Texas Privacy Enforcement Marches On

It may still be winter, but privacy enforcement actions continue to heat up in the Lone Star State. The Texas Attorney General is intensifying efforts to enforce state privacy laws, indicating increased scrutiny for companies. Texas was already proving to be a leader in this space, as discussed in our previous alert, and this trend has continued unabated through the start of 2025. Recent enforcement actions by Texas Attorney General Paxton, highlighted below, underscore the critical need for companies to review their privacy practices to ensure compliance with applicable Texas privacy laws.

Recent Enforcement Actions

• In December 2024, Attorney General Paxton opened investigations into 15 technology companies regarding their privacy and safety practices for minors, pursuant to the Securing Children Online through Parental Empowerment (SCOPE) Act and the Texas Data Privacy and Security Act (TDPSA). Attorney General Paxton warned that social media and AI companies are “on notice” that the Attorney General’s Office is “vigorously enforcing” Texas privacy laws, particularly as they apply to minors.
• Enforcement activities vis-à-vis the SCOPE Act remain to be seen, as a federal judge in Texas recently issued a preliminary injunction against certain provisions, including the age verification requirements, on constitutional grounds. Other provisions, such as limitations on data use and collection and the requirement to supply parental monitoring tools, remain intact.
• In January 2025, Attorney General Paxon sued TikTok under the Texas Deceptive Trade Practices – Consumer Protection Act for allegedly marketing its app as safe for minors despite regularly showing them inappropriate and explicit material. This is the second lawsuit against TikTok in recent months: as discussed in our previous alert, Attorney General Paxton also sued TikTok in October 2024 for alleged violations of the SCOPE Act by sharing the personal data of minors with other TikTok users and third parties without parental consent.
• Also in January 2025, Attorney General Paxton sued Allstate and its subsidiary data analytics company, Arity, for allegedly collecting and selling personal data about the location and movement of Texas residents, in violation of the TDPSA’s heightened protections for Texans’ sensitive data. The Attorney General’s Office alleged several TDPSA violations, including a failure to: provide notice of and obtain consent for processing sensitive data; notify individuals about the sale of their personal data and provide an opt-out from such sale; and provide a method for consumers to exercise their individual rights. The Attorney General Paxton also claimed that Arity failed to register as a data broker under the Texas Data Broker Act.
• The Arity defendants have contested the state’s factual allegations and alluded to the GLBA and FCRA exemptions under the TDPSA.
• More recently, in February 2025, Attorney General Paxton announced an investigation into the Chinese-owned AI company DeepSeek, regarding its alleged violations of the TDPSA. Attorney General Paxton cautioned that the U.S. and Texas are at the “forefront of global AI innovation” and any company “aligned” with the Chinese Communist Party “that tries to undermine that dominance by violating the rights of Texans and illegally undercutting American technology companies will face the full force of the law.”

Takeaways for Companies

This continued enforcement activity has primarily focused on AI, minors, and driving information, and we expect to see additional activity and new trends emerge from both the Texas Attorney General’s Office and other state privacy regulators as 2025 unfolds.

To help mitigate the risk of an enforcement action and/or litigation, companies should review and update their privacy compliance programs to ensure compliance with any applicable U.S. state privacy laws and regulations.