On Tuesday, Texas Attorney General (AG) Ken Paxton announced the creation of a team dedicated solely to the prosecution and enforcement of Texas’ privacy laws. The team will focus on handling cases under at least seven different laws, including the state’s relatively new comprehensive consumer privacy law, and will be part of the office’s Consumer Protection Division. In his announcement, the AG touts the team as the largest such unit in the U.S., and one that will aggressively enforce the state’s privacy laws.

The unit’s creation comes on the eve of Texas’ comprehensive consumer privacy law, the Data Privacy and Security Act, taking effect on July 1. Eighteen states have now enacted comprehensive consumer privacy laws over the past six years, with several additional states currently considering similar legislation. Common to other such laws, Texas’ version requires companies that control or process consumers’ personal identifying information to allow those consumers to access, edit, or delete their data, and to opt out of the sale of that data and targeted advertising that utilizes that data. It also requires collection of such data for only the stated purpose provided in a mandated notice to consumers at the point of collection. Enforcement rests with the AG, and statutory penalties include a maximum $7,500 civil penalty per violation and injunctive relief.

In addition to the Data Privacy and Security Act, the newly created team will enforce other privacy-related laws, including the Identify Theft Enforcement and Protection Act, the Data Broker Law, the Biometric Identifier Act, the Deceptive Trade Practices Act, and federal laws, including the Children’s Online Privacy Protection Act (COPPA) and the Health Insurance Portability and Accountability Act (HIPAA).

Texas’ creation of a specific unit dedicated to privacy enforcement highlights the rapid proliferation of privacy-related laws and underscores a shifting focus toward privacy enforcement in state AG offices. Many state AGs have previously struggled with marshaling sufficient resources dedicated solely to privacy enforcement, as they are often hamstrung by state budgetary concerns, and have thus assigned such enforcement to existing consumer protection or computer crime divisions. Indeed, the AGs often pool resources to investigate data breaches and privacy-related incidents through multistate coalitions that are part of the National Association of Attorneys General. But the Texas AG’s commitment to devoting an entire unit solely to privacy enforcement may signal a sea change within individual AG offices and a willingness to prioritize privacy over other areas, given the sharp increase in data breaches and cyber incidents over the past several years. Other AGs may follow suit to demonstrate their own shared commitment to privacy enforcement.

Companies handling consumer data must carefully navigate a gauntlet of varying state privacy laws, in addition to industry-specific federal regulations. This increased regulatory scrutiny by the Texas AG highlights the urgency to ensure compliance with state privacy laws. Companies should consult skilled legal counsel to ensure they are meeting the rapidly developing patchwork of regulatory standards. Stay tuned as the Troutman Pepper Incidents and Investigations team keeps you apprised of future developments in this area.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Stephen C. Piepgrass Stephen C. Piepgrass

Stephen leads the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He focuses his practice on enforcement actions, investigations, and litigation. Stephen primarily represents clients engaging with, or being investigated by, state attorneys general and other state or local governmental enforcement bodies,

Stephen leads the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He focuses his practice on enforcement actions, investigations, and litigation. Stephen primarily represents clients engaging with, or being investigated by, state attorneys general and other state or local governmental enforcement bodies, including the CFPB and FTC, as well as clients involved with litigation, with a particular focus on heavily regulated industries. He also has experience advising clients on data and privacy issues, including handling complex investigations into data incidents by state attorneys general other state and federal regulators. Additionally, Stephen provides strategic counsel to Troutman Pepper’s Strategies clients who need assistance with public policy, advocacy, and government relations strategies.

Photo of Sadia Mirza Sadia Mirza

Sadia leads the firm’s Incidents + Investigations team, advising clients on all aspects of data security and privacy issues. She is the first point of contact when a security incident or data breach is suspected, and plays a central role in her clients’

Sadia leads the firm’s Incidents + Investigations team, advising clients on all aspects of data security and privacy issues. She is the first point of contact when a security incident or data breach is suspected, and plays a central role in her clients’ cybersecurity strategies.

Photo of Gene Fishel Gene Fishel

Gene is a member of the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) practice, based in the Richmond office. He brings extensive regulatory experience, having most recently served as senior assistant attorney general and chief of the Computer Crime Section in the Office

Gene is a member of the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) practice, based in the Richmond office. He brings extensive regulatory experience, having most recently served as senior assistant attorney general and chief of the Computer Crime Section in the Office of the Attorney General of Virginia, and as special assistant U.S. attorney in the Eastern District of Virginia for 20 years.