Ken Paxton was sworn into office in January 2015 as the 51st attorney general of Texas. He previously served as a member of the Texas House of Representatives and the Texas State Senate. During his time as attorney general, he has contributed to the strength of his office’s stances on data privacy and cybersecurity, building on the work of former Texas Attorney General and now-Governor Greg Abbott. His office is now one of the leading attorneys generals' offices nationwide on these issues, counting among its peers California, Massachusetts, Connecticut and Illinois. As an example, Texas, under Paxton’s leadership, has been one of the first states to enforce the federal Children’s Online Privacy Protection Act. Here, he talks with The Privacy Advisor about his state’s consumer protection efforts with regard to privacy and data security.

The Privacy Advisor: Your office reached a settlement with an app developer over concerns that the company’s products infringed children’s privacy in violation of COPPA. For example, the apps offered children’s games that featured advertisements, in-app purchases, and transmission of personal information. What do you see as the role of state attorneys general in enforcing federal privacy laws like COPPA? 

Paxton: Protecting children, an especially vulnerable population, is a priority of our office, including in the realm of privacy. Federal laws, like COPPA, provide one more tool for our enforcement toolbox when we seek to protect children. Indeed, we routinely take enforcement action against app developers and other businesses infringing on children’s privacy both under COPPA, as well as state law, including the Texas Deceptive Trade Practices Act. As you mentioned, we recently obtained a settlement with an app developer called Juxta Labs, whose apps, directed to children, were collecting personal information including GPS coordinates. With the ultimate goal of keeping children safe, we want app developers to prioritize children’s privacy when creating their apps. Considerations should include ensuring they obtain parental permission in accordance with the law, and determining whether the app’s advertisers would collect personal information in violation of COPPA. 

The Privacy Advisor: Texas law prohibits companies from selling personally identifiable information in violation of their own privacy policies. Under that law, you challenged RadioShack’s plan to sell personal data on 117 million customers during its bankruptcy proceeding based on the company’s explicit promise not to sell the personal data of its consumers. Do you see state attorneys general taking on a larger enforcement role in holding companies to their privacy promises? 

Paxton

: Yes, in the RadioShack case, we led a coalition of 38 states and prevailed in challenging a proposed bankruptcy plan to sell the personal identifiable information of 117 million consumers — despite the fact that the company’s privacy policy stated that consumer personal information would not be sold. The fact that 38 states joined that effort reflects the states’ deep understanding of the importance of safeguarding customer information and our commitment to hold companies accountable for commitments they make to customers about the privacy of personal information.

The Privacy Advisor: As part of settlements with your office under the Texas Deceptive Trade Practices Act, some companies have agreed to improve their privacy and data security disclosures and inform users of safeguards. What are your thoughts on the role state consumer protection legislation such as the Texas DTPA should play in this space?

Paxton: We believe that what is a fair and honest business practice does not really change with technology, and we think that most tech companies agree with and abide by that principle. As such, we believe that consumer protection laws, including the Texas DTPA, ensure emerging technologies are held to the same basic standards as all other businesses. Developers of new technology have an obligation to consider consumer privacy and security from the initial development stage, and time-honored laws like the DTPA still apply to make sure they follow through on those obligations.

The Privacy Advisor: The November 2017 shooting at a Sutherland Springs, Texas church revived some of the privacy debate that occurred in the wake of the San Bernardino tragedy. What are your thoughts on the methods Texas and federal law enforcement should be able to use to access a private phone?

Paxton: The Fourth Amendment to the United States Constitution recognizes the people have a God-given right to be free from unreasonable searches and seizures. No matter how much technology may advance and no matter how sophisticated terrorists and criminals may become, we can never lose sight of that bedrock principle. The requirement for law enforcement to establish probable cause and obtain a warrant for access to a private phone does not, and should not, ever waver. 

At the same time, the government has no less of an obligation to protect people in a world of multiplying threats to their life, liberty, and property. Today, virtually everyone has a mobile device at their fingertips that harnesses the ability to access and store a magnitude of information. Sadly, some people use those devices to commit crimes. In such a world, it is the duty of law enforcement officers, investigators and forensic examiners to remain vigilant in their training and understanding of technology so they can procure evidence in a manner consistent with the Constitution. The burden remains on the government to make its case. 

The Privacy Advisor: What can people in the privacy field expect from state attorneys general, and Texas, in particular, in 2018?

Paxton: Looking forward, I think my office, as well as other states’ attorneys general, will continue to make it a priority to utilize our authority and resources to rise to the challenge of data security and privacy protection in the 21st century. That will mean continuing data security enforcement to ensure that businesses maintain reasonable safeguards to protect customers’ personal information, continuing with COPPA enforcement to protect the privacy of our children, continuing our “no-call” enforcement against unlawful telemarketing and, last but not at all least, keeping our eye on marketplace product developments so that even as we support and encourage innovation, we take appropriate enforcement action to protect consumer privacy.

photo credit: JD Hancock Texas State Capitol via photopin (license)