Texas enacts broad artificial intelligence regulations
On June 22, 2025, Texas Governor Greg Abbott signed into law the Texas Responsible Artificial Intelligence Governance Act (TRAIGA), making Texas the fourth U.S. state to enact broad-based artificial intelligence (AI) legislation. Effective January 1, 2026, the law establishes a regulatory framework for the development and deployment of AI systems in private and public sectors, and will have a significant impact on companies doing business in or with Texas.
Key takeaways:
- TRAIGA applies to AI developers and deployers, similar to the EU AI Act.
- TRAIGA includes a list of prohibited uses of AI.
- The enforcement provision includes a notice and cure mechanism.
- TRAIGA provides for statutory penalties and fines, including additional fines for licensees of state agencies.
- TRAIGA includes certain safe harbors, most notably compliance with NIST’s AI Risk Management Framework.
- While there is no private right of action, the Texas Attorney General has actively enforced other state laws with significant financial impact on the businesses involved.
Summary:
Similar to the EU AI Act, TRAIGA applies to AI “developers” and “deployers.” TRAIGA also prohibits development or use of AI systems that: (1) intentionally are designed to manipulate behavior in a manner that causes physical harm to self or another or to engage in criminal activity, (2) unlawfully discriminate against a protected class of persons, (3) create or distribute sexually explicit content, such as child pornography or deepfakes of such content, and (4) infringe the Constitutional rights of others. TRAIGA is to be broadly construed and applied to promote TRAIGA’s underlying purposes, which include facilitating responsible development of AI.
Intersection with privacy laws:
Importantly, TRAIGA addresses certain situations in which business may develop or deploy AI systems in a way that implicates Texas’ biometric privacy law, Capture or Use of Biometric Identifier Act (CUBI), or Texas’ comprehensive privacy law, the Texas Data Privacy and Security Act (TDPSA). Specifically, TRAIGA provides for exemptions to CUBI related to the training and development of AI systems and during the development or deployment of AI systems to detect fraud or other illegal activities. As to TDPSA, TRAIGA creates an obligation for data processors to assist controllers meet their TDPSA requirements related to personal data.
Enforcement:
While there is no private right of action, businesses should be aware that the Texas Attorney General has been actively enforcing similar regulations, including a $1.375B settlement with Google and recent lawsuit against AllState for alleged violations of the state’s privacy law, and a $1.4B settlement with Meta for alleged violation of the state’s biometric data privacy law.
TRAIGA provides the Texas Attorney General with exclusive enforcement rights. Consumers may submit complaints to the Attorney General’s office. Penalties in the law are:
- $10,000 to $12,000 per violation for curable violations;
- $80,000 - $200,000 for uncurable violations; and
- $2,000 - $40,000 per day for a continuing violation.
The Attorney General may also seek injunctive relief and attorney and investigative fees and costs. It is unclear how violations accrue.
Additionally, the law empowers state agencies to fine licensees up $100,000, and revoke or suspend operating licenses if a licensee is found liable for TRAIGA violations.
TRAIGA’s enforcement mechanism is subject to a statutory 60-day notice and opportunity to cure. The law also includes safe harbor provisions, most notably compliance with NIST’s AI Risk Management Framework or similar.
If you have any questions regarding the content of this post, reach out to the attorneys in McDonald Hopkins' Data Privacy and Cybersecurity Practice Group.
Attorney Tanjeet Dhillon assisted in the writing of this article.
