The Texas Lawbook

Free Speech, Due Process and Trial by Jury

There’s a New Sherriff in Town — Texas as Privacy Regulator

For many years, the privacy community took the position that the state of California was the leading data privacy regulator. The state of New York, with its active cyber enforcement by the New York Department of Financial Services, was a close second. However, in the past two years, Texas has emerged not only as a significant privacy regulator but also as an aggressive enforcer of its laws.

Texas has passed a comprehensive series of laws relating to consumer and children’s data privacy, artificial intelligence and data brokers, among other things. And the state’s attorney general has secured multibillion-dollar settlements against major technology companies for alleged violations of state laws. While the federal government and many other states have taken a light-touch approach to privacy and AI, Texas has been out front.

Proliferation of Privacy Regulation

Texas has taken a comprehensive approach to digital regulation, beginning with a long-standing biometric privacy statute and consumer privacy law, and recently adding a series of new laws to its arsenal that address emerging areas of privacy concern.

Like a growing number of states (19 as of Jan. 1, Texas has enacted a general-purpose consumer privacy law that became effective in 2024. That law, the Texas Data Privacy and Security Act, is similar to many of the other state privacy laws in most respects. It requires certain businesses that process residents’ personal data to limit their collection of data to that which is reasonably necessary and grants consumers the right to delete, correct or access their data and to opt out of the sale or processing of their personal data for targeted advertising.

The TDPSA differs in a few key respects. Unlike other states’ laws, including California’s, Texas does not have a revenue or consumer threshold that limits the law’s application to businesses. Rather, the TDPSA applies to any entity that conducts business in Texas or produces a product or service consumed by state residents and that processes personal data — so long as it’s not a small business. Additionally, the TDPSA requires that businesses selling sensitive personal data include a warning label. 

Texas is also one three states with a standalone biometric privacy law — its longstanding Capture or Use of Biometric Identifier Act has required notice and consent prior to capturing biometric identifiers like a person’s fingerprint or facial geometry since 2009. While Illinois’ biometric privacy law has received outsized attention over the last several years for its private right of action and significant statutory damages, Texas’ attorney general has recently entered into sky-high settlements for alleged CUBI violations.

Beyond these foundational laws, Texas has gone further in regulating consumer data and AI. Since enacting the TDPSA, Texas has passed a series of statutes in rapid succession that will shape how those that do business in Texas handle consumer data.

  • Artificial Intelligence: Texas is the second state — after only Colorado — to pass a general AI regulation. While parts of the law specifically regulate government use of AI, the Texas Responsible AI Governance Act prohibits the private development or deployment of AI systems that (1) encourage harm or criminal activity, (2) circumvent an informed decision, (3) unlawfully discriminate against a protected class, (4) intentionally result in political viewpoint discrimination or infringe upon free speech or association, or (5) solely intend to produce explicit videos, images and child pornography.

The law also includes the concept of a regulatory sandbox program. Although details of the program have not yet been provided, it would allow businesses to test and deploy AI for a limited time without risk of enforcement. The law also instituted an Artificial Intelligence Counsel to advise the state on AI matters. TRIAGA allows for attorney general enforcement and includes fines of up to $200,000 for any violation a court determines is uncurable.

The law became effective Jan. 1, although an executive order from the Trump administration preempting “onerous and excessive” state AI regulation casts some doubt on it future.

  • Children’s Privacy: Texas has also been active in the area of children’s privacy and online safety. Since 2024, the Securing Children Online Through Parental Empowerment Act regulates digital service providers that permit users under 18. Among other things, the platforms must allow parents to supervise their children’s use of the service and have a duty to prevent known minors from being exposed to harmful content. The law prohibits those providers from sharing or selling known minors’ personal information, from collecting their precise geolocation data or from displaying targeted ads to known minors. However, as with several similar laws in other states, a federal district court preliminarily blocked enforcement of certain provisions of the SCOPE Act on First Amendment grounds — that decision is currently on appeal before the U.S. Court of Appeals for the Fifth Circuit.

Texas also enacted H.B. 1181 in 2023, which requires certain commercial websites that publish sexually explicit content to verify the ages of their users. That law was also challenged on First Amendment grounds. However, it was upheld by the U.S. Supreme Court last summer, which determined that the law withstood First Amendment scrutiny because it “directly regulates unprotected activity (accessing material that is obscene to minors without submitting to age verification) while only incidentally burdening protected activity (ultimately accessing that material).” The opinion suggests that the First Amendment may not be as substantial an obstacle for new digital regulations with the current composition of the Supreme Court.

  • App Store Age Verification: Texas is one of four states that is enacting significant new requirements for online apps and app marketplaces. The Texas App Store Accountability Act requires app stores to verify the age category of app users and obtain parental consent for minor users prior to download or purchase. It also obligates the apps themselves to assign an age rating to their app and verify that the app store has determined the user’s age and obtained parental consent where appropriate. Texas’s law was supposed to take effect on Jan. 1. To the relief of many app developers, however, the law is currently blocked pending a First Amendment challenge.
  • Data Brokers: Texas is also one of just four states with a so-called data broker law. A data broker is a business whose principal source of revenue is derived from the collecting, processing or transferring of personal data that it did not collect directly from the individual — they often play a role in the online targeted advertising ecosystem. Data brokers must publicly register with the secretary of state and implement a comprehensive information security program. Unlike other states with a data broker law, Texas also requires that data brokers post a conspicuous notice on their websites or mobile apps of their status as a data broker.

Aggressive Privacy Enforcement

The Texas Office of the Attorney General has been vested with broad authority to enforce data privacy, security and technology-related laws in the state. The AG has used this slate of laws at its fingertips to achieve high dollar, highly publicized settlements. It has also sought to regulate AI using existing consumer laws and to quickly bring investigations and lawsuits under newer privacy laws, including the TDPSA and SCOPE Act. The volume and speed of the AG’s privacy enforcement stands in contrast to many other states.

In June 2024, a few weeks before the TDPSA took effect, the AG announced the creation of the Tech and Privacy Team within in its Consumer Protection Division. With roughly 20 staff, the Tech and Privacy Team is one of the largest privacy enforcers in the country. In their first year, the team investigated over 200 companies for potential violations of state data laws.  

The AG has made so-called “big tech” companies a focus of its enforcement, stating that “[i]n Texas,  Big Tech is not above the law.” The AG finalized a $1.4 billion settlement with Meta for alleged violations of the state’s biometric privacy law in July 2024. The state alleged that Meta ran facial recognition software on photos uploaded to Facebook without requisite notice or consent — Meta denied any wrongdoing. That settlement represents the largest ever from a single-state AG action. And the following year, the AG finalized a similarly-sized $1.375 billion settlement with Google related to alleged violations of the state’s biometric law for collecting voiceprints and facial geometry without requisite notice or consent and alleged violations of the state’s deceptive trade practices act for continuing to track users’ browsing and location histories when they had turned off tracking. The AG has also used its powers under the SCOPE Act to sue several online platforms for allegedly failing to provide parents with legally required tools to manage their children’s privacy and account settings.

The AG has sought to regulate AI through its existing authority to go after unfair and deceptive consumer practices. In September 2024, the AG announced a first-of-its-kind settlement against generative AI healthcare company Pieces Technologies for using allegedly deceptive and misleading statements regarding the accuracy and safety of its products. Pieces deployed its generative AI products at Texas hospitals to synthesize and summarize patient charts and notes. The AG alleged that Pieces developed inaccurate metrics to support its claim that its healthcare AI products were “highly accurate.”

And in the last few months, the AG has initiated several enforcement actions involving technology and e-commerce platforms operated by companies with Chinese ownership or ties. The AG stated that “[c]ompanies, especially those connected to the Chinese Communist Party, have no business illegally recording Americans’ devices inside their own homes.”

Texas will elect a new AG in 2026 — the first time that office has changed hands since 2014. It remains to be seen whether the winner of that race will continue AG Ken Paxton’s consumer privacy priorities. And Paxton is currently locked in a Republican primary runoff for the U.S. Senate against incumbent Sen. John Cornyn. Cornyn has been supportive of certain federal privacy legislation, including a kids online safety bill that is currently being considered.

Conclusion

With limited federal regulation, states have become primary regulators and enforcers of consumer privacy. While many have considered California as the leading regulator, Texas has recently taken a comprehensive and relatively aggressive approach to consumer privacy. For the many companies that are Texas based or that sell to Texas consumers, they should carefully consider the application of Texas’ slate of laws to their business.

Garrett Lance focuses his practice on privacy, cybersecurity, and AI matters, as well as commercial litigation. He is a managing associate based in Dallas.

©2026 The Texas Lawbook.

Content of The Texas Lawbook is controlled and protected by specific licensing agreements with our subscribers and under federal copyright laws. Any distribution of this content without the consent of The Texas Lawbook is prohibited.

If you see any inaccuracy in any article in The Texas Lawbook, please contact us. Our goal is content that is 100% true and accurate. Thank you.

© Copyright 2026 The Texas Lawbook
The content on this website is protected under federal Copyright laws. Any use without the consent of The Texas Lawbook is prohibited.