Given Texas’ pro-business proclivity, it’s a bit of a surprise to see the Lone Star State emerge as one of the top data privacy regulators in the country. Under Attorney General Ken Paxton, Texas has cracked down on unfair data surveillance practices from the data brokerage industry and Silicon Valley heavyweights. Over the past two years, the state has reached landmark settlements with Google ($1.375 billion) and Meta ($1.4 billion), the latter of which is the largest settlement ever obtained by a single state.
Paxton’s multipronged battle with Google
In addition to a 2020 antitrust lawsuit related to Google online ad sales, Paxton brought several other suits against the search giant, alleging deceptive trade practices and rampant user data privacy violations.
A January 2022 lawsuit alleged that Google had violated Texas’ “Deceptive Trade Practices-Consumer Protection Act” by running misleading advertisements on iHeartMedia networks in the Houston area. In this suit, Paxton contended that Google forced disk jockeys to record first-hand testimonials for Google products that the DJs had never used.
An additional suit, also brought in January 2022, claimed Google was again in violation of the Deceptive Trade Practices Act for surreptitiously tracking Texas users’ geolocation data against their will. According to the filing, Google continued to track Texas users’ locations even after users had disabled the “Location History” setting.
Paxton also accused Google of violating Texas’ “Capture or Use of Biometric Identifier” (CUBI) Act. Allegedly, the search giant used biometric data, specifically facial and voice recognition technologies from Google Photos, Nest Hub Max, and Google Assistant—all without asking Texans for permission. Lastly, Paxton filed an additional complaint to his geolocation data tracking suit, this time accusing Google’s “Incognito” browser mode of being anything but incognito.
In May 2025, Google reached a $1.375 billion settlement with Paxton’s office to end the myriad litigation. This is the largest amount Google has ever paid to settle an individual state’s claims. A previous 40-state antitrust settlement against Google netted $391 million, which pales in comparison to Texas’ recent recovery.
Meta caught in Paxton’s crosshairs
Google isn’t the only Silicon Valley titan forced to empty its coffers to Texas. In February 2022, Paxton sued Meta for violating CUBI and capturing Texans’ biometrics without obtaining consent.
In the largest privacy settlement ever captured by a state AG, Meta settled the suit in June 2024; Zuckerberg’s company is now scheduled to pay Texas $1.4 billion over the next five years.
In that suit, Paxton alleged that Meta had been illegally capturing Texans’ biometric data for over a decade. Back in 2011, Meta rolled out a facial recognition feature called “Tag Suggestions,” which ostensibly would make it easier for users to tag friends in photos. However, without providing informed consent to users, Meta allegedly deployed this feature onto users’ accounts and surreptitiously captured records of Texans’ faces for ten years.
Texas’ Data Privacy and Security Act (TDPSA) used to sue data broker
With no federal comprehensive data privacy act on the books, Texas is one of nineteen states to pass its own state legislation. And Texas, much like California, is actively enforcing it.
In January of this year, Paxton sued Allstate and its data broker subsidiary Arity for collecting and selling consumer geolocation and driving data, which was surreptitiously collected from an app on Texans’ phones. Given that there was no proper notice or consent given, Allstate has allegedly violated the Texas Data Privacy and Security Act (TDPSA), as well as the Texas Data Broker Law. Allstate and Arity also allegedly failed to disclose the sale of personal data, and they neglected to provide a way for users to opt out of the data collection.
This case hasn’t been settled yet; however, it sends a strong message to other businesses that the TDPSA will be enforced, and surreptitious collection of Texans’ user data will not be tolerated.
Texas’ other attempts to rein in Big Tech and the data brokerage industry
In June 2024, Paxton launched a data privacy and security initiative. Housed within the consumer protection division of the AG’s office, this initiative creates the largest legal team in the U.S. to focus on privacy law enforcement. In addition to federal laws like HIPAA and COPPA, the legal team will aggressively enforce Texas’ state-level data privacy laws, including TDPSA, CUBI, and its Data Broker Act.
To his credit, Paxton has taken meaningful steps to address the shadowy data brokerage industry. In fact, Texas is one of only a handful of states with a data broker registry. According to the state’s Data Broker Act, brokers are required to register annually with the Texas Secretary of State; pay the requisite fees, and post conspicuous notices on all their apps and websites informing users that they are a data broker. Also, brokers are required to take certain information security measures to protect any personal data that is collected.
Paxton’s political future and Texas’ data privacy enforcement moving forward
Under Paxton’s tenure, Texas has become a leader in consumer data privacy enforcement. In fact, after California, Texas is the most aggressive enforcer of privacy laws in the nation. However, whether this continues in the years to come remains to be seen.
Paxton will likely leave the AG office in the not-too-distant future, as he intends to challenge John Cornyn for his senate seat in March 2026. Despite being indicted for securities fraud in 2015, and more recently being accused of bribery, obstruction, and abuse of office charges (which 70% of Republicans supported in the TX house), Paxton has emerged as a powerful political force. In fact, recent polls have him and Cornyn neck and neck.
If his impressive crackdown on Big Tech consumer data privacy violations is a harbinger of things to come, Paxton’s future looks bright. And if he does leave the AG’s office, one can only hope his successor picks up right where he left off on the data privacy front.
