While California was the first state to implement a comprehensive consumer privacy rights law and the first to bring an enforcement action for violations, Texas is quickly becoming the next privacy regulator to watch. The Texas Privacy and Data Security Act (TPDSA) became effective in July 2024, and the Texas Securing Children Online through Parental Empowerment (SCOPE) Act became effective in September 2024. Texas Attorney General, Ken Paxton, launched a privacy and security enforcement initiative in June 2024. This initiative led to the establishment of a team focused on enforcing privacy laws based in the Consumer Protection Division of the Office of the Attorney General. Attorney General Paxton has boasted that the team is “poised to become among the largest in the country focused on enforcing privacy laws.” What does that mean for businesses that process or collect personal information of Texans? Now is the time to make sure that your business is in compliance with the TPDSA.

Here are just a few recent examples of the Texas Attorney General’s focus on consumer privacy and security of consumer data:

  • October 2024: Lawsuit against TikTok for allegedly sharing personal information of minors in violation of the SCOPE Act (which prohibits digital service providers from sharing, disclosing, or selling personal information of minors without permission from the child’s parent or legal guardian).
  • July 2024: First-ever settlement under the Texas biometric law (Capture or Use of Biometric Identifier Act) based on an allegation that Meta captured Texans’ biometric data through its photo-tagging feature without consent.
  • June 2024: Over 100 companies received letters from the Texas Attorney General of their alleged failures to register as data brokers with the Texas Secretary of State under the recently enacted Data Broker Law (similar to the Data Broker registration law under the California Consumer Privacy Act).
  • June 2024: Investigation into car manufacturers for practices relating to the collection and sale of drivers’ data.

Attorney General Paxton has been citing the Texas deceptive practices law to enforce privacy violations against companies under the specific privacy statutes at issue. Businesses should consider reviewing their data processing and collection practices and confirm that the business is complying with not only the TPDSA, but all applicable U.S. state privacy rights and protection laws and regulations.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.