Lawyers: Texas Takes Significant Role in Privacy Enforcement
Sensitive information and transparency are key privacy issues that will continue attracting litigation, including in Texas, which has become a major player in regulation and enforcement, Odia Kagan, a partner in the law firm Fox Rothschild, said in an interview.
Sign up for a free preview to unlock the rest of this article
"There is a focus on sensitive information ... like precise geolocation data," she said. Texas Attorney General Ken Paxton (R) sued Allstate in January for the alleged unlawful collection, use and sale of location data from Texans’ cellphones (see 2501130047).
Precise geolocation data has "pretty much always been considered to be sensitive information," Kagan said. But "the more we have mobile apps and the use and the prevalence of profiling and targeted advertising and everything, the significance of that [location data] has gotten bigger."
Kagan uses transparency "in the true sense of the word," she said. "My interpretation of what I'm seeing in those enforcements is [that] transparency needs to be real transparency," Kagan said. "Privacy notices need to be effective, they need to be truthful, they need to be complete."
As an example, Kagan mentioned Texas' HB-1709, aimed at increasing AI transparency by elevating clarity concerning risks in the development, deployment and use of AI systems and limiting collection of personal data. HB-1709 "requir[es] details with respect to the model and to the AI, and then training data and stuff like that."
In addition, the new Republican leadership at the FTC also "is going to be more focused on traditional, true, core ... implementations of unfair and deceptive" laws. "The magic antidote potion to deceptive is transparent. How do you not deceive somebody? You give him or her the correct and complete and pertinent information to make the decision."
Whether or not a law can be cured is also a question Texas is facing head on, Kagan said. "All of the new privacy laws have this right to cure, and some of them have a permanent right to cure," she noted. "But it's really important to understand that not everything is curable ... especially because one of the things that's not curable relates to the right to opt out of sale."
Kagan recently penned a blog on the status of the Texas Privacy Act, citing a report from the Texas Department of Information Resources that said more than 1,000 consumers filed complaints through the complaint portal of the Texas Data Privacy and Security Act (TDPSA) during the first four and a half months of activation. Roughly 70% of them were privacy-focused. Key issues included how difficult the process made it for citizens to exercise their rights, difficulty understanding how the right to opt-out applies and for how long, Kagan wrote in the blog.
“The old saying goes, ‘Don’t mess with Texas,’” she blogged. “The same can be said of the Texas Privacy Act.”
In addition, Texas uses consumer protection laws when conducting enforcement actions. "You have a privacy violation because you didn't say things under the privacy notice, but we have no idea what you actually said, so that's a failure of transparency," she said. "That's deceptive, so we're [going to] use the unfair and deceptive laws as well."
Another blog, from Feb. 3, authored by Paul Pittman and Hope Anderson, White & Case lawyers, said that Texas stands out for its reputation of prioritizing consumer privacy enforcement in recent years.
"The Texas Attorney General has emerged as a significant regulatory enforcement authority for data privacy in the US," the lawyers wrote. "Traditionally, data privacy enforcement in the US has emanated from the Federal Trade Commission and other sector specific regulators, and more recently from the California Attorney General and California Privacy Protection Agency," but even among them, Texas is notable.
Pittman and Anderson said that after Paxton established the privacy enforcement team within the Consumer Protection Division of his office, it investigated potential violations, lawsuits and reached settlements. In addition to the Allstate case, the enforcement team launched an investigation into 15 tech companies for possibly violating Texas kids online safety and consumer protection laws, issued notices to more than 100 companies for failing to register as data brokers and reached a $1.4 billion settlement with a social media company after it unlawfully collected biometric data, the lawyers noted.
"As 2025 progresses, businesses can expect increased scrutiny and enforcement from state authorities, driven in part by proactive actions in Texas," Pittman and Anderson said. "This trend in US privacy law highlights the need for robust compliance strategies to stay aligned with evolving state regulations."