On May 9, 2025, the Texas Attorney General Ken Paxton announced a $1.375 billion settlement with Google—by far the largest state-level privacy settlement reached against Google to date. The settlement resolves lawsuits filed in 2022 alleging that Google unlawfully collected, stored, and used Texans’ sensitive personal data without consent, including location information, biometric identifiers, and web browsing activity.
The billion-plus settlement number dominates the headline, but the broader signals this case sends about state privacy enforcement are equally important. At a time when the status of privacy enforcement under the second Trump Administration remains unclear, state enforcement— including evolving biometric data risks and increased regulatory scrutiny facing large-scale consumer data collection practices—is trending upward.
What Was Alleged
According to the Texas Attorney General, Google engaged in several practices that violated the Texas Deceptive Trade Practices Act (DTPA):
- Location Tracking Despite Opt-Outs: Even when users disabled location services, Google allegedly continued to collect and use precise location data through other mechanisms such as search activity and Wi-Fi signals.
- Misleading ‘Incognito Mode’ Promises: The State argued that Google’s Chrome browser misrepresented the privacy protections afforded in “Incognito” mode, misleading users into thinking their activity was not being tracked.
- Unauthorized Biometric Collection: Through products like Google Photos and Google Assistant, Google allegedly captured and used biometric identifiers—including voiceprints and facial geometry—without informed consent, in violation of the Texas Capture or Use of Biometric Identifier Act.
Why This Matters
For companies that collect, buy, or sell user data—especially location, voice, or facial recognition information—this case is instructive. Several key points stand out:
- States May Be Willing to Go It Alone: Unlike other multistate settlements, this was a Texas-only action. It was also Texas-sized. The $1.375 billion figure dwarfs the previous $391.5 million multistate Google settlement from 2022, signaling that individual states may increasingly pursue aggressive enforcement on their own. Texas did not participate in the multistate settlement and instead elected to initiate an action independently.
- Biometric Data Is a High-Risk Category: This is the second billion-dollar biometric settlement Texas has entered into in the last year. Texas, Illinois, and other states are positioning biometric privacy as a top-tier enforcement priority, regardless of whether federal privacy legislation advances or federal privacy enforcement eventually ticks up from the FTC and others.
- Consent and Clarity Matter: Companies may want to consider revisiting how they describe data collection and tracking features—especially when terms like “Incognito” or “private browsing” may be interpreted by consumers as providing stronger protections than actually exist.
- No Admission of Liability: As with many privacy settlements, Google admitted no wrongdoing. However, the size of the monetary payment reflects the increasing reputational and legal stakes tied to perceived data misuse.
-
Practical Takeaways for Organizations
- Audit Biometric Collection and Use: Consider implementing clear, advance, opt-in consent prior to any use of facial recognition, voice detection, or other biometric tools—especially in states with standalone biometric laws.
- Reassess Location Tracking Disclosures: Confirm that disclosures are clear when location data is collected, and that opt-out mechanisms function as described.
- Expect More from States: In the absence of a federal privacy law and an expected tick down in privacy enforcement on the federal side, state attorneys general—particularly in large states like Texas and California—are likely to continue to fill the void with aggressive enforcement efforts.
