Blog | 12/26/2021

Texas Aims to Lead the United States in Data Privacy

Team Contact: John Rondini , Abha Fadipe

  • Cybersecurity, Privacy & Artificial Intelligence
  • Cybersecurity
  • Cybersecurity & Privacy
  • Data Privacy
  • Texas Data Privacy and Security Act (TDPSA)
  • Securing Children Online Through Parental Empowerment (SCOPE) Act
  • Deceptive Trade Practices Act (DTPA)
  • Child privacy and safety laws
  • Age verification
  • Consumer data
Share

On December 12th, 2024, Texas Attorney General Ken Paxton launched investigations into 15 companies over potential violations of children’s privacy and safety laws. These investigations follow a prior lawsuit against TikTok for violating the Securing Children Online Through Parental Empowerment (SCOPE) Act. Unlike the TikTok lawsuit, the new investigations also cite violations of Texas’s recently enacted Texas Data Privacy and Security Act (TDPSA). These actions demonstrate Texas’s increasing commitment to becoming a leader in data privacy enforcement.

TDPSA and SCOPE

The TDPSA, effective July 2024, grants Texas residents significant rights over their personal data, including the right to know what data is being processed and to opt out of targeted advertising and profiling. It applies to businesses operating in Texas or serving Texas residents and mandates clear privacy notices and consent for processing sensitive data such as biometric and geolocation data. Notably, Texas sets itself apart from other states by not imposing a minimum consumer threshold—engaging with even one Texas resident makes the law applicable.

The SCOPE Act, effective September 2024, protects minors under 18 by requiring digital service providers to implement measures to safeguard children’s data and limit exposure to harmful content. Key provisions include age verification during account creation, parental consent for data collection, and preventing subsequent alterations to age-related information.

Texas’s Path to Data Privacy Leadership

Although the TDPSA and SCOPE Act took effect this year, Texas has been building its reputation for data privacy enforcement for several years. Past enforcement relied on legacy laws such as the Deceptive Trade Practices Act (DTPA), with high-profile cases against companies like Meta, Google, and General Motors.

Just this summer, Paxton secured a $1.4 billion landmark settlement from Meta after accusing the company of unlawfully collecting biometric data from Texans in violation of the DTPA in 2022. This settlement stands as the largest ever obtained by a single state. Paxton also filed a lawsuit against General Motors (GM), alleging the unauthorized collection and sale of private driving data from 1.5 million Texans, and accuses GM of deceptive enrollment practices tied to its OnStar services.

In October, Texas filed a lawsuit against TikTok for violating the SCOPE Act by failing to obtain parental consent and sharing minors’ personal data without authorization. The lawsuit seeks penalties of $10,000 per violation. Building on this momentum, Paxton recently announced investigations into Character.AI, Reddit, Instagram, Discord, and 11 other companies for potential violations of the SCOPE Act and TDPSA. Emphasizing the protection of children, Paxton warned that his office is committed to enforcing Texas’s data privacy laws vigorously.

To solidify this leadership, Paxton has assembled one of the nation’s largest state privacy enforcement teams within the Consumer Protection Division. This team is tasked with enforcing the TDPSA and ensuring companies respect Texans’ privacy rights.
Given Paxton’s past successes, it will be interesting to see if he can leverage the new legislative tools effectively. With 2024 winding down, further enforcement actions under these laws are likely.

Broader Implications

Texas’s proactive approach to data privacy will likely influence national practices. Companies doing business in Texas must adopt robust data governance frameworks to avoid enforcement actions. For privacy-conscious consumers, Texas’s stance offers stronger protections and signals a clear priority on safeguarding data rights.

Keep Reading