The heightened U.S. state-level attention to data privacy matters in recent years raised the question of which state might take the lead on privacy enforcement. The answer hasn't materialized quickly, but recent activity out of Texas suggests the Lone Star State is trying to stake its claim to being a lead authority on alleged consumer protection and privacy violations.
The Texas attorney general's office recently netted the largest state privacy settlement to date, agreeing to a USD1.4 billion settlement with Meta over alleged nonconsensual biometric data use. The office followed that up with a lawsuit against automaker GM claiming sale of driving data to insurance companies without knowledge or consent.
The work against Meta dates back to 2020 while the GM lawsuit is a result of a June investigation into privacy practices in the car manufacturing industry.
Additionally, Texas also has its eyes on potential Data Broker Law violations. The attorney general's office sent more than 100 compliance letters to companies citing a lack of data broker registration.
Each of these actions fall under a broader privacy undertaking Texas Attorney General Ken Paxton announced 4 June. The office indicated the initiative would be conducted by the Consumer Protection Division and focus on the full range of privacy and data security laws Texas carries.
"Any entity abusing or exploiting Texans’ sensitive data will be met with the full force of the law," Paxton said in a statement. "Companies that collect and sell data in an unauthorized manner, harm consumers financially, or use artificial intelligence irresponsibly present risks to our citizens that we take very seriously. As many companies seek more and more ways to exploit data they collect about consumers, I am doubling down to protect privacy rights."
Ramping up
There are no particular motivations behind Texas' bulked-up privacy work. It may simply boil down to financial resources and appetite more than legal tools or new enforcement opportunities.
In the privacy initiative announcement from June, the attorney general's office said its new enforcement team is "poised to become among the largest in the country focused on enforcing privacy laws."
According to Orrick Partner Emily Tabatabai, CIPP/E, CIPP/US, the office recently picked up "an influx of new funding," facilitating the launch of the the privacy initiative with "sophisticated and experienced new counsel."
"They have the legal authority, the financial resources, the manpower, the top-level support, and enthusiasm to pursue these sorts of investigations," Tabatabai added.
Texas' efforts are also boosted by a willingness to utilize its full legal toolbelt, including the interplay between privacy and consumer protection law. Notably, the GM lawsuit was brought under the Texas Deceptive Trade Practices Act instead of the Texas Data Privacy and Security Act, which took effect 1 July.
"While states like Texas will want to enforce their new authority, one should always expect them to rely on their bread and butter deceptive trade practice authority as well," Kelley Drye & Warren Partner Paul Singer said. "And the theories behind these actions aren’t overly complicated or unique. Some recent cases, for example, are heavily focused on misrepresentations in privacy policies and marketing to consumers. These same theories have been part of a number of actions over the years in a variety of industries."
The attorney general's office indicated the Identity Theft Enforcement and Protection Act and the Biometric Identifier Act are additional statutes it will use for privacy violations moving forward.
What's old is new again
The aggressive approach is drawing attention, but privacy enforcement is not a novel area for Texas.
Singer, who served two decades in the Texas attorney general’s office and spent time leading the Consumer Protection Division and the office's privacy unit, confirmed the depth of Texas' privacy roots.
"It was the first state to file a state-led Children's Online Privacy Protection Act action, brought first of their kind unsolicited fax and do-not-call cases, and has led multiple multi-state and single-state actions related to major data breaches," Singer said. "I view recent actions as the culmination of this continued prioritization of privacy enforcement by the office that has existed for 20 years."
In a 2018 interview with the IAPP, Paxton discussed Texas' track record on privacy and his office's current endeavors, which included a settlement with app developer Juxta Labs over Children's Online Privacy Protection Act violations.
There was foreshadowing for what Paxton's office is doing now. He said the office would "continue to make it a priority to utilize our authority and resources to rise to the challenge of data security and privacy protection in the 21st century." There was additional emphasis on "keeping our eye on marketplace product developments so that even as we support and encourage innovation, we take appropriate enforcement action to protect consumer privacy."
The use of consumer protection law on privacy claims is as much of a focus for Paxton now as it was six years ago. He indicated Texas' DTPA application to emerging technologies holds developers "to the same basic standards as all other businesses."
"We believe that what is a fair and honest business practice does not really change with technology, and we think that most tech companies agree with and abide by that principle," Paxton said. "Developers of new technology have an obligation to consider consumer privacy and security from the initial development stage, and time-honored laws like the DTPA still apply to make sure they follow through on those obligations."
Eyeing compliance
The potential for Texas to apply varying statutes in case-by-case enforcement may create a moving target around privacy compliance. Companies may put more focus into one law while potentially overlooking how they are covered by another.
"The new Texas laws have some unique compliance obligations that distinguish them from other states’ laws. It’s not enough to take a one-size fits most approach," Orrick's Tabatabai said.
A common thread and potential starting point for companies falls back to consumer transparency and trust. While the Texas used its biometric and consumer protection laws against Meta and GM, respectively, each case revolved around alleged nonconsenual practices that weren't laid out in privacy notices.
"What emerges is a clear imperative for companies to better communicate with consumers," Privacy4Cars founder Andrea Amico said regarding the GM case. "Those very long and very complex documents are written by lawyers, for lawyers, and to meet specific legal requirements. But they are absolutely terrible at doing what the attorney general's underlying complaint is about. They can't transparently communicate in simple terms to consumers what data was going to be collected, for what purpose, and what of this was mandatory versus optional and for commercial purposes."
The other consideration is what impact Texas' leadership will have on privacy enforcement in other jurisdictions. Nineteen states have enacted comprehensive privacy legislation, but California is the only one among them that has used their effective statute in enforcement so far.
Singer said state attorneys general are "in constant communication" and privacy units across those offices "have regular calls with one another to discuss various enforcement priorities and initiatives."
"Your objective should be that your customers understand the full nature of any transaction they’re entering into, including what information is collected about them and how that information will be shared with others," Singer added. "Regardless of a state’s limitations on use of personal data, all states expect that your practices be clearly disclosed and understood by consumers."
Joe Duball is the news editor for the IAPP.