPSA includes biometric and genetic identifiers, precise geolocation, health diagnoses and conditions, racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, and data from known children [Termly].

For businesses providing managed IT services in Dallas or relying on them, the most operationally significant requirement is the data protection assessment. The TDPSA mandates these assessments for any processing activity that involves targeted advertising, the sale of personal data, profiling that presents a reasonably foreseeable risk of harm, processing of sensitive data, or any activity presenting a "heightened risk of harm to consumers" [Davis Wright Tremaine].

These assessments are not one-time exercises. Every new processing activity that falls into these categories requires a fresh assessment — and the Attorney General can demand to review them during an investigation.

Processor contracts represent another obligation that catches mid-sized businesses off guard. If your company shares personal data with third-party vendors — cloud providers, SaaS platforms, marketing automation tools, payroll processors — those vendors are "processors" under the TDPSA. You must have contracts in place that define the scope and purpose of processing, require the processor to assist with consumer rights requests and data protection assessments, mandate data deletion or return upon contract termination, and impose confidentiality obligations on all personnel who handle the data. Existing vendor agreements almost certainly do not include these provisions unless they have been updated since July 2024.

TRAIGA: The New AI Governance Layer

TRAIGA defines an "artificial intelligence system" broadly: any machine-based system that infers from its inputs how to generate outputs — including content, decisions, predictions, or recommendations — that can influence physical or virtual environments [Norton Rose Fulbright]. If your Dallas business uses chatbots, automated decision-making tools, AI-powered hiring screeners, predictive analytics, or even sophisticated CRM automation, TRAIGA likely applies.

Definition

High-Risk AI System (Under TRAIGA)

The TRAIGA that was enacted (HB 149) does not define a "high-risk AI system" or attach a separate tier of obligations to one; that framework appeared in the earlier draft (HB 1709) and was dropped from the bill that became law. In practice, AI that makes or materially supports decisions affecting employment, education, healthcare, housing, insurance, or legal services is where the Act's prohibitions and disclosure duties are most likely to bite, and the broader the potential impact on individuals' rights and opportunities, the more scrutiny the deploying organization should apply.

The Act targets specific prohibited uses of AI. Businesses may not develop or deploy AI systems intended to manipulate people into self-harm, harming others, or criminal activity; may not use AI to produce child sexual abuse material or sexually explicit deepfakes; and may not develop or deploy AI with the intent to unlawfully discriminate against a protected class in violation of state or federal law [Baker Botts]. The discrimination prohibition is not limited to employment, and it turns on intent: the statute states that disparate impact alone is not enough to show intent to discriminate. Even so, employment is where most mid-market Dallas businesses will meet it first. If you use AI-assisted tools in hiring, performance evaluation, or workforce management, including tools embedded in platforms you already use, like applicant tracking systems or LinkedIn Recruiter, you are the deployer of those systems and need to be able to show how they are configured, tested, and monitored.

Healthcare providers face an additional disclosure obligation: they must inform patients when AI is being used in connection with their treatment or service [Ropes & Gray]. Organizations in the Dallas–Fort Worth healthcare sector that are already navigating HIPAA compliance requirements should treat TRAIGA disclosure as a parallel obligation, not a distant concern.

The enforcement mechanism is significant. The Attorney General can pursue civil penalties of $10,000 to $12,000 per curable violation, $80,000 to $200,000 per uncurable violation, and $2,000 to $40,000 per day for a continuing violation [K&L Gates]. TRAIGA provides a 60-day cure period after the Attorney General's written notice before an action is filed. Sixty days is not long when the violation lives in a hiring pipeline or a customer-facing system: the cure usually means reconfiguring or removing a vendor tool, retraining staff, and documenting the change, and all of it must be complete before the window closes.

Isometric compliance infrastructure diagram showing interconnected layers of data classification, access controls, and encryption with audit log streams

The TDPSA and TRAIGA create overlapping compliance obligations that require coordinated technical infrastructure

TDPSA vs. TRAIGA: Side-by-Side

Understanding where these laws overlap and where they diverge is essential for building a unified compliance strategy. The comparison below covers the provisions most relevant to a typical 50–200 employee Dallas business.

Effective Date
  TDPSA: July 1, 2024 (universal opt-out signal requirement from January 1, 2025)
  TRAIGA: January 1, 2026

Scope
  TDPSA: Any business processing or selling Texas residents' personal data; no revenue threshold, but SBA-defined small businesses are exempt except for the consent requirement on sales of sensitive data
  TRAIGA: Any entity developing or deploying AI systems in Texas, or whose AI-driven products or services are used by Texas residents

Key Obligations
  TDPSA: Privacy notices, consent for sensitive data, data protection assessments, processor contracts, consumer rights fulfillment
  TRAIGA: Prohibited AI uses, non-discrimination (intent-based), healthcare disclosure, voluntary risk management framework adoption

Penalties
  TDPSA: Up to $7,500 per violation
  TRAIGA: $10,000–$12,000 per curable violation; $80,000–$200,000 per uncurable violation; $2,000–$40,000 per day for continuing violations

Cure Period
  TDPSA: 30 days after AG notice
  TRAIGA: 60 days after AG notice

Safe Harbor
  TDPSA: None specified
  TRAIGA: Substantial compliance with the NIST AI Risk Management Framework (or another recognized framework) as an affirmative defense

Enforcement
  TDPSA: TX Attorney General (exclusive); 100+ investigations underway
  TRAIGA: TX Attorney General (exclusive); regulatory sandbox program via DIR

What a 50–200 Person Dallas Business Needs to Do

Neither law requires a dedicated legal department or a seven-figure compliance budget. But both require deliberate operational changes backed by technical infrastructure. Here is a practical breakdown of what compliance looks like at the mid-market level.

Conduct Data Protection Assessments

Start by mapping every processing activity involving personal data across your organization. For each activity that involves targeted advertising, data sales, profiling, sensitive data processing, or heightened-risk processing, document the business purpose, the categories of data involved, the necessity of the processing relative to that purpose, and the risks to consumers. These assessments must be maintained — not filed once and forgotten — because the Attorney General can request them during any investigation.

Update Privacy Notices and Consent Mechanisms

Your privacy policy must disclose the categories of personal data you collect, the purposes for processing, third-party sharing practices, consumer rights under the TDPSA, and how consumers can exercise those rights. For sensitive data categories, you need affirmative opt-in consent — not pre-checked boxes or implied agreement through continued use. This extends to your website, mobile applications, and any customer-facing data collection point.

Audit and Update Vendor Contracts

Every vendor that processes personal data on your behalf needs a TDPSA-compliant processor agreement. Audit your vendor list systematically — this includes cloud hosting, email marketing, payroll, CRM, and any SaaS platform where customer data flows. Working with an IT consulting partner in Dallas can accelerate this audit and help identify shadow IT services that may be processing data without formal oversight.

Build an AI System Inventory

Catalog every AI system in use across your organization. This includes obvious tools like chatbots and AI writing assistants, but also less obvious ones: automated applicant screening in your HR platform, predictive lead scoring in your CRM, machine learning-based spam filters, and AI-powered analytics dashboards. For each system, assess whether it falls under TRAIGA's prohibited uses or employment-related anti-discrimination provisions. Organizations exploring broader AI adoption should consider AI consulting and strategy services to ensure new deployments are compliant from day one.

Train Your People

Compliance fails at the human layer more often than the technical one. Ensure that anyone handling consumer data requests understands the TDPSA response timeline, staff managing vendor relationships know what contract provisions to verify, hiring managers and HR teams recognize which AI tools require TRAIGA scrutiny, and your incident response team knows the breach notification requirements under both state and federal law.

Texas Data Privacy & AI Compliance Readiness Checklist

  • ☐ Personal data processing activities mapped and documented
  • ☐ Data protection assessments completed for high-risk processing
  • ☐ Privacy policy updated with TDPSA-required disclosures
  • ☐ Consent mechanisms implemented for sensitive data categories
  • ☐ Consumer rights request workflow established (access, delete, correct, opt-out)
  • ☐ Vendor/processor contracts audited and updated
  • ☐ AI system inventory completed across all departments
  • ☐ AI systems assessed for TRAIGA prohibited uses and discrimination risk
  • ☐ NIST AI Risk Management Framework adoption evaluated
  • ☐ Employee training delivered for data handling and AI governance
  • ☐ Incident response plan updated for TDPSA breach notification requirements
  • ☐ Audit logging and monitoring infrastructure verified

The IT Infrastructure Behind Compliance

Compliance with the TDPSA and TRAIGA is not purely a legal exercise — it requires technical infrastructure that most 50–200 person businesses do not have in-house. This is where Dallas IT services become essential — not as an optional layer, but as the foundation that makes every compliance obligation operationally sustainable.

Modern corporate server room with glass-panel enclosed racks, blue LED ambient lighting, and a wall-mounted compliance monitoring dashboard

Compliant IT infrastructure requires purpose-built monitoring, encryption, and access control systems

Data Classification and Discovery

You cannot protect data you cannot find. A compliant IT environment starts with automated data classification — identifying where personal and sensitive data lives across endpoints, servers, cloud storage, and SaaS applications. This includes structured data in databases and CRMs as well as unstructured data scattered across email threads, shared drives, Teams channels, and collaboration tools. Without classification, data protection assessments are guesswork.
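The discovery step above is easier to reason about with a concrete scanner in hand. The block below is an added example, not ITECS tooling: it walks a set of constructed text records (a CRM export, a support ticket, an intake form, meeting notes) and tags each one with the TDPSA data classes it contains. The regular expressions and keyword lists are illustrative assumptions that a real DLP rule set would extend and tune; the point is the structure, that "personal" and "sensitive" are separate classes, that precise geolocation is matched structurally and range-checked, and that every hit is recorded with its sample so the finding can go straight into a data protection assessment.

```python
# Added example (not ITECS code): a pattern-based scanner that tags text records
# with the TDPSA data classes they contain. The patterns and keyword lists are
# illustrative assumptions, not a complete DLP rule set.
import re
from dataclasses import dataclass

# Personal data: identifiers that tie a record to an individual.
PERSONAL_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # US phone with optional country code; the lookbehind stops the pattern from
    # matching inside a longer digit run.
    "us_phone": re.compile(r"(?<![\w.])(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}\b"),
    # SSN, excluding area/group/serial values that are never issued.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
}

# TDPSA sensitive data categories. Precise geolocation is matched structurally
# (a decimal latitude/longitude pair, range-checked below); the others are matched
# on indicative keywords, which is how DLP rules are usually bootstrapped before tuning.
SENSITIVE_PATTERNS = {
    "precise_geolocation": re.compile(
        r"(?<![\d.-])(-?\d{1,2}\.\d{4,})\s*,\s*(-?\d{1,3}\.\d{4,})(?![\d.])"),
    "health": re.compile(r"\b(?:diagnos(?:is|ed)|prescription|patient)\b", re.I),
    "biometric": re.compile(r"\b(?:fingerprint|retina scan|facial recognition|voiceprint)\b", re.I),
    "citizenship": re.compile(r"\b(?:citizenship|immigration status|visa status)\b", re.I),
}


@dataclass(frozen=True)
class Finding:
    doc_id: str
    category: str   # "personal" or "sensitive"
    label: str      # which pattern fired
    sample: str     # the matched text, for the assessment record


def classify(doc_id: str, text: str) -> list:
    """Return every personal/sensitive data hit in one document."""
    findings = []
    for label, pat in PERSONAL_PATTERNS.items():
        findings += [Finding(doc_id, "personal", label, m.group(0)) for m in pat.finditer(text)]
    for label, pat in SENSITIVE_PATTERNS.items():
        for m in pat.finditer(text):
            if label == "precise_geolocation":
                lat, lon = float(m.group(1)), float(m.group(2))
                if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
                    continue   # four-decimal numbers that cannot be coordinates
            findings.append(Finding(doc_id, "sensitive", label, m.group(0)))
    return findings


def summarize(docs: dict) -> dict:
    """Map each document to the set of data classes it contains; an empty set
    means nothing in scope was found."""
    return {doc_id: {f.category for f in classify(doc_id, text)} for doc_id, text in docs.items()}


# Constructed sample records standing in for a file-share crawl.
SAMPLE_DOCS = {
    "crm_export.csv": "Jane Doe,jane.doe@example.com,(214) 555-0142,Dallas TX",
    "support_ticket_8841.txt": "App crashed. Last known location 32.7767, -96.7970 at 08:14.",
    "intake_form.txt": "Patient diagnosed with type 2 diabetes; prescription renewed. Contact: rmartinez@example.net",
    "meeting_notes.txt": "Q3 roadmap review. Action items assigned to owners.",
}

if __name__ == "__main__":
    for doc_id, classes in summarize(SAMPLE_DOCS).items():
        print(f"{doc_id}: {sorted(classes) or 'no personal data found'}")
```

Run it and the support ticket comes back as sensitive even though it holds no name, email, or phone: a lat/long pair on its own is precise geolocation, which is exactly the category at issue in the Allstate case, and it will not be caught by a scanner that only looks for identifiers.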

Access Controls and Identity Management

The TDPSA requires limiting the collection and use of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purpose, and an investigator will read that as a least-privilege requirement on who inside the company can reach the data. In practice that means role-based access controls (RBAC) aligned to job functions, multi-factor authentication on every system handling personal data, privileged access management for administrative accounts, and regular access reviews to revoke stale permissions. ITECS is an authorized 1Password reseller and managed services partner; credential management and identity security are the foundation on which those access controls rest.
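The access review is the part of that list most often done by hand, badly, once a year. The block below is an added example (not ITECS code) of the two checks a review should automate: a deny-by-default authorization lookup over a role catalogue, and a pass over an exported grant list that flags roles held by the wrong job function and grants nobody has exercised in more than 90 days. The role table, the grant fields, the review date and the 90-day threshold are assumptions chosen for illustration; a real review pulls the grant list from the identity provider and each application's admin API.

```python
# Added example (not ITECS code): a least-privilege access review over an exported
# grant list. The role catalogue, grant fields, review date and 90-day idle threshold
# are assumptions for illustration; real reviews pull grants from the IdP and app APIs.
from datetime import date

# Role catalogue: which job functions may hold each role and which data classes it reaches.
ROLES = {
    "crm_reader":   {"functions": {"sales", "support"}, "data": {"personal"}},
    "hr_admin":     {"functions": {"hr"},               "data": {"personal", "sensitive"}},
    "global_admin": {"functions": {"it"},               "data": {"personal", "sensitive"}},
}

REVIEW_DATE = date(2026, 3, 1)   # the day the review is run (assumed)


def authorize(user_roles, data_class):
    """Deny-by-default check: may a holder of these roles read this data class?"""
    return any(data_class in ROLES[r]["data"] for r in user_roles if r in ROLES)


def access_review(grants, today=REVIEW_DATE, max_idle_days=90):
    """Return (grant, reason) pairs that must be revoked or re-justified.

    Each grant is a dict with user, function, role and last_used (a date, or None
    if the role has never been exercised). Three conditions are flagged: an
    unknown role, a role held by a job function that is not entitled to it, and
    a grant unused for longer than max_idle_days.
    """
    findings = []
    for g in grants:
        role = ROLES.get(g["role"])
        if role is None:
            findings.append((g, "unknown role"))
            continue
        if g["function"] not in role["functions"]:
            findings.append((g, "role not permitted for job function"))
        last = g["last_used"]
        if last is None or (today - last).days > max_idle_days:
            findings.append((g, f"stale: unused for more than {max_idle_days} days"))
    return findings


# Constructed grant export, as an IdP or SaaS admin console might produce it.
GRANTS = [
    {"user": "jdoe",        "function": "sales",     "role": "crm_reader",   "last_used": date(2026, 2, 20)},
    {"user": "mlee",        "function": "hr",        "role": "hr_admin",     "last_used": date(2026, 2, 27)},
    {"user": "tnguyen",     "function": "support",   "role": "crm_reader",   "last_used": date(2025, 9, 3)},  # left the queue
    {"user": "contractor7", "function": "marketing", "role": "hr_admin",     "last_used": date(2026, 2, 1)},  # wrong function
    {"user": "svc-legacy",  "function": "it",        "role": "global_admin", "last_used": None},              # never used
]


def review_sample():
    """Run the review over the constructed export."""
    return access_review(GRANTS)


if __name__ == "__main__":
    for grant, reason in review_sample():
        print(f"{grant['user']:12} {grant['role']:13} {reason}")
```

Note that the contractor's grant is flagged even though it was used last month: being active is not the same as being entitled, and a review that only looks at last-login dates misses exactly the grant an investigator would ask about first.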

Encryption in Transit and at Rest

Note:

The TDPSA does not name an algorithm or protocol; it requires "reasonable administrative, technical, and physical data security practices" appropriate to the volume and nature of the personal data at issue. In 2026 that bar is met, and an investigator will expect to see, TLS 1.2 or higher for all data in transit, AES-256 for stored data, encrypted backups with tested restoration procedures, and active certificate management. Treat these as the baseline rather than as hardening extras, and keep the evidence (scan results, key-management records, restore test logs) that shows they are in force.

Audit Logging and Continuous Monitoring

Both laws assume you can demonstrate compliance when asked. That means comprehensive audit logs documenting who accessed what data, when, from where, and what action they took. Centralized log management, a Security Information and Event Management (SIEM) platform, tamper-evident log storage, and real-time anomaly detection through network monitoring services are the building blocks that turn a compliance posture from aspirational to auditable.
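"Tamper-evident" is a property you can test, not a product label. The block below is an added example (not ITECS code) of the simplest construction that delivers it: each audit record carries a SHA-256 hash computed over the previous record's hash plus its own canonical JSON, so editing or deleting any record invalidates everything after it. It also includes a crude bulk-read detector of the kind an anomaly rule in a SIEM would run. The field names, IP addresses and events are constructed. One caveat the code makes explicit: a hash chain alone does not detect truncation of the tail, so the current head hash has to be stored (or signed) somewhere the log writer cannot reach, and handed to the verifier.

```python
# Added example (not ITECS code): a hash-chained audit log with verification and a
# simple bulk-read detector. Field names and sample events are constructed; a
# production deployment stores the chain head outside the log store so that an
# attacker with write access cannot silently rebuild the chain.
import copy
import hashlib
import json
from collections import defaultdict
from datetime import datetime

GENESIS = "0" * 64   # chain head before any entry exists


def _digest(prev_hash, record):
    """Hash of the canonical record, bound to the previous entry's hash."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []   # each entry: {"record": {...}, "hash": "..."}

    def append(self, actor, action, resource, src_ip, ts):
        """Record who did what, to which data, from where and when."""
        record = {"seq": len(self.entries), "ts": ts, "actor": actor,
                  "action": action, "resource": resource, "src": src_ip}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"record": record, "hash": _digest(prev, record)})
        return self.entries[-1]["hash"]

    def head(self):
        """Current chain head; this is the value to anchor externally."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify(entries, expected_head=None):
    """Return (ok, first_bad_seq). Edits and deletions in the middle break the
    chain; truncation of the tail is only caught when the externally stored
    head hash is supplied as expected_head."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["record"]["seq"] != i or _digest(prev, e["record"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


def flag_bulk_reads(entries, max_resources, window_minutes):
    """Actors whose read events touch more than max_resources distinct records
    inside any window_minutes span (a crude export/exfiltration signal)."""
    by_actor = defaultdict(list)
    for e in entries:
        r = e["record"]
        if r["action"] == "read":
            by_actor[r["actor"]].append((datetime.fromisoformat(r["ts"]), r["resource"]))
    flagged = set()
    for actor, events in by_actor.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {res for t, res in events[i:] if (t - t0).total_seconds() <= window_minutes * 60}
            if len(seen) > max_resources:
                flagged.add(actor)
                break
    return flagged


def edited_copy(entries, seq, field, value):
    """Deep copy with one record field rewritten, to show what verification catches."""
    out = copy.deepcopy(entries)
    out[seq]["record"][field] = value
    return out


def build_sample_log():
    """Constructed events: two normal agent reads, a bulk read by a service account, one update."""
    log = AuditLog()
    log.append("jdoe", "read", "crm/customer/1001", "10.1.4.22", "2026-01-15T09:00:00+00:00")
    log.append("jdoe", "read", "crm/customer/1002", "10.1.4.22", "2026-01-15T09:31:00+00:00")
    for n in range(5):
        log.append("svc-export", "read", f"crm/customer/20{n:02d}", "10.1.9.8",
                   f"2026-01-15T10:00:{n * 10:02d}+00:00")
    log.append("admin", "update", "crm/customer/1001", "10.1.4.5", "2026-01-15T11:00:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify(log.entries, log.head()))
    print("edited:", verify(edited_copy(log.entries, 1, "actor", "mallory"), log.head()))
    print("truncated, no anchor:", verify(log.entries[:-1]))
    print("truncated, anchored:", verify(log.entries[:-1], log.head()))
    print("bulk readers:", flag_bulk_reads(log.entries, max_resources=3, window_minutes=5))
```

The two truncation lines are the ones worth showing an auditor: without the anchored head the shortened log verifies cleanly, with it the verifier reports a break at the missing position. That is why a managed SIEM forwards the chain head (or the whole log) to write-once storage rather than trusting the host that produced it.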

Incident Response Readiness

Breach notification in Texas comes from a separate statute, the Identity Theft Enforcement and Protection Act (Business and Commerce Code § 521.053), not from the TDPSA itself: affected individuals must be notified within 60 days of determining that a breach occurred, and the Attorney General must be notified within 30 days when the breach affects 250 or more Texas residents. Your incident response plan must therefore include defined roles and escalation chains, forensic capability to determine the scope and nature of a breach, consumer notification workflows that meet those timelines, the Attorney General notification step, and post-incident review processes that feed back into your data protection assessments. An endpoint detection and response platform provides the automated containment and forensic depth that makes these response requirements achievable, especially for mid-market teams without a dedicated security operations center.

The NIST Safe Harbor: Your Best Insurance Policy

TRAIGA includes a significant incentive for proactive compliance. A defendant that discovers a violation through its own testing (including adversarial or red-team testing) or internal review, and that was in substantial compliance with the NIST Artificial Intelligence Risk Management Framework (AI RMF) or another nationally or internationally recognized risk management framework, has an affirmative defense if the Attorney General brings an enforcement action [Norton Rose Fulbright].

This is not automatic immunity. The safe harbor requires demonstrable, ongoing adoption: documented policies, implemented technical controls, regular risk assessments, and evidence that the framework is operationalized across the business — not just written into a policy document that lives in a shared drive. But it represents a meaningful risk reduction strategy, particularly for businesses that rely heavily on AI tools embedded in commercial platforms they did not build.

A Dallas managed IT services partner can help implement and maintain the technical controls that make NIST AI RMF adoption credible: AI system inventories, automated monitoring of AI outputs and decision patterns, access governance around AI tools, and the kind of continuous audit documentation that proves ongoing compliance rather than point-in-time checkbox exercises.

The Cost of Inaction

$7,500

per TDPSA violation, per consumer

$200K

maximum per uncurable TRAIGA violation, plus up to $40K per day while a violation continues

100+

active AG investigations since January 2025

The Allstate enforcement action demonstrated that the Attorney General is willing to pursue seven-figure penalties against companies that ignore cure notices [WilmerHale]. For a mid-sized Dallas business with 10,000 customer records in a CRM, a single TDPSA violation affecting those records could theoretically generate $75 million in exposure if each affected consumer is counted as a separate violation. While actual enforcement is unlikely to reach that ceiling, the per-consumer multiplier means that even a modest data handling failure can produce penalties that dwarf the annual IT budget.

TRAIGA's continuing-violation penalty ($2,000 to $40,000 per day) compounds the risk further. An AI compliance failure embedded in a hiring process or customer-facing system that goes undetected for six months accrues exposure every day it remains uncured. The system you deployed to save time in recruiting could become the most expensive tool in your organization.

The calculus is straightforward: the cost of a comprehensive cybersecurity consulting engagement that covers data classification, access controls, encryption, audit logging, vendor contract reviews, and AI governance is a fraction of the exposure under either law. Texas data privacy compliance is no longer a forward-looking initiative — it is a present-tense operational requirement.

Is Your Dallas Business Ready for TDPSA and TRAIGA?

ITECS helps mid-market organizations build the technical infrastructure behind Texas data privacy and AI compliance — from data classification and encryption to audit logging and incident response.



About ITECS Team

The ITECS team consists of experienced IT professionals dedicated to delivering enterprise-grade technology solutions and insights to businesses in Dallas and beyond.
