
Texas Attorney General Using Deceptive Trade Practices Act to Enforce AI, Data Privacy: How This Impacts Texas Businesses


Over the past year, Texas Attorney General Ken Paxton has systematically built what may be one of the nation’s most aggressive state-level data privacy enforcement programs.

Through a series of announcements and enforcement actions, the AG’s office has made it clear that the Texas Deceptive Trade Practices Act (DTPA) will be a central tool in its arsenal against companies that mishandle consumer data or misrepresent their data practices.

This article examines the three pivotal developments in this enforcement initiative and provides critical guidance for Texas businesses navigating these emerging compliance challenges.

June 4, 2024: A New Era: The Launch of a Dedicated Privacy Enforcement Team

On June 4, 2024, AG Paxton announced the creation of a specialized data privacy and security enforcement team within the Consumer Protection Division. This team was explicitly positioned to become “among the largest in the country focused on enforcing privacy laws.”

The AG’s enforcement initiative specifically targets compliance with Texas’s privacy protection laws, including:

  • Texas Data Privacy and Security Act: Effective July 1, 2024, this law requires businesses operating in Texas to (a) provide transparent privacy notices, (b) allow consumers to opt out of the use of their personal data for certain purposes (such as targeted advertising or profiling by financial services companies), and (c) limit their collection of personal data to “what is adequate, relevant, and reasonably necessary.”
  • Identity Theft Enforcement and Protection Act: Also known as the Texas Data Breach Act, this law requires businesses to (a) implement and maintain reasonable safeguards to protect sensitive personal information (such as an individual’s name in combination with their driver’s license number, Social Security Number, or financial account numbers) from unlawful use or disclosure and (b) notify the Texas Attorney General’s office in the event of a breach.
  • Data Broker Law: This newly enacted law requires companies that buy and sell personal data to (a) register with the state annually, (b) maintain comprehensive security measures, and (c) post conspicuous notices on their website or app disclosing their data broker status.
  • Biometric Identifier Act: This law, in effect since 2009, prevents the collection, use, and storage of an individual’s biometric identifiers (such as fingerprint, voiceprint, or face geometry) for commercial purposes without prior notice and consent.
  • Deceptive Trade Practices Act: This “mini-FTC act” has existed in Texas since the 1970s and prohibits false, misleading, or deceptive business practices, providing the Texas AG with broad enforcement authority and significant penalties for violations.

The team’s enforcement authority will also extend to federal laws including the Children’s Online Privacy Protection Act (COPPA) and the Health Insurance Portability and Accountability Act (HIPAA).

The DTPA Connection: A Strategic Enforcement Approach

The inclusion of the Deceptive Trade Practices Act – Texas’s primary consumer protection statute – represents a significant strategic choice. By explicitly naming the DTPA as part of this initiative, the AG signaled that deceptive statements about data privacy practices would be treated as consumer protection violations.

This approach provides the AG’s office with considerable enforcement flexibility, as the DTPA allows for:

  • Civil penalties up to $10,000 per violation
  • Injunctive relief
  • Restitution for consumers
  • Recovery of attorney’s fees, court costs, and investigative costs

June 18, 2024: Mass Notification Campaign Targets Data Brokers

Just two weeks after establishing the privacy enforcement team, the AG’s office demonstrated its commitment by issuing notification letters to “over one hundred companies” regarding their apparent failure to register under the Texas Data Broker Law.

How the DTPA Amplifies Enforcement

While the AG’s data broker mass notification campaign on June 18, 2024, directly referenced the Data Broker Law (Chapter 509 of the Texas Business and Commerce Code), the AG’s accompanying statement emphasized that the office would be enforcing “the full slate of Texas privacy laws,” including consumer protection laws like the DTPA.

This signals that the AG may pursue companies using multiple legal claims simultaneously, treating failures to comply with specific privacy statutes as potential DTPA violations as well – significantly increasing potential liability for non-compliant businesses.

Sept. 18, 2024: Setting Precedent: First-of-its-Kind AI Settlement Shows DTPA in Action

The most revealing development in this initiative came on September 18, 2024, when AG Paxton announced a settlement with Pieces Technologies, a Dallas-based healthcare artificial intelligence (AI) company. This case provides a concrete example of how the DTPA is being applied to data privacy and AI issues.

The DTPA as a Tool Against AI Misrepresentation

The Pieces Technologies settlement resolved allegations that Pieces had made “false and misleading statements about the accuracy and safety of its products.” Specifically, the company had claimed its healthcare AI products had an error rate or “severe hallucination rate” of “<1 per 100,000,” which the AG’s investigation found “likely inaccurate.”

This case demonstrates that the AG is applying traditional consumer protection principles to AI and technology:

  • Claims about AI accuracy are being treated as product claims subject to the DTPA
  • The settlement required accurate disclosure of product limitations, a well-established remedy for DTPA violations
  • The AG framed AI misrepresentations as putting “the public interest at risk,” language consistent with DTPA enforcement

High-Risk Texas Industries: Most Impacted by the Enforcement Initiative

Based on the AG’s announcements and enforcement actions, several industries face heightened scrutiny and elevated compliance risks under this initiative:

  1. Healthcare Technology Companies: Companies developing or using AI tools for patient care, medical record analysis, or healthcare administration face particular scrutiny, especially regarding claims about accuracy and reliability.
  2. Data Brokers: The mass notification to over 100 companies about Data Broker Law compliance makes it clear that data brokers – companies that buy, sell, trade, and process personal data – are priority targets. This includes marketing data companies, people-search websites, background check services, and advertising technology firms.
  3. Technology Companies Using AI: The AG specifically named “tech, AI, and other companies” in its press release, signaling that technology companies deploying AI solutions face increased scrutiny, particularly if they make claims about AI performance or accuracy. The AG may deem such claims misleading under the DTPA.
  4. Companies Collecting Biometric Data: Businesses that collect, acquire, capture, or enroll, for commercial purposes, biometric identifiers or information about an individual, should expect enforcement attention. This includes employers using biometric time clocks, security companies, and consumer technology manufacturers.
  5. Any Business Making Privacy Claims: The broad application of the DTPA means that any business making public statements about its data privacy practices could face enforcement if those statements are found to be misleading or deceptive.

Practical Guidance: Key Takeaways and Strategies for Texas Businesses

The AG’s enforcement initiative necessitates that Texas businesses consider these risk mitigation strategies:

1. Audit Marketing Claims About Data Practices and AI: Review all public-facing statements about your data privacy practices, AI capabilities, and data security measures. The DTPA prohibits misrepresentations, so accuracy in marketing materials, privacy policies, and terms of service is essential.

2. Understand the Full Scope of the DTPA: The DTPA is a broad consumer protection statute with significant penalties. In the context of data privacy, this means:

  • Companies can face liability even without a data breach if they misrepresent their practices – with or without intent.
  • The AG can pursue cases under multiple legal theories simultaneously.
  • Remedies can include one or more of the following: monetary penalties, court orders to stop harmful practices, and consumer restitution.

3. Document the Basis for Technical Claims: If your company makes specific claims about AI accuracy, data security, or privacy protections, maintain thorough documentation supporting those claims.

When You Need Legal Assistance: DTPA Investigations by the Texas Attorney General

At Hendershot Cowart P.C., our administrative law attorneys are experienced in DTPA and privacy matters and can help your business navigate this aggressive enforcement environment.

If your business is contacted by the Texas Attorney General’s office regarding AI or data practices – whether through a formal Civil Investigative Demand, notice letter, or informal communications from AG staff such as a phone call or email – contact our offices to schedule a consultation immediately. Your business may already be under investigation.
