Texas AG Prepares for “Aggressive Enforcement” of Privacy Laws

Want to receive these privacy recaps that matter to consent management, adtech and martech in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

Texas AG Prepares for “Aggressive Enforcement” of Privacy Laws

Texas Attorney General Ken Paxton announced a “data privacy and security initiative”, establishing a team focused on “aggressive enforcement” of Texas privacy laws to “ensure companies respect Texans’ privacy rights and safeguard their personal data”.

TAKEAWAY

The Texas Data Privacy and Security Act takes effect July 1, 2024, the same day as the Oregon Consumer Data Privacy Act. Most of the Texas law borrows elements from existing privacy laws, but there are also some unique new elements, in particular with respect to sensitive data. For example, the Texas law requires specific language (“NOTICE: we may sell your sensitive personal data”) be disclosed with the privacy notice, where applicable. The Texas AG’s June 4 announcement specifically cited “sensitive data”, warning “any entity abusing or exploiting Texans’ sensitive data will be met with the full force of the law”, so companies doing business in Texas, particularly if sensitive data is involved, may want to pay attention to the Texas nuances before the July 1 effective date.  

Get the up-to-date Sourcepoint overview of US state consent and data privacy laws.

California Court Denies Google’s Motion to Dismiss CIPA Class Action

A class action (Case No.  23-cv-03527-PCP) alleging that Google violated the California Invasion of Privacy Act (CIPA), the federal Wiretap Act and the Florida, Texas and Illinois wiretapping statutes by collecting financial data through Google Analytics tools installed on several tax preparation websites has overcome Google’s motion to dismiss. Google will have until July 18 to answer or respond to the complaint. 

TAKEAWAY

The specifics of the Court’s responses to Google’s arguments may provide some useful insights to help both third-party vendors and first-party websites navigate CIPA compliance in the context of tracking and analytics tools. Specifically, the Northern District of California judge denied Google’s arguments that: (1) plaintiffs consented to the tax sites’ use of Google Analytics through terms of service and privacy policies; (2) that Google acted as a “mere vendor” of a tool that allows websites to record their own interactions with their users; and (3) that the complaint didn’t adequately plead Google’s intent or the specific contents of communications transmitted to Google. 

In response to these arguments, the court found that: (a) the mere existence of terms of service and privacy policies was insufficient to establish consent; and (b) that if, as plaintiffs’ suggest, Google read or used the data collected about users, then Google was not simply a vendor of a tool that websites can use to record their own users’ interactions on their websites; (c) that the plaintiffs’ allegations that Google would have known of, or at best turned a blind eye to, the use of its tools to collect users’ tax information was sufficient to plead Google’s willfulness; and (d) allegations of the kinds of information that the tax filing services would have been able to transmit and the mechanism for transmission were sufficient to state a claim that the contents or meaning of plaintiffs’ confidential information were read and/or used by Google.

Want more of the privacy highlights that matter for consent management, adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.