Texas Privacy Enforcement: Navigating the Attorney General’s Aggressive Approach

In the world of data privacy, the Texas Attorney General’s office is akin to a sheriff from a classic Western—unyielding, ever-vigilant, and relentless in pursuit of justice. Businesses operating in Texas or serving its residents must take heed: The Texas Attorney General (AG) has vigorously enforced privacy laws, even predating the Texas Data Privacy and Security Act (TDPSA), turning the Lone Star State into a formidable force for data compliance.

Texas: Championing consumer privacy

Texas’s aggressive consumer protection stance is marked by an impressive record of enforcement actions and staggering financial settlements. Over the past four years alone, the Texas State AG has initiated numerous high-profile investigations and lawsuits, underscoring his determination to protect Texans’ personal data from misuse and exploitation.

From suing tech giants to car manufacturers, the state AG’s office has repeatedly demonstrated zero tolerance for privacy violations. In 2022, the AG launched multiple lawsuits against Google for deceptive tracking practices, misleading Texans about the privacy protections of “Incognito Mode,” and unlawfully capturing biometric data. These aggressive legal maneuvers culminated in a historic $1.375 billion settlement with Google in May 2025, a potent reminder of Texas’s determination to hold corporations accountable.

Major Enforcement Milestones in Texas Privacy Law

Early enforcement: Using existing laws to pave the way

Even before the TDPSA took effect on July 1, 2024, the state AG’s office skillfully leveraged existing Texas laws like the Capture or Use of Biometric Identifiers Act (CUBI) and the Deceptive Trade Practices Act (DTPA) to hold companies accountable and enforce stringent privacy standards.

In addition to the Google cases, Meta’s use of facial recognition without consent on Facebook led to a landmark $1.4 billion settlement in 2024. The case revealed that Meta indiscriminately scanned photos and videos uploaded to its platform, storing facial geometry records without informing or obtaining consent from users, a direct violation of CUBI and DTPA.

Texas secured a record $1.4B privacy settlement from Meta, the largest ever from a privacy case brought by a single state.

Other pre-TDPSA cases include lawsuits against TikTok for deceptive marketing to minors and potential facilitation of child exploitation, and LinkedIn for allegedly using private messages to train AI models without user consent. These cases showcase the Texas AG’s long-standing commitment to consumer protection using the legal tools available, even before a comprehensive privacy law existed.

TDPSA: A new era in Texas privacy enforcement

With a population of more than 30 million, virtually every nationally available service has Texas users, so even companies based outside the state are likely subject to the TDPSA. This vast jurisdictional reach significantly raises the stakes for noncompliance.

The Texas Data Privacy and Security Act, effective July 1, 2024, has formalized Texans’ privacy rights and introduced strict compliance requirements for businesses. Unique among state privacy laws, the TDPSA gives the Attorney General exclusive enforcement authority. This includes issuing civil investigative demands (CIDs), assessing organizations’ data protection efforts, and initiating legal actions when necessary.

Businesses benefit from a 30-day cure period to address violations before enforcement kicks in. To avoid fines of up to $7,500 per violation, organizations must swiftly document and implement corrective actions. The law also allows the AG to recover attorney’s fees and investigative costs, adding further financial stakes to enforcement.

TDPSA requires businesses to:

  • Respond to consumer rights requests within 45 days.
  • Provide clear, accessible privacy notices detailing data collection and processing practices.
  • Obtain explicit opt-in consent before collecting sensitive data, including biometric identifiers and precise geolocation.
  • Conduct data protection assessments for high-risk processing activities, such as profiling, sensitive data use, or targeted advertising.

Vendor Management and Contractual Safeguards

A critical yet often overlooked component of TDPSA compliance is vendor management. Controllers must establish formal contracts with processors, clearly defining data handling instructions, confidentiality obligations, and security practices. Contracts must ensure:

  • Processors only act under the controller’s instructions.
  • Sensitive data is returned or deleted upon termination.
  • Subcontractors are held to the same privacy obligations.

Failure to enforce these contracts can expose organizations to enforcement actions if third parties violate the law while processing data on their behalf.


Lessons from recent enforcement actions

The enforcement actions against Allstate and its subsidiary Arity vividly illustrate the stringent new landscape. The 2025 lawsuit accused these companies of secretly collecting and selling driving behavior data from consumers’ mobile devices and vehicles without adequate consent or transparency, highlighting failures in providing clear opt-out mechanisms.

Similarly, General Motors faced litigation for using in-car technology to monitor drivers’ movements, recording sensitive data, and sharing it without meaningful disclosure. These cases stress the importance of clear opt-out mechanisms, user education, and detailed privacy policies.

Protecting minors and policing emerging tech

Protecting children online has become a cornerstone of the State of Texas’s privacy platform. Under the Securing Children Online Through Parental Involvement (SCOPE) Act, companies are prohibited from collecting or sharing children’s data without parental consent. TikTok, Instagram, Discord, and Character.AI have all come under investigation for allegedly putting minors’ safety at risk.

Emerging technologies like AI and IoT are also under the AG’s microscope. Lawsuits against LinkedIn and Allstate’s Arity have flagged the risks of using personal data to train algorithms without transparency or consent. As technology evolves, the State AG’s approach indicates that Texas intends to remain at the forefront of privacy oversight.

What privacy professionals need to know

Given Texas’s robust enforcement regime, privacy professionals must urgently reassess their strategies:

  • Audit your data practices: Ensure compliance with TDPSA, focusing particularly on consent mechanisms and robust consumer rights frameworks.
  • Transparency is non-negotiable: Privacy policies should be clear, accessible, and truthful. Even unintentional misleading practices can attract substantial fines.
  • Prioritize sensitive data: Carefully manage biometric data, precise geolocation, and children’s information. These are highly scrutinized under Texas law.
  • Review contracts: Ensure all processor agreements meet TDPSA standards, including breach notification and data deletion clauses.
  • Regularly update training: Ensure your team fully understands compliance obligations and the high stakes involved. Train staff to identify and avoid dark patterns, honor opt-out signals, and handle sensitive data with care.

Warning signs you may be on the Texas State AG Office’s radar

  • You collect location, biometric, or children’s data without explicit opt-in.
  • Your privacy policy hasn’t been updated since 2023.
  • You rely on third-party SDKs or analytics tools but haven’t conducted a vendor risk review.
  • You process data from children or minors but don’t verify age or request parental consent.
  • You engage in targeted advertising or profiling but haven’t conducted a data protection impact assessment.

Note on enforcement structure: Unlike California’s privacy laws, the TDPSA does not allow private lawsuits. Only the Texas AG can enforce the law, with tools that include civil investigative demands, hefty financial penalties, and cost recovery for enforcement actions.

Staying ahead of enforcement: A compliance imperative

The AG’s assertive stance on privacy enforcement sends a clear message: Texas is serious about protecting consumers’ data rights. Businesses must act decisively to fortify their privacy programs against regulatory scrutiny.

For privacy professionals, the urgency is clear—robust compliance isn’t just prudent; it’s imperative. After all, in the dynamic arena of Texas privacy enforcement, vigilance isn’t merely advisable; it’s essential to survival.
