There’s a saying in Texas: “All hat and no cattle.” It means all talk and no action.
That idiom does not apply to the folks within the Consumer Protection Division of the Texas attorney general’s office.
They’re the ones tasked with enforcing the recently passed Texas Data Privacy and Security Act (TDPSA) and they’ve been highly aggressive.
Since the TDPSA took effect on July 1, 2024, the division has launched numerous investigations and brought multiple lawsuits against major tech companies, social platforms, data brokers and even car manufacturers for mishandling consumer data.
It’s a little surprising, though.
Texas stands out as the only large, pro-business, usually hands-off and solidly Republican-led state to vigorously pursue comprehensive digital privacy enforcement.
Big hats, big staff
What’s up with that, y’all?
For one, Texas Attorney General Ken Paxton believes it’s his mission to make privacy a top priority, and his office is putting its money where its mouth is.
In June 2024, right before TDPSA became enforceable, the Texas AG announced its formation of the Consumer Protection Division, which is now one of the largest privacy enforcement teams in the nation.
“Any entity abusing or exploiting Texans’ sensitive data will be met with the full force of the law,” Paxton was quoted saying in a press release about the launch.
Compared to other state agencies, the Consumer Protection Division in Texas is incredibly well resourced, with roughly 20 personnel, including attorneys, analysts, technologies and support staff specifically focused on privacy.
With the exception of California, which has just over 40 people and is the only state in the US with its own independent data protection authority that’s separate from the AG’s office, most regulatory agencies are notoriously underfunded. They usually only have a handful of staff, typically far fewer than 10, who have direct responsibility for privacy-related issues.
The privacy unit within Oregon, for example, currently has one policy analyst, one tech-oriented research analyst and two assistant AGs, although it’s in the process of recruiting a third.
Which is why it’s remarkable that Texas is getting some cattle to go along with its hat.
If you think about it, though, “earmarking funds so you can actually adequately staff your office is the only logical move,” said Ron De Jesus, field chief privacy officer at data governance and privacy platform Transcend.
“I mean, why pass a law without the resources to enforce it?” he told me. “It doesn’t really make sense, and yet it happens a lot.”
Enforcement rodeo
But the Texas Consumer Protection Division not only has the resources; it’s got a lot of different laws at its disposal to enforce.
There’s the TDPSA, of course, but there’s also the Texas Data Broker Act (passed earlier this year), a child-focused data protection law (passed in 2005), the Texas Capture Or Use Of Biometric Identifier Act (passed in 2009), the Texas Identity Theft Enforcement and Protection Act (also passed in 2009) and the Deceptive Trade Practices-Consumer Protection Act (passed way back in 1973).
The state is out there enforcing them all.
As of now, the Consumer Protection Division has initiated or resolved at least nine major privacy and data protection lawsuits or settlements under various Texas state laws.
- In January, Texas sued Allstate and its subsidiary Arity for allegedly illegally collecting, using and selling the location data of Texan drivers, which marked the first enforcement action under the TDPSA.
- Google settled with Texas for $1.375 billion for tracking location and capturing biometric data without consent.
- Meta reached a $1.4 billion settlement with Texas over the unauthorized use of biometric data, including facial recognition.
- Texas has sued General Motors for collecting and selling driver data to insurers without consent.
- Texas also sued TikTok for allegedly mishandling the data of people under the age of 18.
- The AG’s office sent letters to more than 100 companies notifying them of their failure to register as data brokers in the state.
And the list goes on.
Howdy, not gotcha
Despite its tough, non-nonsense approach to enforcement, the Texas Consumer Protection Division says it’s rather approachable.
It’s always better for businesses to be proactive and reach out with questions rather than wait for the AG’s office to come knocking with questions of their own, said Tyler Bridegan, director of privacy and tech enforcement for the Texas AG, speaking during a webinar in April about the state’s privacy priorities.
“Even with the smallest investigations, engage early and engage often,” Bridegan said.
Also, he said, enforcers aren’t looking for gotchas or to catch companies in the gaps between the patchwork of different US privacy laws.
Bridegan and his colleagues view privacy practices through what he calls “the lens of reasonableness.”
“If you tell me that ‘We did this because it complies with California,’ that’s great … we’re willing to seed your practice to another state,” Bridegan said. “We’re not trying to needle people on the nitty gritty of what word choice you used in your privacy notice; we’re looking for compliance with the spirit of the law.”
In other words, be reasonable and enforcers will be reasonable, too.
🙏 Thanks for reading! In keeping with the Texas theme, regular cats say “meow” and Texan cats say … 😹 As always, feel free to drop me a line at [email protected] with any comments or feedback.
