
The price of privacy compliance: What Google’s Texas settlement signals for Big Tech

Texas Attorney General (AG) Ken Paxton has announced a $1.375 billion settlement with Google resolving two lawsuits brought by the state alleging violations concerning the collection and use of Texans’ biometric and geolocation data. This enforcement action reinforces the growing importance of verifiable compliance with state-level data privacy and consumer protection statutes. 

The lawsuits and their allegations 

In 2022, AG Paxton brought lawsuits against Google for alleged violations of Texas’ Capture or Use of Biometric Identifier Act (CUBI) and the Texas Deceptive Trade Practices-Consumer Protection Act (DTPA).

One lawsuit alleged that Google’s practices collected geolocation data through Android OS, Google Apps and Services, and Google Chrome’s “Incognito Mode,” without adequate informed consent. Google purportedly collected location data via “Web & App Activity” even though users were told that disabling “Location History” would stop tracking. 

Separately, the AG charged Google with collecting biometric identifiers, including voiceprints and records of face geometry, without consent through Google Photos, Google Assistant, and Nest Hub Max. Specifically, the lawsuits discussed technologies like Face Grouping in Google Photos and Face Match in Nest Hub Max, which allegedly captured and stored biometric identifiers of both users and non-users, including minors, without consent.

Settlement details 

The $1.375 billion settlement resolves these allegations without Google admitting any wrongdoing. Google confirmed the agreement resolves multiple claims, including some already settled in other jurisdictions. Notably, the agreement does not require Google to change its business practices or product disclosures, aside from the significant financial penalty.

Key takeaways

  • AGs fill the enforcement gap in the absence of federal legislation

With no comprehensive federal privacy law in place, nearly half of the states have passed general data privacy laws to regulate personal data collection, use, and disclosure. Most of these state-level laws lack a private right of action and instead arm the Attorney General to bring suit for violations. Although these regulations vary, fundamentally they all underscore the importance of building consumer trust through clear communication of data handling practices.

  • Texas sets itself apart as a high-risk enforcement jurisdiction

AG Paxton has sought to lead the charge against Big Tech when it comes to privacy enforcement and accountability, particularly in the absence of comprehensive federal privacy regulation. Since initiating a “Data Privacy and Security Initiative” within the Consumer Protection division of Texas’ Office of the Attorney General (OAG) in June 2024, the state has prioritized assigning resources towards protecting Texans’ sensitive data. 

In July of 2024, Texas and Meta Platforms reached a comparable settlement as to biometric data and facial recognition concerns, at a similar cost of $1.4 billion. More recently, Chinese companies were put on notice by the OAG about potential data privacy violations under the Texas Data Privacy and Security Act (“TDPSA”). TP-Link, Alibaba, CapCut, and several other Chinese companies have 30 days to cure these violations and comply with Texas’ heightened privacy protections.

Texas’ OAG has thus uniquely positioned itself, through the rapid passage and aggressive enforcement of CUBI, DTPA, and TDPSA, as a jurisdiction that demands rigorous and verifiable compliance. As enforcement actions become more frequent, organizations should ready their data governance framework for heightened scrutiny and potential legal challenges coming out of Texas. 

  • Patchwork of state laws compels compliance investment

Navigating state-level privacy laws can be complex and costly. However, the large settlements by Google and Meta highlight the importance of investing in compliance, particularly with respect to tracking technologies and biometric data. Further, eight states (CA, CO, CT, DE, IN, NJ, and OR) have established a privacy enforcement and information sharing consortium, evidencing a nationwide intent to leverage shared resources and collaborate on enforcement, thereby generating a more demanding compliance landscape. Management, leadership, and boards should analyze their data management approach in order to adhere to all applicable state data privacy regulations.

  • Transparent, straightforward, and meaningful controls are crucial

Implementing clear, user-centric privacy controls that genuinely reflect consent and respect user choices is essential to mitigate legal risks and enhance consumer trust. When collecting sensitive data such as geolocation or biometric information, offering additional protections (such as prior opt-in consent) is necessary to help ensure compliance. 

Texas’ latest $1.375 billion settlement with Google follows on the heels of last year’s $1.4 billion settlement with Meta
