Key Takeaways
- Texas’ new law governing artificial intelligence, which takes effect at the start of 2026, introduces both familiar and novel regulations on the use of AI by companies and government entities.
- Provisions of TRAIGA include prohibiting certain uses of AI, requiring disclosures in healthcare settings, creating an AI regulatory “sandbox,” and more.
- TRAIGA also creates new exemptions to Texas’ preexisting biometrics law for certain AI use cases.
- Failure to comply with TRAIGA can carry steep financial penalties, so covered entities should act now to assess their obligations and prepare for compliance.
Overview
Recently signed into law, HB 149, the Texas Responsible Artificial Intelligence Governance Act (TRAIGA) goes into effect January 1, 2026. TRAIGA imposes new requirements on companies and government entities that use “artificial intelligence systems” for biometrics, healthcare, manipulation of human behavior, social scoring, discrimination, and explicit content. Although some of TRAIGA’s provisions are similar to facets of AI laws recently enacted in other states (e.g., Utah, Colorado, and California), other provisions appear to reflect a novel approach to AI-related issues.
Key Provisions
Narrows scope of Texas biometrics law. TRAIGA introduces important carve-outs to Texas’ preexisting Capture or Use of Biometric Identifier law (CUBI), one of the strictest biometric privacy laws in the country. Most critically, TRAIGA introduces exemptions to CUBI for (1) developing and deploying AI systems that are not used to uniquely identify individuals and (2) developing and deploying AI systems used to prevent or respond to security incidents, identity theft, fraud, harassment, or other illegal activity.
The law also clarifies that an individual will not be deemed to have consented to biometric collection merely because an image or other media containing their biometric identifiers is publicly available online, unless the individual themselves made the image or media publicly available. The precise contours of this provision are not yet clear, as the statute does not define what would constitute an individual making an image “publicly available.”
- Prohibits certain uses of AI systems.TRAIGA also prohibits any “person” from developing or deploying AI systems for the following purposes:
- With the intent to manipulate human behavior in a manner that is intentionally aimed at inciting or encouraging (1) self-harm, (2) harm to another person, or (3) criminal activity
- With the intent to discriminate against protected classes in violation of state or federal civil rights laws, but this is subject to certain exceptions and disparate impact is not itself sufficient to demonstrate an intent to discriminate
- With the “sole intent” of producing (or assisting/aiding in producing) or distributing visual child sexual abuse material or certain sexually explicit content
- With the “sole intent” for the system to “infringe, restrict, or otherwise impair an individual’s rights guaranteed under the United States Constitution.” Time will tell how the Texas attorney general (AG) intends to interpret and enforce this interesting new prohibition. But recent press releases from the AG’s office about the Texas social media law and its investigation into DeepSeek suggest the office could seek to use TRAIGA to bolster the state’s fight against perceived censorship.
- Requires disclosure of AI in healthcare treatment.TRAIGA requires providers of healthcare services or treatments to clearly and conspicuously disclose their use of AI systems in certain contexts.
- Regulates governmental entities’ use of AI systems. The law also introduces a host of requirements for the use of AI systems by Texas governmental entities, including (1) requiring governmental agencies to disclose to consumers when consumers are interacting with an AI system, (2) prohibiting governmental entities from developing or deploying AI systems that engage in so-called “social scoring” (i.e., classifying individuals by behavior or personal characteristics) in specific contexts, and (3) prohibiting governmental entities from developing or deploying AI systems to uniquely identify individuals (and from collecting images from publicly available sources without consent if such collection would infringe on constitutional or legal rights).
- Offers a regulatory development sandbox/safe harbor and creates an AI council. The law creates the framework for a regulatory “sandbox,” which will authorize companies to test innovative AI systems within the state subject to certain limitations. Participants in this program will be protected from certain types of prosecution and be exempt from various licensing requirements for a limited period. TRAIGA also creates a Texas Artificial Intelligence Advisory Council with authority to issue reports to the legislature and to educate state agencies and local governments on AI-related issues.
Enforcement Authority
TRAIGA does not include a private right of action. Instead, the Texas AG has exclusive enforcement authority, except as to some licensing agencies. Some violations of the law are subject to a 60-day cure period, and civil penalties range from $10,000 to $200,000 per violation, depending in part on whether the violation is determined to be “curable,” or $2,000 to $40,000 per day for a continued violation.
How To Prepare
In the six months remaining before TRAIGA goes into effect, companies should evaluate whether they have developed or deployed systems that may fall within TRAIGA’s scope. Given the Texas AG’s increasing activity in privacy protection and litigation, as well as the alignment between the law’s more novel provisions and some of the AG’s announced special initiatives, TRAIGA presents a regulatory framework justifying close legal review for compliance.
