How Texas Is Reshaping Privacy Enforcement: 5 Compliance Strategies to Know

May 1, 20255 min read

Share this article

Is your compliance program ready for the next era of privacy enforcement?

Texas isn’t just talking about privacy—they’re taking action. And their approach could redefine what compliance means across the U.S.

Recently I had the opportunity to moderate an exclusive session, hosted by Transcend in partnership with the Future of Privacy Forum (FPF), featuring Tyler Bridegan, Director of Privacy and Tech Enforcement at the Texas Attorney General’s Office. The conversation offered an inside look at Texas’s evolving privacy enforcement model, from the state’s first comprehensive privacy lawsuit to what companies can expect as investigations expand.

I was also joined by Keir Lamont, Senior Director of U.S. Legislation at FPF, who provided insight into how Texas’s approach fits into the broader U.S. privacy landscape—what’s aligning, where it’s diverging, and what it all signals for the future of compliance.

Read on for five best practices to help your team stay ahead (and watch the full conversation).

1. Foster a collaborative relationship with regulators

Texas is building one of the country’s largest and most specialized state privacy enforcement teams, and collaboration is at the core of its approach.
“We’re a team of about 20 personnel made up of attorneys, privacy analysts, technologists, and support staff…we do a lot of cross-office collaboration,”​ Bridegan explained.

He encouraged companies to engage with regulators early and proactively, be transparent about their privacy efforts, and reach out for guidance when needed. As he put it, “We’re not here to catch people off guard, we want to work with companies and privacy professionals who are doing the right thing. We’re all in this together to ensure privacy protections, and collaboration is key.”

Historically, many companies have feared that engaging with regulators might open them up to added scrutiny. But what stood out most in our conversation was how much collaboration is truly encouraged. I shared this concern during the session:

“I think the fear from the operational side is once we might show you something, maybe a new feature that’s a little risky, we’re suddenly on your radar. But hearing that your office is open to that kind of dialogue, and even has technologists who can speak to our teams, is really helpful."

It was refreshing to hear directly regulatory bodies value transparency and openness in dealing with privacy issues. The takeaway? Building a cooperative relationship can ensure that your organization is seen as proactive and responsible, rather than reactive and non-compliant.

One of the clearest takeaways from our conversation was that consent should no longer be treated as a check-the-box exercise. Regulators expect more and companies should too. As Bridegan put it:

“There’s never going to be one right way to obtain consent… but when you’re burying the lead or not indicating the lead at all, you’re going to face an uphill battle with our office—and I assume most AGs—of convincing them that there was in fact consent.”​

In our conversation, we talked about how consent needs to be clear, specific, and use-case driven, particularly when sensitive personal information is involved. Planning to track users by geolocation? One screen to obtain consent might not cut it anymore. Bridegan emphasized that for consent to be valid under Texas Data Privacy and Security Act (TDPSA), companies must disclose how personal data will be processed—not just that it will be.

“A consumer might’ve agreed to have geolocation tracking on but are they agreeing for it to be used for specific purposes, which is required under our law?” he asked. “To have actual consent under our law, you have to disclose how you’re going to process the personal data.”​

That means use-case-level consent prompts, especially for higher-risk data types, are not just a best practice; they may soon be required.

I also appreciated Tyler’s point that his office evaluates enforcement through a lens of reasonableness, not perfection. If you can point to what you did and explain why you thought it was appropriate, they’re open to conversation and improvement. But that only works if the initial effort was made in good faith and designed to inform users, not obscure the truth. Like he explained:

“At a minimum, there needs to be a good faith effort to comply with the law and make sure consumers are informed about what you’re doing with their sensitive data.”​

3. Prepare for multi-state collaboration in privacy enforcement

While Texas is forging its own path, multi-state collaboration in privacy enforcement is becoming more common. States are aligning on shared principles and enforcement strategies, making it increasingly important for businesses to stay updated on state-specific requirements.

Stay proactive and be ready to adapt to the evolving patchwork of state laws. As Keir Lamont explained, “There’s a growing recognition that privacy laws are best enforced when states share insights, collaborate on investigations, and align on frameworks. This isn’t just a Texas thing, it’s becoming a national effort.”

4. Act quickly during cure periods—don’t drag your feet

Texas, like many other states, allows a 30-day cure period under the TDPSA for companies to address privacy violations before formal enforcement actions are taken. However, the cure period shouldn’t be seen as an opportunity to procrastinate—30 days goes by quickly, especially when the actions you need to take to cure involve product changes.

When you identify a violation, communicate your remediation plans promptly and stay transparent with regulators throughout the process—use it as a chance to show regulators you’re addressing issues in good faith. As Bridegan emphasized, “We understand that mistakes happen, but the key is how you respond. Proactive communication and a clear plan of action show that you’re committed to compliance and are taking the issue seriously.” Failing to act quickly could lead to formal enforcement and penalties, so make sure you move swiftly and responsibly to correct any issues.

5. Be ready for a national privacy law—but build for the patchwork

The U.S. still lacks a national privacy standard, but pressure is building for federal privacy legislation. States like Texas could serve as models for future federal laws, especially in how they balance operational feasibility with meaningful consumer protections.

Stay informed about both state and potential federal regulations. While Texas provides valuable insights into state-level enforcement, federal privacy law is still expected to arrive at some point, and its scope will likely impact your compliance strategies. As Lamont pointed out, “The United States is now the only G20 nation without a kind of national approach to consumer privacy rights and protections. Take me for example—I live in Washington, D.C. I’m a jogger. I can go three miles south and I’m in Virginia, which has a privacy framework. I can jog three miles north and I’m in Maryland, which has a totally different privacy framework. I can sit on my couch and drink chocolate milk to recover and be protected by basically no privacy rights. That’s no way to run a country. That’s not good for consumers. That’s not good for businesses.”

Until we get a federal standard, whenever that may be, privacy teams have to build for the world we’re in, not the one we’re hoping for. That means designing systems that can flex with state-by-state differences, whether it’s around disclosures, consent rules, or how sensitive data is defined. If you're treating the patchwork like a short-term problem, you're setting yourself up for a long-term scramble.

Final thoughts: be proactive, stay transparent, and expect collaboration

As Texas and other states ramp up privacy enforcement, compliance teams must remain proactive, transparent, and ready to collaborate. Whether you’re rolling out new features, managing third-party data sharing, or responding to consumer complaints, now is the time to strengthen your compliance posture and engage with regulators proactively.

🎥 Watch the full webinar here: Texas Privacy Roundup Webinar

Stay connected:
📨 Subscribe to our Newsletter: Subscribe
💼 Follow us on LinkedIn: Follow
▶️ Subscribe on YouTube: Subscribe


Share this article