Are You a Small Business? It Still Matters: Understanding Privacy Law Thresholds
One of the most common beliefs among Texas small business owners and online sellers is:
“I’m too small for privacy laws to apply to me.”
In many ways, that’s true.
Most statewide privacy laws—like California’s CCPA or Colorado’s CPA—apply only to large businesses processing huge amounts of consumer data.
But here’s the part business owners often miss:
✔ Even if you're exempt from those laws, the Texas Deceptive Trade Practices Act (DTPA) still applies to every Texas business.
✔ And failing to disclose how you collect or use customer information can violate the DTPA, even when no privacy law applies.
Let’s take a closer look at why size doesn’t actually remove your responsibility to be transparent.
Understanding Privacy Law Thresholds
Many state privacy laws only apply to businesses that meet certain “thresholds” related to:
Annual revenue
Number of consumers whose data is processed
Volume of personal data handled
Whether the business sells personal information
Texas Deceptive Trade Practices Act
Texas’s own privacy law exempts small businesses unless they sell sensitive data. So yes, most Texas small businesses are exempt from major privacy laws. But that does not mean you can skip transparency.
DTPA Applies to EVERY Texas Business
Unlike the privacy laws, the Texas DTPA has:
No revenue requirement
No customer minimum
No industry limitation
No “small business” exemption
If you collect customer information—names, emails, phone numbers, payment details, website behavior—you must not mislead or confuse customers about how you use that information.
Common Ways Small Businesses Violate the DTPA (Without Realizing It)
1. Collecting emails without disclosing marketing use
Example:
A customer signs up for a free download.
Then they unexpectedly get added to your newsletter.
Even if you think “everyone does this,” failing to disclose it is misleading.
2. Using analytics or tracking without telling customers
Tools like:
Google Analytics
Meta Pixel
TikTok Pixel
Heat mapping tools
…collect visitor behavior.
If your website doesn’t tell users this is happening, it’s a transparency issue under the DTPA.
3. Claiming “we don’t share data” when you actually do
If you use:
Stripe, Square, or PayPal
Shopify or Etsy
Mailchimp or Flodesk
Calendly
CRM systems
…then you share data with third parties.
Even if it’s automatic, customers must be told.
4. Having no privacy disclosures at all
If you collect any personal information and your website says nothing about it, a customer can claim you misled them.
Why a Privacy Policy Still Matters (Even If You’re Exempt)
A privacy policy:
Helps you meet DTPA transparency requirements
Tells customers exactly what to expect
Reduces confusion and complaints
Makes online platforms happier (many require privacy policies)
Builds trust and credibility
Protects your business from accusations of misleading practices
You don’t need something complicated—just something honest and accurate.
Bottom Line
Your size determines whether privacy laws apply to you.
But transparency is required regardless, because the DTPA applies to every Texas business.
A simple privacy policy is one of the easiest ways to meet those expectations and protect your business.
Book a quick call — we’ll help you sort out what matters for your business. https://calendly.com/client-meetings-fwl
Legal Disclaimer: The information in this blog is provided for general educational purposes only and does not constitute legal advice. Laws and regulations change frequently, and the application of law depends on the specific facts of each situation. Reading this post does not create an attorney-client relationship with Fair Winds Law PLLC.