In a significant shift in regulatory strategy, the Texas Attorney General’s office has initiated a coordinated series of lawsuits targeting companies with alleged ties to China and the Chinese Communist Party (CCP). Notably, these enforcement actions are not grounded in national security or data privacy statutes, but rather leverage the broad powers of the Texas Deceptive Trade Practices Act (DTPA). This strategic deployment of the DTPA signals an aggressive new enforcement posture with far-reaching implications for businesses operating within Texas, particularly those with complex international supply chains, sophisticated technology products, or extensive data collection practices. Attorneys Brandt Leibe, Grant Nichols, and Michael Galdo from King & Spalding have highlighted the significance of this enforcement approach, urging companies with Chinese supply chain exposure to immediately review their marketing claims and disclosure obligations.

The recent surge in legal actions, commencing in mid-February 2026, saw the Texas Attorney General’s office file multiple lawsuits in rapid succession. These actions specifically target companies alleged to have connections with China, seeking a range of remedies including injunctive relief, substantial civil penalties, and other legal redress. While the specific allegations vary across the individual lawsuits, a consistent pattern of common themes has emerged, underscoring the AG’s focused strategy.

The Texas Deceptive Trade Practices Act: A Broad Consumer Protection Statute

At the heart of these enforcement actions lies the Texas Deceptive Trade Practices Act (DTPA), codified in Texas Business & Commerce Code §§ 17.41-17.63. This comprehensive consumer protection statute broadly prohibits any "[f]alse, misleading, or deceptive acts or practices in the conduct of any trade or commerce." The legislative intent behind the DTPA is explicitly stated as promoting its underlying purposes: to safeguard consumers against fraudulent business practices, unconscionable actions, and breaches of warranty. The statute mandates a liberal construction and application to achieve these consumer protection goals.

A critical aspect of the DTPA’s enforcement mechanism is its low threshold for proving a deceptive act. Under the statute, an act is considered false, misleading, or deceptive if it possesses "the capacity to deceive" even an "ignorant, unthinking or credulous person." This standard does not necessitate the demonstration of actual deception or demonstrable consumer harm. The focus is on the potential for deception, a considerably less demanding evidentiary burden for the prosecuting authority.

Enumerated Prohibited Acts and Attorney General Enforcement Powers

The DTPA meticulously enumerates specific acts deemed false, misleading, or deceptive within Section 17.46(b). These prohibitions are not exhaustive, meaning the scope of enforcement extends beyond this list. Examples of such prohibited acts include:

  • Misrepresenting the source, sponsorship, approval, or certification of goods or services.
  • Misrepresenting affiliations, connections, or associations with another entity.
  • Misrepresenting the characteristics, uses, benefits, quantities, or qualities of goods or services.
  • Making false or misleading statements of fact concerning the reasons for, existence of, or amounts of price reductions.
  • Advertising goods or services with the intent not to sell them as advertised.
  • Representing that goods or services have sponsorship, approval, characteristics, ingredients, uses, benefits, or quantities that they do not have.
  • Disparaging the goods, services, or business of another by false or misleading representation of fact.
  • Advertising or engaging in conduct that creates a likelihood of confusion or of misunderstanding.

The consumer protection division of the Texas Attorney General’s office is empowered by DTPA Section 17.47 to initiate enforcement actions whenever it "has reason to believe that any person is engaging in, has engaged in, or is about to engage in any act or practice declared to be unlawful" and when "proceedings would be in the public interest." Crucially, the state is not obligated to allege any actual injury to consumers to bring such actions or to seek civil penalties. This empowers the AG’s office to act proactively to prevent potential harm.

Significant Remedies and Penalties Under the DTPA

Enforcement actions brought under the DTPA can result in substantial remedies and penalties designed to deter future misconduct. These include:

  • Injunctive relief: Court orders compelling a company to cease specific deceptive practices.
  • Civil penalties: Fines that can reach up to $10,000 per violation for conduct that occurred before September 1, 2019, and up to $20,000 per violation for conduct occurring on or after that date. For violations involving conduct directed toward individuals aged 65 or older, these penalties are doubled.
  • Restitution for consumers: Requiring companies to compensate consumers for losses incurred due to deceptive practices.
  • Attorneys’ fees and costs: Reimbursement of legal expenses incurred by the state in pursuing the action.

In determining the appropriate penalty amounts, the trier of fact is mandated to consider several factors: the seriousness of the violation, the defendant’s history of previous violations, the amount necessary to deter future violations, the economic impact on the defendant, the defendant’s knowledge of the illegality of their actions, and any other relevant matter that justice may require. This framework allows for tailored penalties that reflect the severity and context of the offense.

Expanding Scope: DTPA as a Tool for National Security and Data Privacy Concerns

The recent wave of lawsuits signifies a deliberate expansion of the DTPA’s application, with the Texas Attorney General leveraging it as a potent instrument to address issues traditionally falling under national security and data privacy umbrellas. This strategic move extends the statute’s reach far beyond its conventional consumer protection mandate. Businesses must remain acutely aware that the Attorney General’s office may now scrutinize practices involving:

  • Supply chain integrity and country-of-origin claims: Misrepresenting the origin or manufacturing location of products or components, particularly when those origins are linked to entities under scrutiny by the U.S. government.
  • Data privacy and security representations: Making unsubstantiated claims about the security, privacy, or protection of consumer data, especially when such data may be subject to foreign government access or surveillance.
  • Affiliations with foreign entities: Failing to disclose material connections or affiliations with foreign governments or state-controlled enterprises, particularly when these affiliations could influence product design, data handling, or operational integrity.
  • Foreign government access risks: Not adequately informing consumers about potential risks of their data being accessed by foreign governments due to the company’s operational structure or the jurisdictions in which it operates.

Responding to legal inquiries from the Attorney General’s office can be an arduous and costly undertaking. The spectrum of enforcement options, ranging from substantial fines per violation to broad injunctive relief, means that not only can investigations disrupt business operations, but significant financial penalties can follow.

Heightened Disclosure Obligations: A Call for Transparency

These recent lawsuits underscore a critical point: the failure to disclose material information can, in itself, constitute a DTPA violation. Businesses are now under intense pressure to meticulously consider what information consumers would reasonably deem material to their purchasing decisions. This includes, but is not limited to:

  • Country of origin: Clearly and accurately disclosing where products are manufactured and where key components are sourced.
  • Data handling practices: Transparently outlining how consumer data is collected, used, stored, and shared, including any potential cross-border transfers.
  • Foreign government access risks: Informing consumers about any potential for foreign governments to access their data based on the company’s operational footprint or affiliations.
  • Supply chain vulnerabilities: Disclosing known vulnerabilities or risks within the supply chain that could impact product safety, security, or reliability.

Furthermore, broad marketing claims regarding product safety, security, and privacy are facing unprecedented scrutiny. Companies that market their products as "secure," "private," or "safe" while possessing knowledge of inherent vulnerabilities or risks associated with foreign government access face significant legal exposure. Such representations, if not fully substantiated and qualified, can be deemed deceptive under the DTPA.

Recommended Compliance Steps for Businesses

In light of the allegations in these lawsuits and the expansive requirements of the DTPA, businesses should implement a robust suite of compliance measures. These proactive steps are crucial for mitigating the risk of enforcement actions and their attendant penalties:

Review and Audit Supply Chain Disclosures

A thorough review of existing supply chains is paramount. Companies must ensure that all marketing materials, product labels, and website disclosures accurately reflect the true origin of products and the sourcing of components. Particular attention should be paid to country-of-origin claims, verifying compliance with both federal labeling requirements and state consumer protection laws. This audit should extend to identifying any entities within the supply chain that are subject to U.S. government sanctions or restrictions.

Assess Foreign Government Access Risks

Businesses that collect consumer data must undertake a rigorous evaluation of whether any applicable foreign laws could compel the disclosure of that data to foreign governments. This analysis may require a close examination of subsidiaries, affiliates, and even third-party vendors with operations or data processing capabilities in jurisdictions with such legal frameworks, particularly China. If such disclosure laws are found to apply, companies should consider clear and conspicuous disclosure of this risk to their consumers.

Review Privacy Policies and Consent Mechanisms

Privacy policies must be meticulously crafted to clearly and specifically disclose all data collection practices. This includes detailing the types of data collected, the precise ways in which data is used, and with whom data may be shared. Vague, incomplete, or misleading disclosures are highly susceptible to being classified as deceptive under the DTPA. Furthermore, ensuring that consent mechanisms are robust and genuinely inform consumers about data practices is essential.

Substantiate Marketing Claims

All claims related to product safety, security, and privacy must be rigorously substantiated and factually accurate. Companies should refrain from making absolute claims, such as "100% secure," unless they possess irrefutable evidence to support such representations. Any marketing statements should be grounded in verifiable data and consistent with the product’s actual capabilities and limitations.

Monitor Government Restriction Lists

Businesses must actively monitor federal and state restriction lists. This includes staying abreast of Texas’s prohibited technologies list, the U.S. Department of Commerce’s Entity List, and designations by the Department of Defense. Any relationships or dealings with entities appearing on these lists can trigger heightened disclosure obligations and significantly increase enforcement risk.

Implement Vulnerability Management Processes

Establishing and maintaining robust processes for identifying, disclosing, and remediating security vulnerabilities is critical. Failing to disclose known vulnerabilities while simultaneously marketing products as secure can constitute a DTPA violation. This measure is particularly vital for government contractors or companies supplying government contractors, due to overlapping exposure under the False Claims Act for misrepresentations related to cybersecurity.

Review Corporate Structure and Affiliations

For companies that have undergone restructuring to separate U.S. operations from foreign affiliates, it is imperative to ensure that marketing materials and corporate representations accurately reflect ongoing relationships, shared resources, and any continued affiliations. Any attempt to obscure or misrepresent these connections can be viewed as deceptive.

Conclusion

The Texas Attorney General’s coordinated enforcement actions represent a potent and strategic deployment of the Deceptive Trade Practices Act. This initiative demonstrates a clear willingness to aggressively pursue companies with alleged Chinese connections, with a particular focus on product representations, supply chain disclosures, cybersecurity risks, and data privacy practices. Businesses operating within Texas, especially those in the technology, consumer electronics, and e-commerce sectors, must undertake a thorough and critical evaluation of their current practices, marketing claims, and disclosure obligations in light of these significant developments. By implementing proactive and comprehensive compliance measures, companies can significantly mitigate the risk of enforcement actions that carry substantial civil penalties and far-reaching injunctive remedies. The evolving regulatory landscape demands vigilance and a commitment to transparency to navigate these complex legal challenges effectively.

By admin
