While California was the first state to implement a comprehensive consumer privacy rights law and the first to bring an enforcement action for violations, Texas is quickly becoming the next privacy regulator to watch. The Texas Privacy and Data Security Act (TPDSA) became effective in July 2024, and the Texas Securing Children Online through Parental Empowerment (SCOPE) Act became effective in September 2024. Texas Attorney General, Ken Paxton, launched a privacy and security enforcement initiative in June 2024. This initiative led to the establishment of a team focused on enforcing privacy laws based in the Consumer Protection Division of the Office of the Attorney General. Attorney General Paxton has boasted that the team is “poised to become among the largest in the country focused on enforcing privacy laws.” What does that mean for businesses that process or collect personal information of Texans? Now is the time to make sure that your business is in compliance with the TPDSA.

Here are just a few recent examples of the Texas Attorney General’s focus on consumer privacy and security of consumer data:

  • October 2024: Lawsuit against TikTok for allegedly sharing personal information of minors in violation of the SCOPE Act (which prohibits digital service providers from sharing, disclosing, or selling personal information of minors without permission from the child’s parent or legal guardian).
  • July 2024: First-ever settlement under the Texas biometric law (Capture or Use of Biometric Identifier Act) based on an allegation that Meta captured Texans’ biometric data through its photo-tagging feature without consent.
  • June 2024: Over 100 companies received letters from the Texas Attorney General of their alleged failures to register as data brokers with the Texas Secretary of State under the recently enacted Data Broker Law (similar to the Data Broker registration law under the California Consumer Privacy Act).
  • June 2024: Investigation into car manufacturers for practices relating to the collection and sale of drivers’ data.

Attorney General Paxton has been citing the Texas deceptive practices law to enforce privacy violations against companies under the specific privacy statutes at issue. Businesses should consider reviewing their data processing and collection practices and confirm that the business is complying with not only the TPDSA, but all applicable U.S. state privacy rights and protection laws and regulations.