Is Texas Displacing California As The New Privacy Sheriff?

In the last several years, privacy has mostly been enforced by the Federal Trade Commission (FTC) via the FTC Act or, in more recent years, by the California Attorney General and the California Privacy Protection Agency (CPPA).

But since Texas enacted the Texas Data Broker Act (effective September 1, 2023) and the Texas Data Privacy and Security Act (effective July 1, 2024), Texas has become a significant regulatory enforcement authority for data privacy in the U.S. This enforcement prowess was unexpected: 3 other states have enacted data broker laws (California, Vermont, and Oregon) and 12 states have comprehensive privacy laws in effect, and yet, until Texas, California was essentially the only state enforcing its data privacy laws.

Blazing Privacy Saddles

In June 2024, the Texas Attorney General, Ken Paxton, announced the launch of the Data Privacy and Security Initiative, which establishes a team focused on the ‘aggressive enforcement’ of Texas privacy laws, including the Texas Data Privacy and Security Act, the Identity Theft Enforcement and Protection Act, the Texas Data Broker Law, the Biometric Identifier Act, the Deceptive Trade Practices Act, and federal laws including the Children’s Online Privacy Protection Act (COPPA) and the Health Insurance Portability and Accountability Act (HIPAA).

Let’s tally the Texas versus California enforcement count below and compare what the respective sheriffs are pursuing companies for.

Broker Texas Ranger

Texas AG shames 6 companies, warns 100 more.

It should also be noted that the Texas Data Broker Act has greater obligations for data brokers’ security programs than any other enacted state data broker law. When sending notices to unregistered data brokers, Texas is asking about data brokers’ compliance with these security requirements.

Important note: Although Texas has been active in sending notices to data brokers for failing to comply with the Texas Data Broker Act, many data brokers have reported that they have filed their applications to the Texas Data Broker registry, but the Office of the Texas Attorney General is so backlogged that it is taking weeks to approve applications and charge the businesses their $300 registration fee.

A Fistful of Sold Data Dollars

In addition to enforcement by the California Attorney General, the CPPA has been busy regulating California privacy laws. In particular, the CPPA released an enforcement advisory on data minimization, is in the formal rulemaking process for Cybersecurity Audits, Risk Assessments, and Automated Decision-Making, and adopted new regulations for data brokers in updating the California Delete Act.

Key Takeaways

  • Texas is aggressively enforcing privacy under multiple laws, including the Texas Data Broker Act and Texas Data Privacy and Security Act.
  • Texas’s 2 lawsuits suggest a focus on geolocation and consumer consent to sell data, whereas California’s enforcement suggests a focus on consent where advertisements are a ‘sale’.
  • Compared to California’s CCPA, Texas’s enforcement is newer but expanding rapidly, signaling a growing trend in state-level privacy regulation, especially considering the FTC is expected to reduce its enforcement under the Trump administration.
  • Other states like Colorado and Virginia have privacy laws but have not yet pursued major enforcement actions at the scale of Texas or California.

Conclusion

California isn’t the only privacy sheriff in town anymore. And while the expectation is that the FTC will enforce less under the Trump Administration, we can’t underestimate the states’ (especially Texas’) enforcement in the absence of federal enforcement. Texas has given no indication that it plans to slow down enforcement, so expect privacy enforcement to increase.