Article illustration 1

Texas, often celebrated for its pro-business, hands-off regulatory approach, is defying expectations. The state's Attorney General, Ken Paxton, has transformed its Consumer Protection Division into a formidable privacy enforcement juggernaut, aggressively wielding the Texas Data Privacy and Security Act (TDPSA) and other state laws. Since the TDPSA took effect on July 1, 2024, this unit has launched numerous investigations and secured landmark settlements, marking a seismic shift in the US privacy landscape.

Big Staff, Bigger Ambitions

What sets Texas apart isn't just its political stance, but its significant investment in enforcement capability. In June 2024, the AG's office announced the formation of a dedicated privacy unit within the Consumer Protection Division, boasting approximately 20 personnel – including attorneys, analysts, technologists, and support staff. This dwarfs the resources of most other states; Oregon, for example, has just four staff focused on privacy. "Earmarking funds so you can actually adequately staff your office is the only logical move," noted Ron De Jesus, Field Chief Privacy Officer at Transcend. "Why pass a law without the resources to enforce it? It doesn’t really make sense, and yet it happens a lot."

The Enforcement Rodeo: High-Profile Targets & Hefty Fines

Texas isn't just talking tough; it's taking down giants:

  • Google: Settled for $1.375 billion over allegations of tracking location and capturing biometric data without consent.
  • Meta: Settled for $1.4 billion related to unauthorized biometric data use, including facial recognition.
  • Allstate/Arity: Sued (the first TDPSA enforcement action) for allegedly selling Texan drivers' location data.
  • General Motors: Sued for collecting and selling driver data to insurers without consent.
  • TikTok: Sued for allegedly mishandling minors' data.
  • 100+ Companies: Notified for failing to register as data brokers under the new Texas Data Broker Act.

This aggressive posture leverages not only the TDPSA but a suite of existing Texas laws, including biometric (2009), child data (2005), identity theft (2009), and deceptive trade practices (1973) statutes.

Article illustration 3

Lab techs representing legislators experiment with state privacy law provisions. (Credit: AdExchanger)

"Howdy, Not Gotcha": The Texas Approach to Compliance

Despite the hardline enforcement, the Texas AG's office signals a pragmatic approach. Tyler Bridegan, Director of Privacy and Tech Enforcement, emphasizes "the lens of reasonableness" during investigations. "Engage early and engage often," Bridegan advised businesses during a recent webinar. He clarified that enforcers aren't seeking "gotchas" over minor discrepancies in the patchwork of state laws. Demonstrating compliance with another major state law, like California's CCPA/CPRA, is viewed favorably. "We’re not trying to needle people on the nitty gritty... we’re looking for compliance with the spirit of the law," Bridegan stated.

Why This Matters: Ripples Across the Tech Ecosystem

Texas's vigorous enforcement carries profound implications:

  1. Increased Legal & Financial Risk: Major settlements set precedents and embolden other states. Tech companies, data brokers, automakers, and any entity handling Texan data face significantly heightened liability.
  2. Compliance Complexity Amplified: While Texas promotes "reasonableness," its active use of multiple overlapping laws alongside the TDPSA adds layers to an already complex state-by-state compliance puzzle.
  3. Resource Disparity Highlighted: Texas's well-funded unit starkly contrasts with under-resourced agencies elsewhere, potentially creating enforcement havens or forcing companies to default to the strictest standards (like Texas's or California's) nationwide for operational simplicity.
  4. Pressure for Federal Action: The sheer scale of Texas's actions, particularly against national players, intensifies the argument that a single federal privacy standard is needed to replace the growing, inconsistent state patchwork.

Texas has proven it possesses both the "hat" and the "cattle" when it comes to data privacy enforcement. For the tech industry, the message is clear: Ignoring state privacy laws, even in traditionally business-friendly states, is no longer an option. The era of symbolic compliance is over; tangible, demonstrable respect for consumer data is now table stakes, enforced by an unlikely sheriff.