ARTICLE
2 March 2026

Privacy Legislation In Texas: What Happened In 2025 And What's Next

HK
Holland & Knight

Contributor

Holland & Knight logo
Holland & Knight is a global law firm with nearly 2,000 lawyers in offices throughout the world. Our attorneys provide representation in litigation, business, real estate, healthcare and governmental law. Interdisciplinary practice groups and industry-based teams provide clients with access to attorneys throughout the firm, regardless of location.
Explore Firm Details
In 2025, Texas demonstrated its intention to be an aggressive privacy legislator and regulator...
United States Privacy
Bart Huffman,Haylie D. Treas, and Madison Fleischaker
Your Author LinkedIn Connections
Holland & Knight are most popular:
  • within Strategy topic(s)

Highlights

  • In 2025, Texas demonstrated its intention to be an aggressive privacy legislator and regulator – a trend that is expected to continue in 2026.
  • Significant legislative developments and regulatory enforcement actions in Texas in the privacy space have impacted – and will continue to impact – a broad variety of industries and data practices.
  • The Texas Attorney General is actively litigating alleged privacy violations, with particular focus on transparency and collection of data from vulnerable populations.

Legislative Developments in 2025

This Holland & Knight alert reviews several key privacy-related laws that became effective in 2025, with a regulatory outlook in 2026.

Texas Responsible Artificial Intelligence Governance Act

Effective January 1, 2026, the Texas Responsible Artificial Intelligence Governance Act (TRAIGA) imposes obligations on persons and entities developing or deploying artificial intelligence (AI) in Texas, as well as on governmental entities. TRAIGA prohibits any entity from developing or deploying AI systems for certain purposes, including intentional unlawful discrimination or other statutorily defined harms, such as the generation and distribution of illegal or explicit materials.

Governmental entities face additional requirements under TRAIGA. In particular, government entities must clearly and conspicuously disclose AI interactions to the public before or at the time of the interaction.

TRAIGA also establishes an AI advisory council with certain responsibilities, including providing guidance on AI ethics, recommending AI governance reforms to the legislature, identifying opportunities for AI implementation in state government operations and monitoring the newly established AI regulatory sandbox program. The regulatory sandbox allows persons and business entities to test new AI systems with temporary legal protections and limited liability.

In addition, TRAIGA amends the Texas Data Privacy and Security Act (TDPSA) to clarify that processors must assist controllers in adhering to security requirements. This amendment ensures that these responsibilities extend to data collected, stored and processed by AI systems.

TRAIGA also amends the Texas Capture or Use of Biometric Identifiers Act to clarify that training an AI system on data (such as images) that could constitute biometric identifiers is not necessarily a use of biometrics subject to the requirements of the Texas Capture or Use of Biometric Identifiers Act (e.g., where not used for unique identification of specific inpiduals).

Texas App Store Accountability Act

The short-lived Texas App Store Accountability Act would impose requirements and restrictions on app stores and app developers to implement age verification and obtain parental consent for downloads and purchases made by minors. Though scheduled to come into force on January 1, 2026, an injunction was issued on December 23, 2025, by the U.S. District Court for the Western District of Texas, preventing it from taking effect. The Texas App Store Accountability Act is similar to laws passed in Utah and Louisiana. It is likely to reappear (in modified form) with a still-broad scope and technical implications for app developers.

As written, the act would apply to "app stores," which, broadly interpreted, would include platforms that distribute software and apps to mobile devices, as well as to "developers," which would encompass entities distributing apps through covered platforms. The act would require developers to receive and appropriately respond to age signals sent from the app stores. This, in turn, would have direct implications under the federal Children's Online Privacy Protection Act (COPPA) and various other privacy and consumer protection laws.

Texas Data Broker Act Amendments

Two amendments to the Texas Data Broker Act, both of which took effect on September 1, 2025, clarify the definition of a "data broker" and impose additional requirements.

Senate Bill (SB) 2121, as passed, clarifies the definition of "data broker" under the Texas Data Broker Act. Previously, that definition encompassed a business whose "principal source" of annual revenue is derived from collecting, processing or transferring personal information. The amendment modifies the definition of "data broker" to align with the applicability thresholds in another section of the Texas Data Broker Act.

As amended, data brokers are businesses that:

  • derive more than 50 percent of annual revenue from processing personal information, or
  • derive revenue from processing or transferring personal information of more than 50,000 Texas residents in a year (not including inpiduals from whom the business collected the information directly)

SB 1343, as passed, adds to the notice obligations of data brokers to inform consumers how to exercise rights they may have under the TDPSA. This notice requirement is in addition to the existing requirements that a data broker must post a conspicuous notice on its website or mobile application that 1) states it is maintained by a data broker and 2) contains any additional content requirements mandated by the Texas Secretary of State (of which there are none as of this writing).

Texas Genomic Act

The Texas Genomic Act of 2025, effective September 1, 2025, focuses on national security concerns related to genetic data. It prohibits medical facilities, research facilities, companies, and nonprofit organizations that conduct genome sequencing or research in Texas from using genome sequencers or software produced by or on behalf of foreign adversaries, storing genomic data within foreign adversary countries, or allowing persons located in such countries to access Texas residents' genomic data.

Foreign adversaries, as of February 2026, include China, Cuba, Iran, North Korea, Russia, and Venezuela. The act requires covered entities to submit annual certifications of compliance to the Texas AG, who has investigative authority over potential violations.

Notably, the Genomic Act provides a private right of action – Texas residents harmed by violations may recover actual damages or statutory damages up to $5,000 per violation, plus attorneys' fees.

This is not the only recent legislation in this space. In 2023, Texas enacted legislation regulating direct-to-consumer genetic testing by establishing inpidual property rights in genetic samples, data, and analysis.

2026 Outlook

Under Texas' biennial legislative schedule, the legislature will not be in regular session again until 2027. New privacy legislation is unlikely unless the Texas governor calls a special session and the topic is addressed during that session.

Regulatory Action

The Texas AG (self-described as a national leader in data privacy enforcement) continued along an aggressive path in the enforcement of data privacy and consumer protection laws, using litigation as a primary enforcement tool.

Enforcement has been directed at organizations leveraging AI, geolocation data and automated content recognition, especially where these technologies intersect with sensitive populations, such as children, or occur without sufficient disclosures or other transparency measures.

In 2025, the Texas AG brought suits and initiated investigations for alleged violations of the TDPSA and Texas' Securing Children Online Through Parental Involvement (SCOPE) Act, among other laws. A little further back, the Texas AG sent notices to more than 100 companies in 2024 for their apparent failure to register under the Texas Data Broker Act and has since included alleged violations of that act in broader actions it has brought under the TDPSA.

View enforcement actions and litigation initiated by the Texas AG.

Key Takeaways

  • Organizations may wish to review again the audience of their mobile app, keeping in mind that even if Texas' App Store Accountability Act remains enjoined, other child-protective, age-verification laws will continue to be passed and take effect. It seems likely that organizations will need to be ready to not only meet the technical requirements of these laws (and address user interface and other design implications) but also analyze the implications of having increased knowledge of the age of users under other privacy and consumer safety laws.
  • Both enforcement actions and legislative efforts signal that companies collecting data from or interacting with minors face heightened scrutiny in Texas. If working with children's data, companies should regularly review their information governance practices for compliance with this developing area of law.
  • With no regular legislative session until 2027, the Texas AG will be the primary one to watch when it comes to privacy enforcement and policy developments in Texas in 2026.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Bart Huffman
Bart Huffman
Photo of Haylie D. Treas
Haylie D. Treas
Photo of Madison Fleischaker
Madison Fleischaker
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More