In a move that underscores Texas’s growing focus on consumer protection, the state has amended its Regulation of Telephone Solicitation (RTS) law—often called the “mini-TCPA” due to its similarities to the federal Telephone Consumer Protection Act (TCPA)—to impose new registration requirements on businesses sending marketing text messages. Effective September 1, 2025, these changes expand the law’s scope to include SMS and short-code messaging, requiring most sellers to register with the Texas Secretary of State before targeting Texas residents. This applies even to messages sent with recipient consent or opt-in, unless a specific exemption applies.
This increases the risks of Texas private right of action lawsuits and ironically was also covered by Tauler Smith who has been the biggest filer of private right of action demands for data privacy violations last quarter.
Texas Mini-TCPA: Expanded Scope and Compliance Challenges
The RTS law, codified in Chapter 302 of the Texas Business and Commerce Code, has long regulated telephone solicitations to protect consumers from unwanted calls. However, Senate Bill 140 (SB 140), enacted during the 89th Legislative Session and signed into law, marks a significant expansion effective September 1, 2025. This amendment redefines “telephone solicitation” to explicitly include not just voice calls but also text or graphic messages, images, and other transmissions sent to mobile numbers for the purpose of inducing a purchase, rental, claim, or receipt of goods or services. This shift addresses a gap in prior regulations, where text-based marketing often escaped scrutiny, allowing companies to send unsolicited SMS without robust oversight. The law now treats these as equivalent to traditional telemarketing calls, whether initiated by humans, automated dialing systems, or recorded messages.
A core component of the mini-TCPA is the mandatory registration for sellers engaging in such solicitations from any business location. Sellers must file a verified registration statement with the Texas Secretary of State, providing detailed information including names, addresses, telephone numbers, organizational structure, criminal convictions related to fraud or theft, sales scripts, and more. The process involves a $200 filing fee and a $10,000 security deposit in the form of a bond, irrevocable letter of credit, or certificate of deposit, which serves as protection for consumers in cases of bankruptcy or breach. Registration is valid for one year, requiring annual renewal, and sellers must submit quarterly updates on salespersons and report material changes promptly. This requirement extends to out-of-state businesses if they target Texas residents, emphasizing the extraterritorial reach of the law.
The amendment’s tie-in with telemarketing is evident in its alignment with broader prohibitions, such as restrictions on automated dialing without consent and mandatory disclosures during calls (e.g., seller’s name, purpose, and registration number). Violations now fall under the Deceptive Trade Practices-Consumer Protection Act (DTPA, Chapter 17), classifying them as false, misleading, or deceptive acts, which opens the door to both public enforcement by the Attorney General and private lawsuits by consumers. This integration amplifies litigation risks, as DTPA allows for treble damages in cases of willful violations, potentially leading to class actions that mirror federal TCPA suits.
Penalties for noncompliance are severe, with administrative fines up to $1,000 per violation, civil penalties up to $20,000 under DTPA, and criminal charges as Class A misdemeanors for knowing violations. Specifically for unregistered text solicitations, penalties can reach $5,000 per message, making even small-scale campaigns costly if noncompliant. Consumers can seek damages of up to $500 per violation (or actual losses), with treble damages for intentional acts, and recover attorney fees. The law also prohibits certain practices, like using blocked caller ID or making calls outside permitted hours (8 a.m. to 8 p.m.).
To navigate this, businesses should understand exemptions, which provide relief for certain entities but require proof in enforcement actions. Here’s a bullet-point list of key exemptions and compliance tips:
- Exempt Entities: Publicly traded companies and their subsidiaries, banks and financial institutions regulated by federal laws like Gramm-Leach-Bliley, accredited educational institutions, 501(c)(3) nonprofits, and entities regulated by the PUC or FCC.
- Customer Relationship Exemptions: Businesses sending texts only to existing customers, provided they’ve operated under the same name for at least two years and the messages relate to prior purchases or maintenance.
- Other Exemptions: Media subscription sellers, catalog-based sales meeting specific criteria, food solicitations, and isolated transactions not part of a pattern.
- Compliance Steps: Audit all SMS campaigns for Texas numbers; verify consent documentation (though registration is still required); register promptly via the Secretary of State’s form; maintain records of scripts and opt-outs; consult legal counsel for exemption claims to avoid burden-of-proof issues.
This expansion reflects Texas’s proactive stance against invasive marketing, potentially increasing litigation as seen in other states with mini-TCPAs. Businesses, especially in e-commerce and lead generation, face heightened risks if they rely on web-form consents without registration, as the law applies broadly. It’s clear the mini-TCPA is evolving into a robust tool for consumer empowerment, demanding immediate action from marketers.
This amendment doesn’t exist in isolation—it’s part of Texas’s broader push to regulate emerging technologies and protect consumer data. Enter the Texas Responsible Artificial Intelligence Governance Act (TRAIGA), signed into law on June 22, 2025, and set to take effect January 1, 2026. Often misspelled as “TRIAIGA”, TRAIGA establishes a comprehensive framework for AI development, deployment, and oversight, aiming to mitigate risks like bias and misuse while fostering innovation. For companies using AI in marketing—such as automated text campaigns powered by generative AI for personalized messaging—TRAIGA introduces compliance layers. Businesses must ensure AI systems adhere to transparency, accountability, and ethical standards, potentially overlapping with RTS requirements if AI handles consent management or targeting Texas numbers. This convergence highlights Texas’s strategy: balancing tech growth with safeguards, especially as AI tools increasingly intersect with consumer communications.
Ken Paxton Ramping Up Enforcement Thanks to The Texas Data Privacy and Security Act (TDPSA): Provisions, Enforcement, and Implications
Fueling this regulatory momentum is the Texas Data Privacy and Security Act (TDPSA), codified in Chapter 541 of the Business and Commerce Code, which took effect on July 1, 2024. Modeled after comprehensive privacy laws like Virginia’s CDPA, the TDPSA grants Texas residents robust rights over their personal data while imposing stringent obligations on businesses that process or sell such data. It applies to entities conducting business in Texas or targeting its residents, excluding small businesses (per SBA definitions) except for sensitive data sales, and carves out exemptions for nonprofits, higher education, financial institutions under GLBA, HIPAA-covered entities, and utilities. The law’s scope covers personal data—any information linked or linkable to an individual—but exempts deidentified data, employment records, and data under federal laws like FCRA or FERPA.
Key consumer rights under Subchapter B empower individuals to control their data in marketing and AI contexts. Residents can confirm processing, access, correct inaccuracies, delete, or port their data, and opt out of targeted advertising, data sales, or automated profiling with legal effects. Controllers must respond within 45 days (extendable), free twice yearly, and establish appeal processes. Businesses (controllers) face obligations like limiting collection to necessary purposes, implementing data security, providing transparent privacy notices detailing categories processed, purposes, and rights exercise methods. They cannot discriminate against rights-exercising consumers or process sensitive data (e.g., health, biometrics, precise geolocation) without consent. High-risk activities, including AI-driven profiling or selling personal data for marketing, require data protection assessments weighing risks against benefits. Processors must follow controller instructions, assist with compliance, and maintain subcontracting agreements.
In marketing, TDPSA intersects with RTS by scrutinizing data used for text targeting; for AI, it mandates assessments for automated decision-making in personalization. Enforcement is exclusively by Attorney General Ken Paxton, who has built a dedicated team and launched aggressive actions. Before suing, the AG provides a 30-day cure notice, but post-cure, penalties reach $7,500 per violation, plus injunctions and fees. No private right exists, focusing power with the state.
Paxton’s “tear” includes the first TDPSA lawsuit in January 2025 against Allstate and Arity for allegedly collecting and selling geolocation data from Texans’ devices without consent, seeking millions in penalties. He’s investigated over 100 data brokers and companies, notifying them of noncompliance and demanding registrations. Probes target AI firms like Character.AI, social platforms (Reddit, Instagram), and CCP-linked Chinese companies for child privacy violations and data exploitation. A landmark $1.375 billion settlement with Google in 2025 resolved tracking allegations, the largest privacy settlement by a state AG. These actions, part of a June 2024 initiative, position Texas as a national leader in privacy enforcement.
TDPSA key elements and enforcement highlights:
- Consumer Rights: Access, correction, deletion, portability, and opt-outs for advertising, sales, and profiling; agents can act for consumers, especially in sensitive data cases.
- Business Duties: Privacy notices, consent for sensitive data, security measures, assessments for AI/marketing risks; small businesses barred from unconsented sensitive data sales.
- Exemptions: Government, nonprofits, regulated finance/health sectors, deidentified data, emergency processing, research aligned with expectations.
- Enforcement Actions: Allstate suit (geolocation sales); 100+ data broker probes; AI/social media investigations (e.g., Character.AI for child data); Google settlement ($1.375B); CCP-affiliated tech warnings.
- Implications for Marketing/AI: Requires opt-outs for targeted texts using data; AI assessments for personalization; ties to RTS by regulating data fueling solicitations.
The TDPSA’s framework and Paxton’s vigorous enforcement underscore Texas’s commitment to data sovereignty, intersecting with RTS and TRAIGA to create a multifaceted compliance landscape.
Overall, Texas is positioning itself as a leader in tech accountability. Businesses engaging in text marketing, AI applications, or data handling should prioritize privacy compliance audits and use Captain Compliance privacy software right now—integrating RTS registration, TRAIGA governance, and TDPSA protections—to navigate this interconnected regulatory web without facing Paxton’s enforcement hammer which is only ramping up from here.
