
Texas Data Privacy Act and the 20-State Patchwork: A 2026 Compliance Playbook

Mike Thrift · 12 min read

By the time you finish reading this sentence, somewhere in the United States a consumer has just clicked "Do Not Sell or Share My Personal Information." If your business operates a website, runs ads, or stores customer email addresses, that single click might already obligate you under one or more of the twenty comprehensive state privacy laws now in effect across the country — and most small business owners have no idea.

The Texas Data Privacy and Security Act (TDPSA) took effect on July 1, 2024, and Texas, until then the most populous state without a comprehensive privacy law, finally had one. But the TDPSA is not the only story. As of 2026, twenty states have active comprehensive consumer privacy laws, twelve states require recognition of universal opt-out signals like the Global Privacy Control (GPC), and three brand-new laws — Indiana, Kentucky, and Rhode Island — kicked in on January 1, 2026. The cure periods that gave early-state laws their training wheels are sunsetting throughout 2026, meaning enforcement is about to get sharper.

This guide unpacks what you actually need to do in 2026 to keep regulators away from your door — without buying a fifty-thousand-dollar privacy program you don't need.

Why Texas Matters More Than You Think

Texas privacy law has one quirk that makes it unlike every other state law: it doesn't care how much money you make or how many records you hold. It cares only whether you fit the U.S. Small Business Administration's definition of a small business — generally fewer than 500 employees, with industry-specific revenue caps.

Most state privacy laws (California's CCPA, Virginia's VCDPA, Colorado's CPA, Connecticut's CTDPA) tie applicability to numerical thresholds: 100,000 consumers, or 25,000 consumers if more than half your revenue comes from selling personal data, or annual gross revenue over $25 million. The TDPSA throws those thresholds out.

This creates a strange inversion. A mid-size Texas-based SaaS company with 600 employees and modest revenue can be fully subject to TDPSA while a high-revenue California startup with 30 employees might be exempt under the SBA threshold but subject under CCPA's revenue test. If you do business in both states, you don't get to pick the friendlier one — you must comply with whichever applies to the consumer making the request.

The TDPSA Sensitive Data Exemption That Isn't

Here is the sneaky part. Even if your business qualifies as a small business under SBA size standards and is otherwise exempt from TDPSA, you still must obtain consumer consent before selling sensitive personal data. So "exempt" doesn't mean "do whatever you want." If you sell email addresses tied to health interests, religious affiliations, precise geolocation, or biometric identifiers, you need opt-in consent regardless of size.

The 20-State Compliance Map

By 2026, comprehensive privacy laws are in effect or about to take effect in: California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Delaware, New Hampshire, New Jersey, Kentucky, Minnesota, Maryland, Rhode Island, Nebraska, and Maryland (Online Data Privacy Act).

Most of these laws follow a "Virginia model" structure: rights to access, correct, delete, port, and opt out, plus controller obligations around notice, data minimization, and processing limits. California sits on its own island with the CCPA/CPRA's broader employee and B2B coverage and unique cybersecurity audit and automated decision-making regulations.

The practical takeaway: build for the strictest common denominator, not for each state in isolation. A privacy program tuned to California, Colorado, and Texas requirements will sweep up obligations under all 17 other state laws.

Consumer Rights You Must Honor in Forty-Five Days

Across nearly every state law, consumers have the same core rights:

  • Access — they can ask what personal data you hold about them.
  • Correction — they can require you to fix inaccurate data.
  • Deletion — they can require you to delete their data (with exceptions for legal holds, fraud prevention, internal use).
  • Portability — they can demand a machine-readable copy.
  • Opt-out of sale, targeted advertising, and profiling — three distinct opt-out rights bundled in most states.

Most laws, including California's CCPA and Texas's TDPSA, give you 45 days to respond, with a 45-day extension where reasonably necessary. You need an authenticated request workflow that intakes, verifies, fulfills, and logs — and you need it to scale beyond a single overwhelmed legal email inbox.

What "Authenticated" Means in Practice

You cannot just take a request at face value. If somebody emails saying "delete all my data," you must verify that person is actually the data subject. Common verification approaches include:

  • Confirming the request from an account login.
  • Matching submitted information against records on file.
  • Sending a confirmation email with a one-time code.
  • Requiring a notarized affidavit for high-risk requests (rare; reserved for cases where data loss would be catastrophic).

Failing to authenticate creates two risks: you delete data for an imposter (a deletion attack), or you disclose personal data to the wrong person (a confidentiality breach). Both are violations.

The Global Privacy Control: A Single Browser Signal That Triggers a Dozen Laws

The single most important technical compliance change for 2026 is the Global Privacy Control (GPC). It's a browser-level signal that automatically tells every website a user visits: "I am opting out of the sale or sharing of my personal information."

By January 1, 2026, twelve states require businesses to honor GPC as a valid opt-out request: California, Colorado, Connecticut, Montana, Nebraska, New Hampshire, New Jersey, Minnesota, Maryland, Delaware, Oregon, and Texas. Some of these states explicitly named GPC; others simply require recognition of any "universal opt-out mechanism" and GPC is the dominant implementation.

What this means technically: your website needs to read the Sec-GPC HTTP header (or the navigator API equivalent) on every request, and when it sees the signal, suppress data sales, cross-context behavioral advertising, and sharing — without prompting the user. No cookie banner. No additional click. Just suppress.

California layered on a 2026 display requirement: businesses must visibly indicate whether the consumer's opt-out preference signal was processed. An "Opt-Out Request Honored" indicator on the page is the emerging standard. Skip this, and a regulator (or a serial plaintiff) can argue you failed to provide notice that the opt-out was accepted.

The Adtech Pipeline Trap

Here is where most companies fail. Honoring GPC at the page level is easy. Honoring it across your downstream adtech stack — Google Ads, Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, every dynamic retargeting vendor — is hard. Each of these vendors has its own opt-out flag, signal, or pixel parameter that you must set when GPC is detected. Miss one, and you continued sharing data with that vendor in violation of state law.

Audit your tag manager. For every vendor that fires on your site, document how it respects GPC. Don't trust marketing claims — test with a GPC-enabled browser and a network sniffer.
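The detection-and-suppression logic described in the GPC section and in the adtech pipeline trap above, as an added example that is not part of the original article and not Beancount.io code. It assumes the signal arrives either as the `Sec-GPC: 1` request header or as the browser's `navigator.globalPrivacyControl` boolean (both real interfaces), and it assumes a constructed tag catalogue in which each vendor tag declares the purpose it serves; the purpose names, tag ids and indicator text are our own. The loader consults the resulting consent state before any tag fires, which is the single gate the article says most sites lack.

```javascript
const GPC_HEADER = "sec-gpc";

// Server side: HTTP header names are case-insensitive, so normalise before
// matching. The GPC spec defines the opt-out value as the string "1".
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === GPC_HEADER) {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Browser side: navigator.globalPrivacyControl is true when the user has
// enabled the signal. The navigator-like object is passed in so the logic
// can be exercised outside a browser.
function gpcFromNavigator(nav) {
  return nav != null && nav.globalPrivacyControl === true;
}

// Translate the signal into a consent state. Field names are our own.
// Strictly necessary processing is unaffected by GPC; sale/share, targeted
// advertising and profiling are all suppressed without prompting the user.
function consentStateFor(gpcSet) {
  return {
    essential: true,
    sellOrShare: !gpcSet,
    targetedAdvertising: !gpcSet,
    profiling: !gpcSet,
  };
}

// Constructed tag catalogue. Every vendor tag must declare one purpose; the
// loader refuses to fire a tag whose purpose is not permitted. Adding a tag
// without a purpose is a wiring error, not a silent allow.
const TAGS = [
  { id: "first-party-analytics", purpose: "essential" },
  { id: "retargeting-pixel-a", purpose: "targetedAdvertising" },
  { id: "audience-sync-b", purpose: "sellOrShare" },
  { id: "lookalike-modeling-c", purpose: "profiling" },
];

function tagsAllowedToFire(consent, tags = TAGS) {
  return tags
    .filter((t) => t.purpose in consent && consent[t.purpose] === true)
    .map((t) => t.id);
}

// California's 2026 display requirement: visibly tell the consumer whether
// the opt-out preference signal was processed. Returns the text to render.
function optOutIndicatorText(gpcSet) {
  return gpcSet ? "Opt-Out Request Honored" : "No opt-out preference signal detected";
}

// Glue for a real page: decide once per page load, then hand the allow-list
// to the tag manager and the indicator text to the footer.
function decideForRequest({ headers, nav }) {
  const gpcSet = gpcFromHeaders(headers) || gpcFromNavigator(nav);
  const consent = consentStateFor(gpcSet);
  return { gpcSet, allowedTags: tagsAllowedToFire(consent), indicator: optOutIndicatorText(gpcSet) };
}

module.exports = { gpcFromHeaders, gpcFromNavigator, consentStateFor, tagsAllowedToFire, optOutIndicatorText, decideForRequest, TAGS };
```

The test the article recommends (a GPC-enabled browser plus a network sniffer) is still the final word: this gate only helps if every vendor tag actually loads through it, so any tag added directly to the page template bypasses the catalogue and will show up in the capture as a request that should not have been made.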

Sensitive Data: Opt-In Consent Required

Across nearly every state law, processing sensitive personal data requires affirmative opt-in consent. Sensitive data typically includes:

  • Social Security numbers, driver's license numbers, passport numbers, financial account credentials.
  • Biometric data used to identify a person.
  • Health and medical information not already covered by HIPAA.
  • Precise geolocation (often defined as within 1,750 feet or a similar radius).
  • Racial or ethnic origin.
  • Religious beliefs.
  • Sexual orientation, gender identity.
  • Citizenship or immigration status.
  • Children's personal data (under 13, sometimes under 16).

Consent must be freely given, specific, informed, and unambiguous. Pre-checked boxes don't count. Bundling consent inside a general terms-of-service acceptance doesn't count. Buried disclosures don't count. If you process sensitive data, you need a dedicated consent flow with clear language and a record of how, when, and where consent was captured.

Data Processing Agreements: Vendor Contracts Are Now a Compliance Requirement

Every state privacy law requires that businesses sharing personal data with third-party vendors (called "processors" or "service providers") sign a written contract — a Data Processing Agreement (DPA) — governing that data.

A compliant DPA in 2026 must:

  1. Specify the nature, purpose, and duration of processing.
  2. Identify the types of data and categories of consumers involved.
  3. Bind the processor to confidentiality obligations.
  4. Require the processor to assist with consumer rights requests.
  5. Require the processor to delete or return data at contract termination.
  6. Permit audits and require subprocessor flow-down.
  7. Restrict cross-border transfers and impose security obligations.

If you use SaaS tools — Stripe, HubSpot, Mailchimp, Intercom, Slack, AWS, Google Workspace — you need DPAs on file with all of them. Most major vendors offer click-through DPAs. The miss happens with niche tools, freelancers, contractors, and one-off integrations that nobody thought of as "vendors."

Data Protection Assessments: When You Need to Document Risk

Most state laws require Data Protection Assessments (DPAs — confusingly, same acronym as Data Processing Agreement) for processing activities that present heightened risk. Trigger activities include:

  • Processing for targeted advertising.
  • Sale of personal data.
  • Profiling that produces legal or similarly significant effects.
  • Processing of sensitive data.
  • Any processing presenting a heightened risk of harm.

Texas, Virginia, Colorado, Connecticut, and others all require these. The assessment must weigh benefits to the controller, consumer, public, and processor against risks to the consumer, with mitigations documented. Keep these on file. Regulators can subpoena them during an investigation.

The Cure Period Cliff: Why 2026 Is Different

Early state privacy laws came with "right to cure" provisions — a 30- or 60-day grace period after a regulator issued a notice of violation, during which the business could fix the problem before any penalty attached. This was designed as training wheels.

In 2026, those training wheels are coming off. Cure periods sunset throughout 2026 in Connecticut, Delaware, Kentucky, Minnesota, and Montana. Rhode Island's brand-new law had no cure period to begin with. California's cure period expired years ago.

Texas kept its 30-day cure period with no sunset, which is unusually generous. But penalties after that 30-day window are up to $7,500 per violation. With consumer privacy claims, "per violation" often means per affected consumer — multiply that by your customer database and the math gets ugly fast.

Tying Privacy Compliance to Your Books

Privacy compliance touches finance more than most operators realize. Three areas in particular:

Vendor cost allocation. Privacy compliance vendors — consent management platforms, DSAR fulfillment tools, identity verification services, privacy counsel retainers — are operating expenses you should track separately so you can report cost-of-compliance to your board and make ROI decisions about which laws to over-comply with versus where to accept risk.

Breach reserve. Most state laws don't explicitly require you to set aside funds for potential breaches, but if you process sensitive data at scale, building a contingent liability reserve is good hygiene. Even small breaches trigger notification costs, credit monitoring offers, and forensic investigation fees that can run six figures.

Insurance documentation. Cyber liability insurers increasingly require documentation of your privacy program — written policies, DPA inventory, GPC implementation testing, DSAR response logs — at renewal. Maintaining clean records can move the needle on premiums.

Accurate bookkeeping with a clear chart of accounts that segregates privacy compliance costs, vendor expenses, and incident response reserves makes annual budget reviews, board reports, and insurance renewals far less painful.

The Practical 2026 Compliance Stack

If you are starting from zero, here is the minimum viable privacy program for a small or mid-size U.S. business in 2026:

  1. Identify which laws apply. Map your customer base, headcount, and revenue to each state's applicability thresholds.
  2. Publish a single consolidated privacy notice that satisfies the strictest applicable law. Include sensitive data disclosures, sale/share disclosures, processing purposes, retention periods, consumer rights, and a contact channel.
  3. Build a DSAR workflow. Pick a tool (or a structured email-and-spreadsheet process if you're small) that intakes, authenticates, fulfills, and logs requests within 45 days.
  4. Implement GPC honoring. Read the signal at the page level. Suppress sales and targeted advertising vendors when set. Display an opt-out-honored indicator if you have California traffic.
  5. Sign DPAs with every vendor. Inventory all vendors. Sign the DPA. Store it where you can find it.
  6. Conduct DPAs for high-risk processing. Document each one. File them.
  7. Establish a sensitive data consent flow with affirmative opt-in and recorded evidence.
  8. Document your security program. Most state laws require "reasonable" security. Reasonable looks like written policies, access controls, encryption in transit and at rest, vulnerability management, and incident response procedures.

Common Mistakes Small Businesses Make

  • Assuming the SBA small business exemption gets you out of TDPSA entirely. It doesn't — sensitive data processing still requires consent.
  • Treating cookie banners as a privacy program. Banners are one tactic. They don't substitute for DSAR processes, DPAs, or GPC honoring.
  • Ignoring vendor flow-down. Your DPAs with vendors need to require those vendors to flow obligations down to their subprocessors. Most boilerplate DPAs cover this, but read before you sign.
  • Treating opt-outs as marketing decisions. Honoring an opt-out is a legal requirement, not a preference. Suppress the data flow even if it hurts retargeting performance.
  • Letting cure periods lapse before acting. If you receive a notice of violation, you have a finite window. Move immediately, document the cure, and get written confirmation from the regulator.

Keep Your Compliance Records Clean From Day One

As you build out a privacy compliance program across the multi-state patchwork, you will accumulate vendor invoices, consultant retainers, insurance premiums, and incident response costs that need to be tracked, categorized, and reported. Beancount.io provides plain-text accounting that gives you complete transparency and version control over your financial data — making annual board reports, insurance renewals, and cost-of-compliance analyses dramatically easier than wrestling with a black-box ledger. Get started for free and see why developers, finance professionals, and privacy-conscious operators trust plain-text accounting for their business books.