Texas Positions Itself as a Privacy Enforcement Leader

Since the Texas Data Privacy and Security Act (TDPSA) took effect in July 2024, Texas has emerged as a leader in privacy enforcement. The Texas attorney general (AG) recently announced: “Any entity abusing or exploiting Texans’ sensitive data will be met with the full force of the law.” This article discusses four developments that highlight Texas’ commitment to safeguarding consumer personal data.

Launch of the Data Privacy and Security Initiative

In June 2024, the AG’s Consumer Protection Division launched its Data Privacy and Security Initiative, with new funding and resources. According to the AG, this team is poised to become among the largest in the country focused on enforcing privacy laws. The initiative is dedicated to the enforcement of both state and federal privacy laws, including the TDPSA, Texas’ Capture or Use of Biometric Identifier Act (CUBI), HIPAA, data broker laws, and laws prohibiting unfair or deceptive business practices. As shown below, the initiative aims to safeguard Texans’ personal data from illegal exploitation by technology, AI and other companies.

Meta’s Record-Breaking Settlement

In July 2024, the AG reached a $1.4 billion settlement with Meta (formerly Facebook) for its unauthorized use of biometric data, including facial recognition technology. Meta’s Tag Suggestions feature processed facial recognition geometry on photographs uploaded to Facebook, capturing detailed biometric identifiers without user consent. This landmark settlement began as a lawsuit filed by the AG that alleged violations of CUBI and Texas’ Deceptive Trade Practices Act. This is the largest privacy-related settlement ever obtained in the U.S. from an action brought by a single state.

Lawsuit Against General Motors

In August 2024, the AG filed a lawsuit against General Motors (GM), alleging that the carmaker unlawfully collected and sold driving data from over 1.5 million Texans without their knowledge or consent. The lawsuit claims GM used “invasive technology” to transform its vehicles into a “comprehensive surveillance system,” gathering detailed driving data without adequate disclosure. Consumers were allegedly misled into believing that consenting to GM’s data collection platform was necessary to activate certain vehicle safety features. GM allegedly failed to inform consumers that their data was being collected and used to generate “Driving Scores,” which GM then sold to insurance companies. Notably, the AG filed this lawsuit under the Texas Deceptive Trade Practice – Consumer Protection Act, rather than Texas’ comprehensive state privacy law, TDPSA.

Lawsuit Against TikTok

In October 2024, the AG filed a lawsuit against TikTok for operating its social media platform in a manner that puts Texas children at risk and violates the Texas Securing Children Online through Parental Empowerment (SCOPE) Act. The SCOPE Act prohibits digital service providers from sharing, disclosing or selling a minor’s personal data without permission from the child’s parent or legal guardian. The SCOPE Act also requires companies to provide parents with tools to manage and control the privacy and account settings of their child’s account. The lawsuit alleges that TikTok collects and sells a wide range of data from minors, including names, birth dates, device IDs, and online or social media activities, without permission and without providing the required parental tools. The lawsuit seeks damages of $10,000 per violation and injunctive relief.

No Applicability Thresholds in the TDPSA

The TDPSA sets itself apart from other state privacy laws by excluding minimum thresholds for the number of consumers a business serves, or the revenue that it generates, to determine compliance obligations. Although there are some exceptions for small businesses under the TDPSA, most companies that operate in Texas or collect personal data from even a small number of Texas residents will need to comply. This unique aspect broadens the law’s applicability, holding businesses of all sizes to the same standards for protecting consumer data.

Businesses operating in Texas should take these developments seriously and ensure compliance with the TDPSA and other state privacy laws, including CUBI and the Texas Deceptive Trade Practice – Consumer Protection Act. Failing to do so could lead to severe financial penalties and reputational harm. Please reach out to our Privacy, Cybersecurity and Data Innovation team for additional assistance on how to comply with emerging privacy laws.