Article Title
In February 2025, Texas Attorney General Ken Paxton launched a high-profile investigation into DeepSeek, a Chinese artificial intelligence (AI) company, over alleged violations of the Texas Data Privacy and Security Act (TDPSA). This enforcement action, part of a broader push to regulate AI systems and foreign tech firms, underscores the growing intersection of data privacy laws, national security concerns, and corporate responsibility in the AI era. As scrutiny over AI governance intensifies, businesses operating in Texas and beyond must understand the TDPSA’s implications, particularly in light of increasing state-led regulatory efforts.
The DeepSeek Investigation: A Case Study in AI Governance
The Texas Attorney General’s office has accused DeepSeek of failing to implement adequate data privacy safeguards while marketing its AI models as competitive with leading U.S. systems like OpenAI’s. Central to the investigation are concerns over potential data exploitation, transparency failures, and security vulnerabilities. Allegations suggest that DeepSeek’s ties to the Chinese Communist Party (CCP) could lead to unauthorized data collection, posing risks to consumer privacy and U.S. AI competitiveness.
Further complicating the case, DeepSeek reportedly withheld critical details about its data processing practices in submissions to major app marketplaces such as Apple and Google. In response to these concerns, Texas authorities banned DeepSeek’s platform from all Attorney General office devices in January 2025, citing potential espionage and censorship risks. This probe follows Paxton’s previous enforcement actions against TikTok and Meta, reinforcing a broader strategy of leveraging state laws to address perceived gaps in Federal AI oversight.
Understanding the Texas Data Privacy and Security Act (TDPSA)
The TDPSA, which took effect on July 1, 2024, establishes strict requirements for businesses handling the personal data of Texas residents. Unlike some privacy laws that apply only to large corporations, the TDPSA imposes compliance obligations on businesses of all sizes unless they qualify as small enterprises under Federal standards.
The law grants Texas consumers significant rights over personal data, including access, correction, and deletion requests. It also mandates that businesses obtain explicit consent before processing sensitive data such as biometric information, geolocation, and health records. Additionally, Texans can opt out of data processing for targeted advertising, profiling, or selling of personal information.
For businesses, compliance requires implementing strong security safeguards, minimizing data collection to only what is necessary, and ensuring third-party vendors adhere to TDPSA standards. Companies engaging in high-risk data processing — such as AI-driven profiling, targeted advertising, or biometric data analysis — must conduct formal Data Protection Assessments (DPAs) to evaluate risks and document mitigation strategies. The Texas Attorney General has exclusive enforcement authority under the TDPSA, with penalties reaching up to $7,500 per violation.
The Impact on AI-Driven Businesses
The DeepSeek case highlights how AI companies must navigate new privacy and security standards, particularly regarding data collection and algorithmic decision-making. One major challenge lies in training data practices — businesses using consumer data to refine AI models must ensure they collect only what is “reasonably necessary” under the TDPSA. Transparency is also critical, as AI systems that engage in profiling or automated decision-making must provide clear disclosures and allow consumers to opt out of such processes.
Third-party AI services further complicate compliance. Businesses integrating external AI tools — whether for customer support, analytics, or operational automation — must conduct thorough vendor audits. If a third-party AI provider engages in unauthorized data processing or lacks adequate privacy controls, liability may extend to the company using the tool. Given the heightened scrutiny on foreign AI firms, Texas regulators will likely impose stricter enforcement measures against companies with opaque data governance practices.
Regulatory Enforcement Trends
Texas has emerged as a leader in AI and data privacy enforcement, with Attorney General Paxton taking an aggressive stance on high-risk AI applications. Recent actions against Meta, TikTok, and DeepSeek suggest focusing on child safety, foreign tech influence, and AI systems impacting financial, healthcare, or employment outcomes. Businesses deploying AI in these sensitive areas should expect heightened regulatory scrutiny and prepare for compliance audits.
The state’s approach mirrors broader trends in AI governance, as policymakers increasingly emphasize transparency, accountability, and consumer protection. While federal AI regulations remain fragmented, Texas’ enforcement actions signal that state-level laws will be essential in shaping AI oversight nationwide.
Strategic Considerations for Business Leaders
For organizations integrating AI into their operations, ensuring compliance with the TDPSA and related regulations is a legal necessity and a strategic imperative. Conducting a comprehensive audit of AI data practices is the first step in mitigating risk. Businesses must map all data inputs used for AI training, confirm alignment with disclosed purposes, and validate that third-party AI vendors adhere to TDPSA requirements.
Transparency is equally vital. Companies should update privacy notices to clarify how AI-driven data processing occurs and implement layered consent mechanisms for sensitive applications such as biometrics or emotion recognition. Additionally, businesses engaged in AI-driven profiling or automated decision-making should conduct DPAs to evaluate potential risks and reinforce governance measures.
Beyond compliance, fostering an ethical AI culture is critical to long-term success. Establishing internal AI ethics committees can help organizations proactively identify risks related to bias, transparency, and regulatory compliance. Companies should also monitor legislative developments, such as the pending Texas Responsible AI Governance Act (TRAIGA), which could introduce even stricter AI safeguards.
Navigating the New Privacy-AI Frontier
The Texas Attorney General’s investigation into DeepSeek exemplifies the growing role of state laws like the TDPSA in regulating AI’s societal impact. For businesses, compliance is no longer just about avoiding fines — it is about building consumer trust, maintaining market credibility, and ensuring long-term AI sustainability. Companies that embed privacy-by-design principles into their AI systems, strengthen transparency, and anticipate regulatory shifts will be better positioned to lead in the evolving digital landscape.
AG Paxton’s office has clarified that the risks associated with unauthorized data collection, algorithmic bias, and foreign tech influence are being taken seriously. In this climate, proactive governance is not optional — it is the foundation for responsible AI innovation. Business leaders who embrace this shift and align AI strategies with emerging regulations will mitigate legal risks and set the standard for ethical AI adoption in the years ahead.
Want more insights like these? Explore the world of AI for business leadership in my book, From Data to Decisions: AI Insights for Business Leaders. It’s a curated collection of strategies and lessons from my LinkedIn articles published in 2024, available now on Amazon at https://a.co/d/3r49Cuq.
Want to learn more? Join our Wait List for our Printed Monthly Newsletter, Innovation Circle.
|