The Power of Precedent: Texas’s Legal Strategy Against General Motors

By Joshua Vaughan, Zaviant

Many states have passed privacy laws that are now in effect, but we have seen very little activity outside of California when it comes to enforcement. Texas’s new privacy law, Texas Data Privacy and Security Act (TDPSA) went into effect on July 1st, 2024. Yet when Texas Attorney General, Ken Paxton, sued General Motors (GM) for privacy violations it used the older Texas Deceptive Trade Practices-Consumer Protection ACT (DTPA) and not Texas’s new privacy legislation.  

Texas is the first to file a lawsuit against an automotive company for collecting and selling customer’s PII without sufficient notice of their business practices. Texas alleges General Motors deceived its customers by compelling them to enroll in its products during the “onboarding” process. Texas alleges GM coerced customers by telling them declining enrollment would disable the vehicles safety features. Texas claims that despite lengthy and convoluted disclosures, GM failed to inform customers of its actual conduct. 

This behavior seems to be the type of privacy deception that the new TDPSA was passed to confront. So why might Texas have chosen to file a suit for violating the deceptive trade practices legislation versus the new privacy law?  

DTPA is an established legal framework 

The DTPA is an established legal framework that has existed since 1973. It is familiar to both the courts and businesses. Texas does not want to spend resources litigating a novel piece of legislation for the first time against a large well-funded corporation with unlimited resources like GM. Using the DTPA is advantageous because there are decades of case law and precedent for Texas to pull from. This includes lawsuits brought at the federal level by the FTC. 

Scope of the law is broader 

The DTPA is intentionally broad, prohibiting a wide range of “false, misleading, or deceptive acts or practices” in trade or commerce. This broad language allows the Attorney General to pursue claims that might not be specifically covered under a newer, more narrowly defined law like the TDPSA. Using the DTPA emphasizes the consumer protection angle of the lawsuit, which might resonate more with a court or jury than a newer, more technical privacy law. This changes the focus from the more technical question of whether GM gave notice to customers to whether the notice given was deceptive, confusing, or misleading.  

Potential remedies and penalties are greater with TDPSA 

The DTPA offers a broader range of remedies including a consumer private right of action and treble damages for egregious conduct where the company intentionally or knowingly violated. The TDPSA provides for civil penalties of up to $7,500 per violation whereas the DTPA allows fines of up to $20,000 per violation. However, unlike the TDPSA, these penalties don’t usually multiply for widespread or systemic violations unless each individual affected is counted as a separate violation. The TDPSA has the potential to result in much higher fines, especially when dealing with multiple violations related to data privacy breaches. The DTPA generally has lower penalty caps per violation but may include significant damages in individual cases, particularly when enhanced damages (such as treble damages) are awarded. However, for large-scale violations affecting many people, the TDPSA would likely result in substantially higher penalties. 

Although the potential fines would likely be higher under the new TDPSA, the broader more flexible scope and the established legal precedent of the DTPA appear more advantageous to the District Attorney’s office. Perhaps this will change in the future as legal precedents are made and courts become more accustomed to these new laws.  

The decision not to file under both laws is probably a strategic one. By focusing on the DTPA, Texas can ensure a cohesive legal argument, avoiding conflicts between the legal standards and interpretations, allowing Texas to argue a clear and straightforward case to the jury or court with only one legal theory.  

Some states, like Colorado, have integrated their privacy laws into existing consumer protection frameworks. In Colorado, a violation of the Colorado Privacy Act automatically constitutes a violation of the Colorado Consumer Protection Act. This integration allows the Colorado Attorney General to leverage established legal precedents and more easily pursue enforcement actions. As other states observe this approach, they may consider following suit, using their Unfair and Deceptive Acts and Practices legislation to pursue similar cases. Over time, as more cases are brought under the TDPSA and comparable laws, we may see a growing reliance on these newer statutes as courts develop precedents and businesses become more familiar with their obligations.