We need to talk about Texas Attorney General Ken Paxton. The Texas Data Privacy and Security Act partially went into effect July 1 and went into full effect on January 1, 2025. Ahead of the law, the attorney general announced a “data privacy and security initiative,” essentially teasing all the enforcement actions his office would take. Since then, his office has filed numerous privacy-related lawsuits and investigations, going after companies that:
- Collect, use, and sell data without consent. The Texas AG sued Allstate and its subsidiary Arity for capturing consumers’ location data and using it to feed a “driving behavior database,” which other insurance companies could use to adjust rates and premiums. In March, The New York Times reported that car companies collect driving data, often without consent, and resell it to insurance companies. Texas was the first state to take legal action, suing GM in August.
- Share sensitive data inappropriately. SiriusXM, MyRadar, Miles, and Tapestri were all caught in the AG’s crosshairs for sharing sensitive data without proper consent and/or disclosure. All four companies collected users’ precise location data; SiriusXM allegedly collected vehicle data, as well. The state court is also hearing a case against Google that claims the company collected Texans’ biometrics data without consent; Meta already settled a similar suit for $1.4 billion. (These biometrics lawsuits were filed in 2022, before the state law.)
- Fail to adequately protect children’s data. Similar to federal regulators, Texas has also been very busy enforcing children’s privacy protections. The AG sued TikTok and launched investigations into Character.AI, Instagram, Reddit, Discord, and others, all centered on whether they protected minors’ data to the extent required by the law and met parental control and consent requirements.
The State Regulatory Patchwork Is Painful, But You Can’t Ignore It
The Texas law is one of 13 state privacy laws already in effect, with six more going into effect over the next year. The attorney general’s running list of lawsuits and investigations provides important caveats for companies:
- Don’t put all your eggs in the federal administration’s basket. Many companies and consumers are expecting a significantly different regulatory landscape with the Trump administration. While the future of the Consumer Financial Protection Bureau and other key agencies is unknown, Texas reminds us that states can still wield their own power, separate from the federal tides.
- Keep an eye on state enforcement. California has gotten the most attention for having the most stringent state privacy law, and it has the benefit of being a first mover. But as Texas’ flurry of activity shows, other state laws could be a bigger focal point. Even if their requirements are weaker, more active or more stringent enforcement could call for more compliance resources.
- Stay on the right side of consumers’ expectations. In some cases, the first mover to take legal action for a privacy breach isn’t regulators but consumers themselves. They’ve stepped in to sue Google for its misleading Incognito mode disclosures, LinkedIn for using their data to train AI models without proper consent, and Patagonia and The Home Depot for disclosing consumer data to third parties. Consumers are increasingly aware of the extent to which their data is shared, and they are paying more attention to privacy policies and disclosures. When making decisions about data collection and disclosure, factor in not just what’s legally allowed but also what consumers will realistically be comfortable with.
If you’re a Forrester client and need guidance on consumer privacy attitudes and data strategy decisions, set up a guidance session, and be sure to check out The Forrester Take for ongoing privacy developments in the B2C marketing space. Happy Data Privacy Day!