
Texas's Tough New Consumer Data Privacy Law

Hakim Danyal
Navigate the New Frontier: Unraveling Texas's Groundbreaking Data Privacy Law

Intro

Texas passed its tough data privacy legislation, the Texas Data Privacy and Security Act (TDPSA), on May 28, 2023. The law comes into effect on July 1, 2024. It takes its basics from the Virginia Consumer Data Protection Act (VCDPA), but the TDPSA differs significantly in scope, definitions, and the obligations it places on controllers.

Why is it "Tough"?

The TDPSA is considered "tough" because of its comprehensive and rigorous approach to consumer data protection. It broadens the scope of applicability compared to previous laws by covering entities that process or sell personal data and either conduct business in Texas or produce products or services consumed by Texans, regardless of whether these entities specifically target Texas residents. It also avoids the ambiguity of data volume and revenue thresholds, instead focusing on well-defined categories of "small businesses."

How does Texas define "Personal Data"?

The law includes broad definitions for terms like "personal data" and "sale of personal data," capturing a wide range of data transactions. Moreover, the definition of "consent" is narrow and demands a clear, unambiguous agreement from the consumer to process personal data, setting a high standard for consumer agreement.

What is required of a business?

A business taking consumer data is called a "Data Controller," and its obligations are rigorous: data protection assessments for high-risk processing activities, clearly defined privacy notices for consumers, and stringent measures to protect personal data. Controllers are also required to respond to consumer rights requests within a specified timeframe, providing another layer of consumer protection.

Who is going to enforce the law?

Enforcement is vested in the Attorney General, with potential penalties of up to $7,500 per violation, which can mount to significant sums for systemic or repeat offenses.

Bottom line

All these elements make the TDPSA a robust and comprehensive privacy law, demanding high standards of data protection and accountability from businesses. It aims to protect consumers' data rights rigorously, making it a "tough" law in the realm of privacy legislation.

What "Personal Data" Means for Your Shopify or BigCommerce Store

The TDPSA's definition of personal data is deliberately broad, which affects how you collect and handle customer information. It includes not just names and email addresses, but also IP addresses, cookie identifiers, device IDs, and behavioral data. If you're running a Shopify store and using Google Analytics or Meta Pixel to track customer behavior, that pixel data qualifies as personal data under Texas law.

This matters because you need to know what you're actually collecting. Many eCommerce brands assume they only need consent for email addresses, but the TDPSA treats pixel tracking, retargeting data, and analytics as personal data collection too. If a Texas resident visits your site, their browsing behavior becomes your responsibility the moment you start tracking it.

The law also captures inferred data—information you derive about a customer based on their actions. If you use an AI tool to predict purchase behavior or segment customers by income level, that prediction is personal data. You can't rely on anonymized or aggregated data as an escape hatch either. The TDPSA requires robust anonymization that makes re-identification "reasonably impracticable," a high bar that most standard anonymization techniques don't clear.

This means your data inventory needs to be honest and complete. Audit every tool connected to your Shopify admin: Klaviyo, Gorgias, Privy, Recharge, and any third-party app that touches customer data. Document what each tool collects and how it's used.

Your Obligations as a "Data Controller"—and When You're Not Alone

The TDPSA designates your brand as a "Data Controller" if you decide how and why personal data gets collected and used. But here's where eCommerce gets complicated: you're not always acting alone. When you use Shopify, you're likely sharing data with payment processors, email platforms, and fulfillment partners. Shopify itself may be a processor on your behalf, or a joint controller, depending on the arrangement.

This shared responsibility is crucial to understand because violations can expose all parties. If Klaviyo mishandles Texas customer data, your brand could face enforcement action even if you didn't directly cause the breach. You need written data processing agreements with every vendor that touches customer data.

For most mid-market eCommerce brands, this means:

  • A DPA (Data Processing Agreement) with Shopify or BigCommerce
  • Clear contractual language with email platforms about how Texas data is handled
  • Explicit agreements with payment processors about PCI compliance and data retention
  • Documentation of third-party tools that receive customer data, even indirectly

If you use customer data for targeted advertising through Meta Pixel or Google Ads, you're a controller. If you use Klaviyo to send marketing emails, you're a controller. The TDPSA doesn't let you hide behind "we're just using a platform"—you own the decisions about what data to collect and why.

Start by mapping your data flow. Know exactly where every data point goes and why. This protects you during enforcement and makes responding to consumer rights requests much faster.

Consumer Rights Requests: What You Actually Need to Do

When a Texas customer asks to see what data you hold about them—a Data Subject Access Request (DSAR)—you have a tight deadline. The TDPSA requires you to respond within 45 days. For eCommerce brands managing thousands of transactions monthly, that's manageable only if you have a process in place.

A DSAR might ask you to produce:

  • All purchase history and transaction records
  • Communication logs (emails, support tickets)
  • Browsing data collected through pixels
  • Data shared with third parties
  • Any inferred or derived information about them

You can't just send a CSV export. You need to actually gather and organize information from every system—your Shopify backend, Klaviyo, payment processors, analytics platforms, and customer service tools. If you use a CRM or attribution tool, that data gets included too.

Many brands underestimate how fragmented their data is. Customer records live in Shopify, email history in Klaviyo, support tickets in Gorgias, and behavioral data in Google Analytics—none of which automatically talk to each other. Fulfilling a single DSAR can require manual work across five or six platforms.

The TDPSA also requires you to disclose which third parties received that customer's data. If you shared an email address with a marketing partner, or a device ID with an analytics vendor, you must disclose it. This is information most brands don't readily have documented.

How to Stay Compliant Without Killing Your Growth

Compliance doesn't mean shutting down your marketing engine. It means being intentional about data use and transparent with customers. Most Texas residents don't object to targeted ads or personalization—they object to secret data use.

Start with your privacy notice. Make it specific to what you actually do: "We use Google Analytics to track which products you view. We use Meta Pixel to show you ads on Instagram. We share your email with Klaviyo to send newsletters." Avoid vague language like "optimize your experience."

Then tackle consent. If you collect personal data beyond what's necessary to complete a transaction, you need affirmative consent from Texas residents. A cookie banner that says "We use cookies" isn't enough under the TDPSA. You need explicit agreement to tracking and marketing uses.

Finally, build a documented process for handling DSARs. When a request comes in, you need a workflow that gathers data from all your platforms, organizes it, and delivers it within 45 days. Without a system, you'll miss deadlines and face penalties.
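As an added illustration (not code from the article or from any of the platforms it names), the script below sketches the two pieces this section and the earlier data-inventory section ask for: a data-flow map of which vendors receive which identifiers, and a DSAR workflow that pulls one customer's records from every system, flags inferred data, lists the third parties to disclose, and tracks the 45-day deadline. All platform exports and the vendor map are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

RESPONSE_DEADLINE_DAYS = 45  # TDPSA response window described in the article

# Constructed sample exports standing in for the platforms the article names.
SOURCES = {
    "shopify": [{"email": "ana@example.com", "order_id": "1001", "total": 59.00}],
    "klaviyo": [{"email": "ana@example.com", "campaign": "spring-sale", "opened": True}],
    "gorgias": [{"email": "ana@example.com", "ticket": "T-77", "subject": "Late delivery"}],
    "analytics": [{"email": "ana@example.com", "pages_viewed": ["/shoes", "/cart"],
                   "inferred_segment": "high-intent"}],
}
# Constructed data-flow map: which third party receives which identifiers.
THIRD_PARTY_RECIPIENTS = {
    "klaviyo": ["email"],
    "meta_pixel": ["device_id", "pages_viewed"],
    "payment_processor": ["email", "order_id"],
}

@dataclass
class DsarResponse:
    subject: str
    received: date
    due: date
    records: dict = field(default_factory=dict)   # per-system records for the subject
    recipients: list = field(default_factory=list)  # third parties that must be disclosed
    inferred: list = field(default_factory=list)    # derived fields, also personal data

def fulfil_dsar(subject_email, received_iso, sources=SOURCES, recipients=THIRD_PARTY_RECIPIENTS):
    received = date.fromisoformat(received_iso)
    resp = DsarResponse(subject_email, received, received + timedelta(days=RESPONSE_DEADLINE_DAYS))
    for system, rows in sources.items():
        matches = [r for r in rows if r.get("email") == subject_email]
        if matches:
            resp.records[system] = matches
            # Inferred/derived data counts as personal data and goes in the response.
            resp.inferred += [f"{system}:{k}" for r in matches for k in r if k.startswith("inferred_")]
    # Disclose every vendor that received any identifier present in the subject's records.
    held = {k for rows in resp.records.values() for r in rows for k in r}
    resp.recipients = sorted(v for v, fields in recipients.items() if held & set(fields))
    return resp

def is_overdue(resp, today_iso):
    """True once the 45-day response window has passed without delivery."""
    return date.fromisoformat(today_iso) > resp.due
```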

The good news: your eCommerce business doesn't need to change fundamentally. You just need visibility into your data practices and the ability to prove compliance when Texas's Attorney General comes knocking.
