Texas Is Using Consumer Protection Law to Police Chinese Supply Chain Ties

The Texas attorney general’s office has filed a coordinated series of enforcement actions under the Texas Deceptive Trade Practices Act (DTPA) targeting companies with alleged connections to China and the Chinese Communist Party (CCP). These lawsuits signal an aggressive new enforcement posture that has significant implications for businesses operating in Texas, particularly those with international supply chains, technology products or data collection practices.  

The recent lawsuits

In mid-February 2026, the Texas attorney general filed multiple lawsuits in rapid succession against companies with alleged ties to China, seeking injunctive relief, civil penalties and other remedies, including:

• A networking devices and routers business: Sued for allegedly misrepresenting the origin of its products as “Made in Vietnam” when components are largely sourced from China and for failing to disclose cybersecurity vulnerabilities and Chinese affiliations.
• A drone business: Sued for allegedly selling rebranded Chinese-manufactured drones while misrepresenting that its products are independent from a Chinese drone manufacturer and free from national security concerns.
• A home and commercial security business: Sued for allegedly representing its products as safe, private and secure while concealing that they contain components from a designated Chinese military company with documented security vulnerabilities.

Common allegations

Each lawsuit alleges multiple violations of the DTPA, but several common themes emerge:

• False or misleading representations about product characteristics: The lawsuits allege that the defendants misrepresented the safety, security and privacy of their products when allegedly they contained components from a Chinese military company with significant security vulnerabilities.
• Failure to disclose material information: Certain actions also allege companies did not disclose critical information about their products, including connections to Chinese companies subject to US government restrictions, exposure of consumer data to potential access by the Chinese government and known security vulnerabilities.
• Purported misrepresentations regarding country of origin: Certain of the lawsuits indicate that Texas may intend to examine country-of-origin product labeling, although it is not presently clear how this aspect of the potential actions would address federal country-of-origin marking statutes and regulations administered by US Customs and Border Protection.
• Deceptive privacy and data collection practices: The lawsuits allege that defendants’ privacy policies are vague and fail to disclose that Chinese law may require the companies to share consumer data with People’s Republic of China (PRC) intelligence agencies.

Overview of the Texas Deceptive Trade Practices Act (DTPA)

The DTPA, codified at Texas Business & Commerce Code §§ 17.41-17.63, is a broad consumer protection statute that declares unlawful any “[f]alse, misleading, or deceptive acts or practices in the conduct of any trade or commerce.” The statute is to be “liberally construed and applied to promote its underlying purposes, which are to protect consumers against false, misleading and deceptive business practices, unconscionable actions, and breaches of warranty.”

Importantly, under the DTPA, “an act is false, misleading, or deceptive if it has the capacity to deceive an ignorant, unthinking or credulous person.” This is a low threshold that does not require proof of actual deception or actual consumer harm.

Specific prohibited acts

The DTPA enumerates specific false, misleading or deceptive acts in Section 17.46(b), including but not limited to:

• Representing that goods or services have sponsorship, approval, characteristics, ingredients, uses, benefits or quantities which they do not have.
• Representing that goods or services are of a particular standard, quality or grade, or that goods are of a particular style or model, if they are of another.
• Using deceptive representations or designations of geographic origin in connection with goods or services.
• Failing to disclose information concerning goods or services which was known at the time of the transaction if such failure was intended to induce the consumer into a transaction into which the consumer would not have entered had the information been disclosed.

The list of deceptive acts in Section 17.46(b) is non-exhaustive, meaning enforcement is not limited to these enumerated practices.

Enforcement by the attorney general

The consumer protection division of the Texas attorney general’s office has authority to bring enforcement actions under DTPA Section 17.47 whenever it “has reason to believe that any person is engaging in, has engaged in, or is about to engage in any act or practice declared to be unlawful” and “proceedings would be in the public interest.” Critically, the state is not required to allege actual injury to consumers to bring enforcement actions or seek civil penalties.

Available remedies and penalties

The DTPA provides for significant remedies in enforcement actions:

• Civil penalties: The state may recover up to $10,000 per violation of the DTPA. If the violation was calculated to acquire or deprive money or property from a consumer who was 65 years or older, an additional penalty of up to $250,000 per violation may be assessed.
• Injunctive relief: Courts may issue temporary restraining orders, temporary injunctions and permanent injunctions to restrain ongoing violations.
• Restitution: Courts may make additional orders necessary to compensate identifiable persons for actual damages or to restore money or property acquired through unlawful practices.
• Attorneys’ fees and costs: The state may recover attorneys’ fees and costs for the prosecution and investigation of actions.

In determining penalty amounts, the trier of fact must consider: (1) the seriousness of the violation; (2) the history of previous violations; (3) the amount necessary to deter future violations; (4) the economic effect on the defendant; (5) knowledge of the illegality; and (6) any other matter that justice may require.

Data Privacy

EU Data Act: Time for a Reality Check

by Zach Judge-Raza and Jamie Elbert

March 17, 2026

New rules could spark compliance tension: share too much personal data run afoul of GDPR, share too little and face Data Act enforcement

Read moreDetails

Expanding scope of DTPA enforcement

The recent lawsuits demonstrate that the Texas attorney general is using the DTPA as a tool to address national security and data privacy concerns, extending the statute’s reach beyond traditional consumer protection matters. Businesses should be aware that the attorney general may scrutinize practices involving:

• Products with components allegedly sourced from or manufactured in countries considered national security risks, particularly China.
• Technology products with known or potential cybersecurity vulnerabilities.
• Apps and platforms that collect consumer data, especially when data may be subject to foreign government access.
• Products or companies included on Texas’ prohibited technologies list or federal restriction lists.

Responding to legal inquiries from the office of the attorney general (OAG) can be a costly and time-consuming endeavor. Enforcement options ranging from fines based on each violation to injunctive relief, means that not only can OAG disrupt business with an investigation, but steep penalties can follow.

Heightened disclosure obligations

These recent lawsuits emphasize that failure to disclose material information can constitute a DTPA violation. Businesses must carefully consider what information consumers would consider material to their purchasing decisions, including:

• Supply chain relationships and component sourcing.
• Affiliations with foreign companies or governments.
• Applicable foreign laws that may require data sharing with foreign governments.
• Known security vulnerabilities or cybersecurity risks.

Further, broad marketing claims about product safety, security, privacy and supply chains are being scrutinized closely. Companies that market products as “secure,” “private” or “safe” while knowing of vulnerabilities or foreign government access risks face significant exposure.

Recommended compliance steps

Based on the allegations in these lawsuits and the DTPA’s requirements, businesses should consider the following compliance measures:

Review and audit supply chain disclosures

Companies should conduct thorough reviews of their supply chains and ensure that marketing materials, product labels and website disclosures accurately reflect where products are manufactured and where components are sourced. Pay particular attention to country-of-origin claims and ensure compliance with both federal labeling requirements and state consumer protection laws.

Assess foreign government access risks

Businesses that collect consumer data should evaluate whether any applicable foreign laws could compel disclosure of consumer data to foreign governments. This may involve a close look at subsidiaries, affiliates and potentially even vendors with a presence in China. If such disclosure laws apply, companies should consider disclosing this risk clearly and conspicuously to consumers.

Review privacy policies and consent mechanisms

Privacy policies should clearly and specifically disclose all data collection practices, including the types of data collected, how data is used and with whom data may be shared. Vague or incomplete disclosures may be viewed as deceptive under the DTPA.

Substantiate marketing claims

All claims about product safety, security and privacy should be substantiated and accurate. Companies should avoid absolute claims (e.g., “100% secure”) unless they can demonstrate the accuracy of such representations.

Monitor government restriction lists

Businesses should monitor federal and state restriction lists, including Texas’ prohibited technologies list, the Commerce Department’s entity list and Department of Defense designations. Relationships with listed entities create heightened disclosure obligations and enforcement risk.

Implement vulnerability management processes

Companies should establish robust processes for identifying, disclosing and remediating security vulnerabilities. Failure to disclose known vulnerabilities while marketing products as secure may constitute a DTPA violation. This step is especially important for any businesses that are government contractors or supply government contractors because of overlapping exposure under the False Claims Act for misrepresentations related to cybersecurity.

Review corporate structure and affiliations

Companies that have restructured to separate US operations from foreign affiliates should ensure that marketing materials and corporate representations accurately reflect ongoing relationships, shared resources and continued affiliations.

Conclusion

The Texas attorney general’s coordinated enforcement actions demonstrate a willingness to use the DTPA aggressively against companies with alleged Chinese connections, focusing on product representations, supply chain disclosures, cybersecurity risks and data privacy practices. Businesses operating in Texas — particularly those in the technology, consumer electronics and e-commerce sectors — should carefully evaluate their current practices, marketing claims and disclosure obligations in light of these developments. Proactive compliance measures can help mitigate the risk of enforcement actions carrying significant civil penalties and injunctive remedies.

This article was adapted from material first published by King & Spalding. It is republished here with permission.