
What the New Texas Crackdown Means for Data Privacy Regulations

Written by Bob Lam | June 16, 2024

In recent years, the data privacy landscape has become increasingly complex, with new regulations seeming to crop up every other month.

Laws like the California Consumer Privacy Act, the Colorado Privacy Act, and the Florida Digital Bill of Rights have created a patchwork of varied regulations that businesses must navigate. Vermont is the most recent to join their ranks, with state legislators passing one of the nation’s toughest data privacy laws last month. (The bill has yet to be signed by the governor.)

Meanwhile, the EU’s GDPR may soon face scrutiny in a potential Schrems III case, following the approval of the EU-US Data Privacy Framework. And other nations aren’t far behind, with laws like Brazil’s LGPD, China’s PIPL, and South Africa’s POPIA creating a complex web of cross-border data protection requirements that multinational corporations must adhere to.

Despite the abundance of legislation, though, enforcement has generally been weak. Other than some high-profile GDPR and PIPL fines, we’ve seen a lack of resources or political will to hold companies accountable for data privacy violations.

Two weeks ago, however, the state of Texas launched a new team that might change the enforcement landscape. The team, housed within the Consumer Protection Division of the Texas Office of the Attorney General, is focused on the “aggressive enforcement of” both state and federal data privacy and security laws.

Today, we dive into the new Texas data security crackdown, explaining what’s going on and exploring why enforcement is the key to privacy-driven security spending.

Overview: The new Texas data privacy team

Announced in early June, the new Texas unit will be part of larger consumer protection efforts in the state. The data privacy team, which could become the largest in the country, will focus primarily on state laws governing data privacy and security, identity theft, biometric information protection, and consumer protection. These include the Texas Data Privacy and Security Act, the Texas Identity Theft Enforcement and Protection Act, the Texas Capture or Use of Biometric Identifier Act (CUBI), and the Texas Deceptive Trade Practices Act (DTPA).

The team will also focus on two federal laws: the Children’s Online Privacy Protection Act (COPPA), which covers children’s privacy, and the Health Insurance Portability and Accountability Act (HIPAA), which covers healthcare data.

“Any entity abusing or exploiting Texans’ sensitive data will be met with the full force of the law,” said Texas Attorney General Ken Paxton in a statement. “Companies that collect and sell data in an unauthorized manner, harm consumers financially, or use artificial intelligence irresponsibly present risks to our citizens that we take very seriously. …With companies able to collect, aggregate, and use sensitive data on an unprecedented scale, we are strengthening our enforcement of privacy laws to protect our citizens.”

A brief history of Texas’s data privacy laws

The AG’s announcement comes just before the Texas Data Privacy and Security Act goes into effect on July 1, 2024. It also indicates a particular concern about the illegal exploitation of consumer data by big tech, AI companies, and data brokers.

The Texas Attorney General has invited controversy with his indictment for securities fraud, his false claims of national voter fraud, and other accusations of wrongdoing. But on the data privacy score, his office has been at the forefront of enforcement. In 2022, it sued Meta for Facebook’s practice of capturing and using Texans’ biometric data without consent, including storing millions of biometric identifiers about Texans’ facial geometry and voiceprints taken from Facebook photos and videos. The same year, it sued Google for collecting and indefinitely storing similar biometric information about Texans’ facial geometry and voiceprints without their consent.

Here are the state laws that we expect to generate the most scrutiny from the new Texas data privacy team.

The Texas Data Privacy and Security Act. As we’ve detailed in an earlier blog post, the Texas Data Privacy and Security Act (TDPSA) is one of the most broadly applicable of the US state data privacy laws. Signed into law in June 2023, it applies to any entity that 1) conducts business in Texas or produces products or services consumed by Texas residents, 2) processes or sells consumers’ personal data, and 3) is not considered a “small business” by the US Small Business Administration (SBA). The TDPSA gives consumers the right to access and control certain aspects of their personal data, and it affords special protections to sensitive data. It also requires businesses to honor universal opt-out mechanisms, and it broadens the definition of personal data, making it one of the most consumer-friendly of the US data protection laws.

The Texas Identity Theft Enforcement and Protection Act. Passed in 2005, this law requires businesses to implement reasonable procedures to protect against the unlawful use or disclosure of any sensitive personal information they collect or maintain in the course of business, and to notify affected individuals after a breach of system security involving that information. The act focuses specifically on personally identifiable information (PII) such as Social Security, credit card, and driver’s license numbers.

The Texas Deceptive Trade Practices Act (DTPA). Enacted in 1973, this law protects consumers against false and misleading business and insurance practices. It mainly governs consumer transactions involving both goods and services, although it excludes professional services like consulting. The DTPA provides for both public enforcement by the Texas AG and private remedies. 

The Texas Capture or Use of Biometric Identifier Act. Known as CUBI, this law regulates the capture, receipt, possession, sharing, and retention of biometric identifiers, which include retina and iris scans, fingerprints, voiceprints, and records of “hand or face geometry.” Under CUBI, organizations are generally prohibited from capturing biometric identifiers for a commercial purpose unless they inform the individual and obtain consent first. Companies are also limited in their disclosure and retention of biometric identifiers. Although there is no private right of action, the law provides for civil penalties of up to $25,000 per violation, enforced by the Texas AG.

What the Texas data crackdown tells us about data privacy enforcement

Worldwide, the reality of enforcement has often fallen short of what legislators and privacy advocates might hope for. In 2023, for example, only about 550 GDPR fines were issued across the entire EU, with many being for relatively small amounts. Similarly, the Federal Trade Commission (FTC) in the US has been criticized for its limited authority to pursue enforcement. Even when fines are issued, they often represent a small fraction of a company’s revenue, making them more of a cost of doing business than a true deterrent.

The gap between legislation and enforcement has significant implications for corporate spending on privacy-driven security. If the perceived risk of enforcement is low, businesses are likely to do a basic cost-benefit analysis and choose to underinvest in privacy measures. This is particularly true for tech giants and data brokers, whose business models rely heavily on large-scale data processing. Without robust enforcement, these organizations have little incentive to alter their practices.

However, if enforcement becomes more consistent and penalties more severe — as they likely will in Texas under the new crackdown — businesses will start to reassess their privacy investments. With robust enforcement, the cost of non-compliance could quickly outstrip the cost of implementing strong data protection measures.

What’s more, consistent enforcement can motivate companies to avoid privacy violations in order to escape reputational risks. High-profile fines can lead to loss of consumer trust, decreased market share, and strained relationships with business partners. As consumers become more privacy-conscious, businesses that prioritize data protection may gain a competitive edge.

So far, the impact of our myriad data privacy laws has been blunted by inconsistent enforcement. But we seem to be on the verge of a landscape where enforcement will become a key driver of data privacy and security spending.

ShardSecure: A robust solution for data privacy and protection 

As Texas’s enforcement efforts get underway, businesses will need to move beyond mere legal compliance to embrace data privacy and security as a fundamental part of their operations. The good news? Companies that act proactively may find themselves not only avoiding hefty fines but also earning the loyalty of their more security-conscious customers.

The ShardSecure platform offers robust data privacy, security, and resilience for data stored in on-prem, cloud, and multi-cloud architectures. Our technology safeguards critical data — including consumer personal data and sensitive data — against unauthorized third-party access.

The ShardSecure platform also reduces the risk of noncompliance with various state and international data privacy laws. For example, our technology meets the European Data Protection Board’s requirements as a supplemental technology to enable cross-border data transfers under the GDPR. 

Last year, ShardSecure was named a Gartner® Cool Vendor in the August 2023 Cool Vendors™ for Privacy report.

To learn more, visit our resources page and explore our other compliance blog posts.

Sources

Vermont’s data privacy law sparks state lawmaker alliance against tech lobbyists | Politico

Texas Identity Theft Enforcement and Protection Act | Smart Global Governance

Texas Enforcement of Biometric Law Focuses on Artificial Intelligence | Holland & Knight

Consumer Rights | Office of the Attorney General

Attorney General Ken Paxton Launches Data Privacy and Security Initiative to Protect Texans’ Sensitive Data from Illegal Exploitation by Tech, AI, and Other Companies | Office of the Attorney General

Paxton Sues Facebook for Using Unauthorized Biometric Data | Office of the Attorney General

Texas Attorney General Ken Paxton sues Google for compiling Texans' biometric data | Texas Tribune

BUSINESS AND COMMERCE CODE - CHAPTER 503 | Texas Constitution and Statutes

GDPR Enforcement Tracker | enforcementtracker.com

The FTC is Currently the Primary Privacy Enforcer but its Authority is Limited | New America

Data Privacy Through the Lens of Big Tech | The Regulatory Review


Gartner Disclaimer

GARTNER is a registered trademark and service mark of Gartner and Cool Vendors is a registered trademark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.