TRAIGA Is Six Months Old. No Enforcement Actions — But the Machinery Is Being Built.

Six months after TRAIGA took effect, there are no publicly reported enforcement actions. But quiet is not the same as dormant.

The Texas Attorney General’s office has been building its TRAIGA enforcement infrastructure since the law was signed in June 2025 — staffing up, developing technical capacity, and training state agency personnel on disclosure obligations. The statute requires the AG’s public complaint portal to be live by September 1, 2026 — and it may already be accepting complaints — meaning the quiet period may be short.

How enforcement actually works

The path from consumer grievance to civil penalty has five steps.

A consumer files a complaint through the AG’s online portal. The AG may then issue a civil investigative demand (CID) — requiring the company to hand over AI system descriptions, training data categories, performance metrics, known limitations, and post-deployment monitoring records. If the AG finds a violation, the entity receives a notice and a 60-day window to cure it and submit a written explanation.

If that cure period closes without resolution, the AG seeks civil penalties in court.

One catch: Norton Rose Fulbright attorneys Marc Collier and Ethan Glenn noted in March 2026 that 60 days “may be insufficient time to ‘cure’ a violation of TRAIGA, particularly because a ‘cure’ might mean that the party must substantially modify an AI system.” In practice, a notice of violation can function as a cease-and-desist.

The penalty tiers

TRAIGA’s civil penalties are tiered, not flat. Curable violations carry $10,000–$12,000 per violation. Uncurable violations jump to $80,000–$200,000. Continuing violations accrue at $2,000–$40,000 per day.

What separates curable from uncurable is not yet settled. The statute doesn’t define the distinction; Norton Rose Fulbright expects it to be “developed by experts, the courts and the resulting common law.” That uncertainty cuts both ways: companies have less guidance, but so does the AG.

Paxton’s pre-TRAIGA track record

AG Ken Paxton is not new to AI-adjacent enforcement. In 2024, his office launched investigations into Character.AI, Reddit, Instagram, and Discord over children’s privacy and safety concerns, and created a specialized data privacy enforcement team.

That track record suggests the office has the appetite and the infrastructure to act. Whether TRAIGA enforcement begins with a high-profile target or a quieter CID to a lesser-known company is unknowable — but the complaint portal opening this fall will give consumers a direct channel to the AG’s desk.

DIR rulemaking under TRAIGA remains still-developing; no formal agency guidance has been confirmed as published.

Frequently asked questions

Can the Texas AG bring a TRAIGA enforcement action against a company for an AI system it is still testing and has not launched?

No. TRAIGA explicitly prohibits the AG from bringing a civil penalty action for an AI system that has not yet been deployed. Under Tex. Bus. & Comm. Code § 552.105(f), enforcement reach begins at deployment — pre-launch development and testing are outside the AG’s penalty authority.

What is a Civil Investigative Demand under TRAIGA, and how does it differ from a formal lawsuit?

A CID is an investigative tool the AG can use before filing any court action. Under Tex. Bus. & Comm. Code § 552.103, it can compel a company to hand over AI system descriptions, training data categories, inputs and outputs, performance metrics, known limitations, post-deployment monitoring records, and user safeguard measures — plus any other documentation the AG deems reasonably necessary. A CID is not itself a penalty; it is the information-gathering step that precedes a notice of violation and, ultimately, civil litigation.