Texas Attorney General's Landmark Privacy Lawsuit Signals New Era in Data Privacy Enforcement

The Texas Attorney General has emerged as a significant regulatory enforcement authority for data privacy in the US. Traditionally, data privacy enforcement in the US has emanated from the Federal Trade Commission and other sector-specific regulators, and more recently from the California Attorney General and California Privacy Protection Agency. Even among these enforcers, the Texas Attorney General stands out for its strong reputation for prioritizing consumer privacy enforcement in the past several years.

Texas's Expanding Role in Consumer Privacy Enforcement

A few weeks before the Texas Data Privacy and Security Act ("TDPSA") took effect on July 1, 2024, Texas Attorney General Ken Paxton announced the establishment of the privacy enforcement team within the Consumer Protection Division of the Office of the Attorney General. This team was tasked with enforcing Texas's privacy protection laws, including, but not limited to, the TDPSA, the Data Broker Act, and the Capture or Use of Biometric Identifier Act ("CUBI").

Since the team's formation, it has been active in investigating potential violations, filing privacy-related lawsuits, and reaching settlements. Notable enforcement actions include:

  • Launching an investigation under the Texas Deceptive Trade Practices-Consumer Protection Act into several car manufacturers for allegedly collecting large amounts of data about drivers from their vehicles and selling this information to third parties;
  • Issuing letters to over one hundred companies notifying them of their alleged failure to register as data brokers with the Texas Secretary of State, as required by the newly enacted Data Broker Act;
  • Reaching a $1.4 billion settlement with a global social media company over its alleged unauthorized capture of biometric data in violation of Texas's CUBI;
  • Reaching a settlement with Pieces Technologies for alleged violations of the Texas Deceptive Trade Practices-Consumer Protection Act concerning the accuracy and safety of its generative AI products used in hospitals;
  • Filing a lawsuit against General Motors under the Texas Deceptive Trade Practices-Consumer Protection Act for allegedly collecting and selling private driving data of over 1.5 million Texans without their knowledge or consent;
  • Filing two lawsuits against a social media company: one under the Securing Children Online through Parental Empowerment ("SCOPE") Act and another under the Texas Deceptive Trade Practices-Consumer Protection Act; and,
  • Launching an investigation into 15 tech companies for alleged failure to comply with the safety and privacy requirements of the SCOPE Act and the TDPSA.

Texas Files First-Ever State Comprehensive Privacy Law Lawsuit

Texas reinforced its position as a leading enforcer in the state data privacy regulatory space when Attorney General Ken Paxton filed the first-ever lawsuit to enforce a comprehensive data privacy law. On January 13, 2024, Paxton sued Allstate and its subsidiary, Arity (collectively "Allstate"), accusing them of unlawfully collecting, using, and selling sensitive geolocation data (such as consumers' phone latitude, longitude, speed, GPS time, bearing and altitude) and behavioral data from 45 million Americans, including Texas consumers, through secretly integrated software in mobile apps. The lawsuit claims that Allstate used this driving data to generate scores and assess driving risks for its car insurance business. It also alleges that Allstate profited by selling the data to third parties, resulting in higher premiums, denied coverage, or policy non-renewals for consumers. Allstate reportedly did not inform or obtain consent from Texas consumers for these activities.

Alleged Violations

Allstate is facing charges for violating several Texas laws, including the TDPSA, the Texas Insurance Code, and the Texas Data Broker Act.

Under the TDPSA, Allstate is allegedly in violation of the following requirements:

  • Failure to provide clear privacy notices – Allstate allegedly did not provide a clear and accessible privacy notice that explains how sensitive data, including precise geolocation information, is processed.
  • Failure to disclose the sale of sensitive personal data – The privacy notice allegedly did not include a required disclosure that sensitive personal data might be sold.
  • Failure to obtain informed consent – Allstate allegedly did not obtain consumers' freely given, affirmative, and informed consent before processing their sensitive data.
  • Failure to disclose profiling activities and opt-out options – Allegedly Allstate did not inform consumers that their personal data would be sold for profiling purposes, nor did it provide a way for consumers to opt out of this practice.
  • Failure to make privacy rights accessible – Allegedly Allstate did not provide an accessible privacy notice that clearly explained how consumers could exercise their privacy rights.

Moreover, under the Texas Insurance Code, Allstate is charged with engaging in unfair or deceptive business practices for unlawfully collecting, processing and monetizing sensitive personal data without consumers' consent. Finally, the lawsuit claims that Allstate failed to register with the Texas Secretary of State's Data Broker Registry portal. This registration is required for companies doing business in Texas that process or transfer the personal data of more than 50,000 individuals, particularly when the data is not collected directly from those individuals. Allstate is accused of failing to comply with this requirement, as it allegedly collects data through third-party app developers.

Takeaways

As 2025 progresses, businesses can expect increased scrutiny and enforcement from state authorities, driven in part by proactive actions in Texas. This trend in US privacy law highlights the need for robust compliance strategies to stay aligned with evolving state regulations.

To stay ahead of potential similar enforcement actions and ensure compliance with data privacy laws, organizations should take the following steps:

  • Update privacy notices – Regularly revise privacy notices to clearly reflect data collection, processing and sharing practices. If engaged in the sale of sensitive personal data, organizations must include the required disclosure under the TDPSA, i.e., "NOTICE: We may sell your sensitive personal data."
  • Obtain informed consent for processing sensitive personal data – Obtain informed and affirmative consent from consumers before processing sensitive personal information. Since different states may have varying definitions of what constitutes "sensitive personal data," it's important to understand and comply with these definitions in each jurisdiction where the organization operates.
  • Provide accessible privacy rights – Create user-friendly interfaces that allow consumers to easily exercise their privacy rights, such as access, correction, deletion or opt-out rights.
  • Address opt-out requests effectively – Establish systems, including browser privacy recognition controls, to manage opt-out requests, ensuring that consumer preferences are respected and reflected in business practices.
  • Utilize cure periods – Take advantage of cure periods if violations arise. Under the TDPSA, organizations have 30 days (with no sunset period) to remedy any violations after being contacted by the Attorney General's office. This period provides an opportunity to address issues before enforcement actions are taken, helping organizations to minimize reputational risk and potential legal consequences.

Burak Haylamaz (White & Case, Staff Attorney, Los Angeles) contributed to the development of this publication.

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2025 White & Case LLP
