Texas AG Paxton Sues Meta Over WhatsApp Encryption Claims | DTPA Lawsuit May 2026

Texas Attorney General Ken Paxton filed a landmark lawsuit on Thursday, May 21, 2026, accusing Meta Platforms Inc. and WhatsApp LLC of systematically deceiving millions of Texans about the privacy of their messages. The complaint was filed in Harrison County state district court under the Texas Deceptive Trade Practices Act (DTPA) and targets WhatsApp's signature marketing claim: that its end-to-end encryption ensures "not even WhatsApp" can read user conversations.

The filing is the latest escalation in Texas's running campaign against big technology companies and arrives one day after the AG's office announced a separate facial-recognition data probe targeting Meta's Ray-Ban smart glasses product line. For context on Meta's broader legal exposure in 2026, see our coverage of Meta's double child-safety verdicts and the Instagram encrypted DMs reversal.

What the Lawsuit Actually Alleges | The Gap Between Marketing and Operations

The state's case does not challenge the mathematical strength of the Signal Protocol, the open-source cryptographic system that powers WhatsApp's encryption. Instead, Paxton's petition targets the gap between what the company promises in marketing and what it allegedly does in practice.

Three specific operational claims form the core of the complaint:

• Internal task system: The petition alleges that Meta personnel and third-party contractors can pull and view specific message content after it has been sent using an internal "task" access workflow that bypasses the encryption layer applied to messages in transit.
• The Commerce Department memo: The lawsuit relies heavily on a leaked internal memo from a federal Commerce Department investigation that was abruptly closed earlier this year. That memo alleged there was "no limit" to the types of WhatsApp communications Meta could access internally.
• Abuse-reporting cleartext: When a user flags or reports a conversation inside WhatsApp, the recent message history is forwarded to Meta in cleartext for review. Legal analysts note this workflow directly contradicts the absolute claim that nobody outside the conversation can view message content, because the report-and-flag pipeline sends that content in readable form to Meta's trust-and-safety teams.^[1]

DTPA Penalty Math | Billions in Theoretical Exposure

WhatsApp has approximately 4.5 to 5 million active users in Texas. The DTPA allows the state to seek civil penalties of up to $10,000 per violation. Applying that figure to every affected account would produce theoretical exposure in the range of $45 to $50 billion, though courts routinely reduce aggregate DTPA penalties to the actual damage demonstrated. Paxton is not seeking that full figure in the petition, but naming the per-violation maximum gives the state significant settlement leverage.

Beyond fines, Paxton is seeking a permanent injunction that would legally block Meta from viewing users' messages without explicit, transaction-by-transaction consent and force the company to alter its marketing language within Texas borders. That injunction, if granted, would be the most operationally disruptive outcome for Meta, requiring product changes that would ripple across its global privacy architecture.^[2]

Meta's Defense | "Categorically False"

WhatsApp cannot access people's encrypted communications and any suggestion to the contrary is false. We will fight this suit as we continue defending our strong record on protecting people's messages.

, Rachel Holland, Meta Spokesperson

Meta's statement mirrors the defense it deployed against a similar federal class-action lawsuit filed in California in January 2026. The company's position rests on third-party audits of the Signal Protocol implementation and the absence of any verified backdoor discovered by independent security researchers in the open-source codebase.

Multiple cryptographers contacted by security trade press have urged caution on the technical claims in Paxton's complaint, noting that the abuse-reporting workflow is disclosed in WhatsApp's privacy policy and that its existence is not hidden. The legal question, however, is whether WhatsApp's broad advertising language constitutes a deceptive trade practice regardless of what the fine-print policy discloses, which is the DTPA argument the state appears designed to win.

Paxton's 48-Hour Big Tech Blitz | Three Actions, One Pattern

The WhatsApp lawsuit did not arrive in isolation. Over a 48-hour window ending May 21, the AG's office executed a three-part coordinated campaign:

• May 19: Lawsuit filed against a DFW roofing company for consumer data misuse (smaller in scale, signals the DTPA enforcement apparatus is operational).
• May 20: Formal investigation launched into Meta's Ray-Ban smart glasses program, alleging the product collects and processes facial recognition data from bystanders without consent in violation of Texas's Capture or Use of Biometric Identifier statute.
• May 21: This WhatsApp filing, the largest of the three by potential penalty scale.

The sequencing appears deliberate. Filing three actions in 48 hours creates a media narrative of systematic enforcement rather than isolated legal posturing, which is tactically useful both for political signaling and for building a record ahead of settlement talks with Meta.

Why This Matters | The Biometric Settlement Precedent

The $1.4 billion settlement Meta paid Texas in 2024, resolving claims under the state's biometric privacy statute over Facebook's old facial-recognition feature, is the most important precedent in this case. That settlement was the largest privacy-law payout ever secured by a single state attorney general at the time. Paxton is explicitly signaling he will use the same litigation posture here: file aggressively, invoke maximum per-violation penalties, and force a settlement rather than litigating technical merits through trial.

The key difference is that the biometric case had a clear, discoverable dataset, namely Facebook's face-template database. The WhatsApp case requires Paxton to prove internal access actually occurred at scale, which will likely turn on whether discovery surfaces internal Meta documentation about the task system described in the petition. The leaked Commerce Department memo, if authenticated, could serve that purpose.