In a forceful assertion of state-level data sovereignty, Texas Attorney General Ken Paxton has issued formal warnings to several Chinese technology firms including TP-Link, Alibaba, CapCut, and other companies with ties to the Chinese Communist Party (CCP) alleging widespread violations of Texans’ privacy rights. If you’ve been following our recent educational series on data privacy you would have noticed that Ken Paxton has been aggressive along with other regulators on ramping up enforcements.
Relying on newly granted powers under the Texas Data Privacy and Security Act (TDPSA), which can live in July of 2024, Paxton’s office has given these companies 30 days to bring their practices into compliance or face further legal action.
The TDPSA, one of the most robust consumer data privacy laws in the United States, requires covered entities to:
- Disclose whether and how they process personal data
- Provide consumers with clear rights to opt out of data collection
- Enable complete deletion of personal information upon request
If TP-Link, Alibaba, CapCut, and others fail to meet these standards within the deadline, the Texas Attorney General’s Office has pledged to initiate formal legal proceedings, which could result in significant civil penalties and injunctive relief.
This move marks a sharp escalation in the ongoing tension between U.S. privacy authorities and China-affiliated technology platforms, particularly those accused of surveilling or profiling American users.
Legal Action Against Chinese Companies: Beyond TikTok
While TikTok and its parent company ByteDance remain at the center of public scrutiny, Paxton’s announcement broadens the scope of enforcement. By explicitly calling out TP-Link (a major manufacturer of internet routers and surveillance equipment), CapCut (a widely used video editing app), and Alibaba (a global e-commerce and cloud services powerhouse), the Texas AG’s office is signaling that no entity is beyond reach if it processes sensitive consumer data without lawful transparency and control mechanisms and this is in line with the USA’s war of dominance with China.
These companies are suspected of collecting user data, such as browsing history, device identifiers, location information, and behavioral patterns, in ways that bypass opt-out mechanisms or fail to offer meaningful consent options—a direct violation of TDPSA mandates.
China’s Personal Information Protection Law (PIPL): A Sharp Contrast
Interestingly, China has implemented its own data privacy framework the Personal Information Protection Law (PIPL) which is similar to the EU’s GDPR. PIPL:
- Restricts data transfers outside China
- Requires informed consent for data collection
- Gives Chinese citizens rights to correct, delete, and access their data
Yet, critics argue that PIPL is selectively enforced, and when it comes to Chinese companies operating abroad, compliance with foreign data protection laws is inconsistent at best. This inconsistency underscores why states like Texas are moving aggressively to protect their residents from foreign data exploitation especially as Texans are aware of the data implications with the Chinese.
TikTok’s Global Privacy Violations Reinforce Scrutiny
Earlier this year, TikTok was fined €530 million ($600 million) by the European Union for unlawfully transferring user data from the EU to servers in China and failing to implement adequate transparency measures. The Irish Data Protection Commission (DPC), which led the investigation, found that TikTok’s privacy practices violated several key GDPR provisions—including failure to notify users that Chinese-based employees could access their personal data.
TikTok’s fine has emboldened U.S. regulators to demand similar accountability, particularly as the company negotiates a potential divestment deal with the U.S. government under national security pressure. Paxton’s legal stance aligns with bipartisan concerns in Congress over TikTok’s growing influence on U.S. soil.
Texas’ Broader Privacy Enforcement Record
Attorney General Paxton’s recent action is part of a larger strategy to make Texas a national leader in privacy enforcement. Over the past two years, his office has aggressively pursued settlements and lawsuits aimed at curbing unlawful data collection and enhancing consumer privacy protections.
Notable Cases Include:
- Meta (Facebook): Texas secured a $1.4 billion settlement over allegations of unauthorized biometric data harvesting through facial recognition systems.
- Google: A $1.375 billion settlement followed a lawsuit over location tracking without user consent.
- Allstate: Paxton sued the insurer for selling Texans’ precise geolocation data, allegedly without meaningful consumer knowledge or opt-out mechanisms.
These actions have positioned Texas as one of the few states outside California with a robust privacy enforcement agenda, now powered by the TDPSA.
Understanding the Texas Data Privacy and Security Act (TDPSA)
Passed in 2023 and coming into full effect starting in July of 2024, the TDPSA introduces sweeping rights and responsibilities for businesses handling Texans’ personal data.
Key TDPSA Requirements:
- Businesses must conduct data processing impact assessments.
- Consumers must have clear rights to access, delete, and opt out of the sale or sharing of their personal data.
- Data processors must establish reasonable security procedures and vendor oversight.
- Violators can face civil penalties of up to $7,500 per violation, enforceable by the Attorney General.
Notably, there is no private right of action under the TDPSA enforcement authority lies solely with the AG’s office.
What Businesses Need to Do Now
This latest legal salvo from AG Paxton should serve as a wake-up call not just to foreign tech firms, but to any company operating in Texas or collecting data from Texas residents. With the TDPSA as the enforcement framework, companies should urgently:
- Audit their data collection and retention practices
- Implement granular opt-out mechanisms
- Train staff on data subject rights and request handling
- Evaluate third-party trackers, analytics, and data flows for compliance risks
- Disclose processing practices clearly in their privacy policies
Enforcement Is Just Getting Started So Don’t Mess With Texas
By targeting CCP-affiliated firms like TP-Link, CapCut, and Alibaba, Paxton is not only enforcing domestic privacy laws but also staking out a geopolitical position on data sovereignty. The TDPSA gives Texas unprecedented enforcement tools to hold foreign and domestic companies accountable and Paxton appears ready to use them.
With global scrutiny of platforms like TikTok intensifying and state privacy laws becoming more aggressive, businesses should expect continued enforcement waves in 2025 and beyond. The question is no longer whether privacy compliance matters—but whether your organization is ready for regulator scrutiny when it comes.
