Texas Privacy Enforcement Heats Up

Texas is rivaling California as the most active enforcer in the growing state data privacy regulatory space. In 2022, the California attorney general announced the first-ever settlement of a California Consumer Privacy Act (CCPA) enforcement action with Sephora over failure to resolve allegations that the company violated the CCPA. Today, the Texas attorney general’s lawsuits, enforcement actions, settlements, and investigative demands—all in the span of 2024—indicate that Texas is quickly becoming a privacy regulator that companies should have on their radar. As the Texas Privacy and Data Security Act (TPDSA, discussed further in a previous alert) became effective in July 2024 and the Securing Children Online through Parental Empowerment (SCOPE) Act became effective in September 2024, now is the time for companies to review their practices to ensure compliance with applicable Texas law.

Texas Enforcement Initiative

In June 2024, Texas Attorney General Ken Paxton launched a broad-reaching privacy and security initiative to enforce Texas data protection laws, including, but not limited to, the TPDSA, the Data Broker Law, and the biometric data privacy statute. This initiative involved the establishment of a team focused on aggressive enforcement of Texas privacy laws, based in the Consumer Protection Division of the Office of the Attorney General. Attorney General Paxton touted that the team is “poised to become among the largest in the country focused on enforcing privacy laws.”

Recent Enforcement Actions

The initiative has already borne fruit with significant developments over the last few months:

• In October 2024, Attorney General Paxton announced a lawsuit against TikTok for allegedly sharing the personal data of minors in violation of Texas’s SCOPE Act. The SCOPE Act prohibits digital service providers from sharing, disclosing, or selling personal data pertaining to minors under the age of 18 without permission from the child’s parent or legal guardian. The complaint alleges that TikTok unlawfully shared minors’ personal information with other TikTok users and third parties, such as business partners and search engines.
• In July 2024, Attorney General Paxton secured the first-ever settlement under the Texas biometric law, the Capture or Use of Biometric Identifier Act (CUBI). This settlement stemmed from the state’s 2022 lawsuit based on an allegation that a tech company captured Texans’ biometric data through the company’s photo-tagging feature without consent. CUBI lacks a private right of action and limits enforcement to the attorney general, unlike Illinois’ ubiquitous Biometric Information Privacy Act.
• In June 2024, Attorney General Paxton issued letters notifying over 100 companies of their alleged failure to register as data brokers with the Texas Secretary of State under the recently enacted Data Broker Law. Under the Data Broker Law, companies that buy, sell, trade, or process individuals’ personal data were required to register by March 1, 2024, among other obligations (including the implementation of specific security controls). The law imposes civil penalties of not less than $100 for each day that an entity is in violation, with a limit of $10,000 assessed against the same entity in a 12-month period.
• Also in June 2024, Attorney General Paxton opened an investigation into car manufacturers for practices relating to the collection and sale of drivers’ data. The investigation was opened following reporting that certain manufacturers have been collecting data about drivers directly from their vehicles without drivers’ awareness and selling the data to insurance providers, among other third parties.

Notably, Attorney General Paxton has consistently been using the Texas deceptive practices law as a tool to enforce privacy violations in addition to the specific privacy statutes at issue. For example, the Texas Deceptive Trade Practices – Consumer Protection Act empowers the Texas attorney general to investigate “false, misleading, or deceptive acts or practices.” Texas’s investigation into car manufacturers was predicated in part on the Deceptive Practices Act. In the state’s suit over alleged biometric data leaks, the attorney general sued under both the Deceptive Practices Act and CUBI. Violations of the Data Broker Law may also constitute a deceptive trade practice.

AI Legislation

Alongside the increasing privacy enforcement, Texas is also working on draft artificial intelligence legislation, the Texas Responsible AI Governance Act, that is expected to be introduced in the upcoming legislative session in 2025. The draft Texas bill is similar to the Colorado AI Act, and is designed to guard against algorithmic discrimination by automated decision-making systems. The draft bill imposes requirements on developers, distributors, and deployers of high-risk AI systems. If passed as drafted, the legislation would be enforced by the Texas attorney general, with fines up to $100,000 for certain violations, providing the attorney general with another tool in the already-expanding toolkit to regulate companies at the intersection of AI and privacy.

Takeaways for Companies

The flurry of activity discussed above is likely to motivate lawmakers at the federal, state, and local levels to not just enact, but also enforce statewide privacy legislation. We expect to see additional enforcement action ramp up under the California Privacy Protection Agency and the Colorado attorney general, among others.

To help mitigate the risk of an enforcement action and/or litigation, companies should review their data‑handling practices under applicable laws to ensure that they are collecting, maintaining, and disclosing personal data in compliance with any applicable U.S. state privacy laws and regulations.