Subodh KCSubodh KC/systems
let's talk →
Plain-English Legal Guide

Does the Texas AI Law
Apply to My Business?

A plain-English TRAIGA guide for small and midsize businesses — applicability checker, disclosure rules, penalties, examples, and final-law-vs-draft matrix.

By Subodh KC · July 15, 2026 · 30 min read

Last legally reviewed: July 15, 2026

Law reviewed: Texas Business & Commerce Code Chapters 551\u2013554, enacted through HB 149

Effective date: January 1, 2026

Educational notice: This guide explains the statute in practical terms. Applicability can depend on facts, contracts, industry rules, and other federal or state laws. It is not a substitute for legal advice.

Table of Contents

Synopsis

The Texas Responsible Artificial Intelligence Governance Act (TRAIGA), enacted through HB 149 and effective January 1, 2026, can apply to businesses of any size — but it is narrower than most commentary suggests. There is no small-business exemption, no general registration requirement, no mandatory impact assessment, and no universal private-chatbot disclosure rule. The law targets specific prohibited conduct (harm, crime, discrimination, illegal content), healthcare AI disclosure, biometric compliance, and Attorney General enforcement with a 60-day cure period. This guide explains what the final statute actually says, what it does not say, and what small and midsize businesses should do about it.

Texas-based businessesOut-of-state companies serving TexasHealthcare practices using AIEmployers using AI hiring toolsSaaS companies selling AI in TexasAny business using AI chatbots

For the full statutory compliance guide with section-by-section analysis, see the Texas AI Law (TRAIGA / HB 149) Compliance Guide.

The Direct Answer

The Texas Responsible Artificial Intelligence Governance Act, commonly called TRAIGA, can apply to businesses of any size.

The final law does not contain an express small-business exemption or minimum revenue threshold. Its scope includes persons conducting business in Texas, producing products or services used by Texas residents, or developing or deploying an AI system in Texas.

That does not mean every small business using ChatGPT, an AI receptionist, or an automated marketing tool must register its AI, conduct an annual impact assessment, or disclose every chatbot.

The final law is broad in potential reach but comparatively narrow in the commercial conduct it directly regulates.

For most private businesses, TRAIGA focuses on:

  • Intentional encouragement of self-harm, harm to others, or crime
  • Intentional unlawful discrimination
  • AI intended to impair federal constitutional rights
  • Certain illegal sexual, deepfake, and child-related content
  • Healthcare AI disclosure
  • Biometric-data compliance
  • Documentation that may be requested during an Attorney General investigation

The practical rule: Do not ask only, “Does my company use AI?” Ask, “What is the AI doing, whose data does it use, who may be affected, and which decisions or actions can it influence?”

Texas AI Law at a Glance

QuestionPlain-English answer
What is the law called?Texas Responsible Artificial Intelligence Governance Act, or TRAIGA
Which bill enacted it?House Bill 149
When did it take effect?January 1, 2026
Can it apply to small businesses?Yes. The final text contains no express small-business exemption
Does every private chatbot require disclosure?No, not under TRAIGA as a general rule
Is healthcare AI disclosure required?Yes, when AI is used in relation to healthcare services or treatment
Are annual AI impact assessments generally required?No
Does Texas classify private systems as “high-risk AI”?Not under the final TRAIGA framework
Can consumers sue directly under TRAIGA?No. TRAIGA creates no private right of action
Who enforces it?The Texas Attorney General, with limited additional sanctions by licensing agencies
Is there a cure period?Generally, 60 days after written notice
Maximum stated penalty for an uncurable violation?$200,000 for each violation
Can continuing violations create daily penalties?Yes, up to $40,000 per day

The Texas Legislature lists January 1, 2026, as the effective date, and the Attorney General\u2019s current guidance identifies the prohibited practices, disclosure requirements, penalties, and complaint mechanism.

What Counts as an AI System Under Texas Law?

TRAIGA defines an AI system as a machine-based system that infers from its inputs how to generate outputs\u2014including content, decisions, predictions, or recommendations\u2014that can influence physical or virtual environments.

That definition can include more than generative chatbots.

Likely examples

  • AI website chatbot
  • AI phone receptionist
  • Resume-ranking system
  • Predictive fraud model
  • Recommendation engine
  • Generative image or video tool
  • Clinical decision-support system
  • Customer-scoring model
  • Automated content generator
  • Facial or voice identification system
  • Agent that calls APIs or performs business actions
  • AI system that recommends prices, treatments, products, or decisions

Systems that may not qualify

Ordinary deterministic software may fall outside the definition when it follows fixed rules without inferring how to generate decisions, predictions, recommendations, or content.

  • Basic calculator
  • Static decision tree
  • Traditional form validation
  • Fixed “if–then” workflow
  • Standard database lookup
  • Non-adaptive scheduling rules

The distinction is not whether a vendor markets a product as “AI.” The question is how the system actually produces its outputs.

Does TRAIGA Apply to Out-of-State Businesses?

Potentially.

The statute is not limited to companies incorporated or headquartered in Texas. It reaches a person who:

  1. Promotes, advertises, or conducts business in Texas;
  2. Produces a product or service used by Texas residents; or
  3. Develops or deploys an AI system in Texas.

An out-of-state SaaS company selling an AI product to Texas customers may therefore fall within the statutory scope.

The next question is whether a particular TRAIGA duty or prohibition is triggered.

Being within the law\u2019s scope does not mean every provision applies to every system.

Quick TRAIGA Applicability Checker

This checker provides a preliminary classification. It is designed to identify issues requiring further review, not to provide a legal conclusion.

1
2
3
4
5

Quick TRAIGA Applicability Checker

This checker provides a preliminary classification. It is designed to identify issues requiring further review, not to provide a legal conclusion.

Educational notice: Applicability can depend on facts, contracts, industry rules, and other federal or state laws. This is not a substitute for legal advice.

What Private Businesses Actually Need to Watch

1. AI designed to encourage harm or criminal activity

A person may not develop or deploy an AI system in a manner that intentionally aims to encourage physical self-harm (including suicide), harm to another person, or criminal activity.

Example

A general customer-support assistant is not prohibited merely because a user asks a harmful question. The concern is whether the system is intentionally designed or deployed to encourage that conduct.

Practical control: test whether the system gives actionable self-harm instructions, encourages violence, assists criminal planning, escalates vulnerable users toward harmful conduct, or uses manipulative engagement to prolong harmful conversations.

2. Intentional unlawful discrimination

TRAIGA prohibits developing or deploying an AI system with the intent to unlawfully discriminate against a protected class. The statute states that disparate impact, by itself, is not sufficient to prove discriminatory intent.

Example

A staffing business deliberately configures a resume-ranking tool to reject applicants over a particular age. That presents a much clearer TRAIGA issue than an unintentional statistical disparity discovered during testing.

Important distinction: The TRAIGA intent standard does not eliminate obligations under other employment, lending, housing, healthcare, or civil-rights laws. Those laws may use different liability standards.

Practical controls: test decision outcomes by relevant groups, document the intended decision logic, remove protected attributes and close proxies, maintain human review for consequential decisions, investigate unexplained disparities, and record corrections and approvals.

3. Constitutional-rights interference

A person may not develop or deploy an AI system with the sole intent that the system infringe, restrict, or otherwise impair rights guaranteed under the United States Constitution. The use of “sole intent” makes this a narrow provision.

Example

A social-media content-moderation AI that is solely designed to suppress lawful political speech would be closer to this prohibition than a general-purpose AI that occasionally flags content under a vendor’s standard policy.

Practical control: document the system’s intended purpose, review moderation rules for viewpoint neutrality, maintain human appeal channels, and avoid configurations whose sole function is to restrict protected expression.

4. Illegal sexual, deepfake, and child-related content

The law prohibits intentionally developing or distributing AI systems for specified illegal sexual material, unlawful deepfakes, child pornography, or explicit text conversations that impersonate or imitate a child. Particularly relevant to image generators, video-generation platforms, companion chatbots, role-playing systems, and platforms serving minors.

Example

A companion-chatbot platform that allows users to generate explicit content impersonating minors would fall squarely within this prohibition. A general-purpose image generator with safety filters and age-gating is not the same as a system intentionally designed for that purpose.

Practical controls: implement content filters, age verification, minor-safety guardrails, impersonation protections, reporting mechanisms, and human review of flagged outputs.

Does Every Private AI Chatbot Require Disclosure?

No\u2014not under TRAIGA as a general rule.

The general consumer-interaction disclosure in Section 552.051 applies to a governmental agency that makes an AI system available to interact with consumers. A separate provision applies when AI is used in relation to healthcare services or treatment.

HVAC company with an AI receptionist

TRAIGA does not impose a general disclosure requirement solely because a private HVAC company uses an AI receptionist. The company may still choose to disclose for transparency, customer expectations, recording consent, or other legal reasons.

Retail website chatbot

No universal private-business TRAIGA disclosure requirement applies merely because the website uses AI chat.

City-government chatbot

The government disclosure requirement applies. The notice must be clear, conspicuous, written in plain language, and not use a dark pattern.

Medical-practice assistant

If the AI is used in relation to healthcare services or treatment, the healthcare disclosure provision may apply.

Do not copy a blanket statement saying “Texas requires every chatbot to identify itself.” The final law does not say that.

Healthcare AI Requirements

Healthcare requires separate analysis because TRAIGA overlaps with another Texas law enacted in 2025.

TRAIGA healthcare disclosure

When an AI system is used in relation to a healthcare service or treatment, the provider must disclose the use to the recipient or the recipient\u2019s representative no later than the date the service or treatment is first provided. In an emergency, disclosure must be made as soon as reasonably possible.

Texas SB 1188 diagnostic-AI requirements

A separate law, SB 1188, permits a healthcare practitioner to use AI for diagnostic purposes\u2014including recommendations concerning diagnosis or treatment based on a patient\u2019s medical record\u2014when the practitioner acts within scope, the use is not otherwise prohibited, and the practitioner reviews AI-created records consistently with Texas Medical Board standards. The practitioner must also disclose diagnostic AI use to patients.

Healthcare scenarios

Use casePractical interpretation
AI only schedules appointmentsTRAIGA’s healthcare-treatment wording may require fact-specific review; ordinary scheduling is less clearly a treatment use
AI answers general office-hours questionsLikely closer to administrative support than clinical decision support
AI drafts a clinical noteReview, medical-record accuracy, PHI security, and disclosure questions arise
AI recommends a diagnosisSB 1188 directly addresses diagnostic AI and patient disclosure
AI recommends treatmentPractitioner scope, review, disclosure, and medical-record controls apply
AI summarizes a patient recordPHI, accuracy, access, vendor, and human-review controls are critical
AI triages emergency symptomsHigh safety impact; disclosure, escalation, clinical oversight, and other healthcare law require review

Healthcare organizations must also evaluate HIPAA, Texas medical-privacy laws, medical-record rules, professional licensing standards, contracts, and security requirements. TRAIGA compliance alone does not establish healthcare compliance.

Biometrics and AI

Texas already regulated commercial biometric identifiers through Business & Commerce Code Section 503.001. HB 149 amended that law and connected violations of Section 503.001 to TRAIGA\u2019s biometric provision.

Biometric identifiers include

  • Retina or iris scans
  • Fingerprints
  • Voiceprints
  • Records of hand or face geometry

The mere existence of an image or other media on the internet does not automatically establish notice and consent for commercial biometric capture unless the individual made the material publicly available.

AI-training treatment

The amended biometric statute contains an exclusion for training, processing, or storing biometric identifiers to develop, train, evaluate, disseminate, or offer AI models or systems\u2014unless the system is used to uniquely identify a specific individual. If an identifier collected for AI training is later used for another commercial purpose, the law\u2019s possession, destruction, and penalty provisions may apply.

Small-business scenarios

Gym using facial recognition for entry

Review consent, purpose, storage, sharing, retention, destruction, and vendor access.

Call center using voiceprints for identity verification

A voiceprint can be a biometric identifier. Ordinary call audio is not automatically the same as a voiceprint used to identify a person.

Retailer analyzing security-camera images

Determine whether the system is performing ordinary object detection or uniquely identifying individuals through face geometry.

Employer using fingerprint time clocks

TRAIGA may overlap with the existing Texas biometric statute even when the primary system is not generative AI.

Hiring and Employee AI

The TRAIGA definition of “consumer” excludes an individual acting in an employment or commercial context. That does not mean employment AI is automatically outside the entire law.

The unlawful-discrimination prohibition applies broadly to a person developing or deploying AI with discriminatory intent.

A Texas employer uses AI to:

  • Rank resumes
  • Score interviews
  • Analyze employee behavior
  • Recommend promotion
  • Identify workers for termination

TRAIGA does not impose a general Texas applicant-notice, annual bias-audit, or impact-assessment requirement on these systems. However:

  • Intentional unlawful discrimination is prohibited.
  • Federal and Texas employment laws remain relevant.
  • Biometric rules may apply to voice, facial, or fingerprint analysis.
  • Employee monitoring can create privacy and labor concerns.
  • Vendor documentation and human review remain prudent.

TRAIGA is not the complete employment-AI rulebook.

The Final Law Versus Earlier Drafts

Texas AI commentary is unusually confusing because at least three different documents are often treated as though they were the same law.

Stage 1: Circulated pre-filing policy draft

A widely circulated 2024 policy draft contained a much broader framework with high-risk AI systems, impact assessments, human oversight, and broader developer and deployer duties. That document was a policy draft\u2014not the law now in force.

Stage 2: Official introduced HB 149

The official introduced bill moved away from risk-classification. It did not use “high-risk,” “impact assessment,” or “small business.” It contained consumer appeal rights, political-viewpoint restrictions, and a deceptive-trade-practices provision that were later removed.

Stage 3: Final enacted law

The enrolled law narrowed the framework around targeted intent-based prohibitions, government and healthcare disclosure, biometric amendments, AG enforcement, a 60-day cure process, a regulatory sandbox, a Texas AI Council, and conditional non-liability provisions.

Final-law comparison matrix

IssueCirculated pre-filing proposalOfficial introduced HB 149Final enacted TRAIGA
High-risk AI classificationIncludedNot includedNot included
General impact assessmentsIncludedNot includedNot included
Express small-business exemptionDiscussedNot includedNot included
General private chatbot noticeBroad summaries created confusionGovernment disclosure; healthcare less developedGovernment disclosure plus healthcare-service/treatment disclosure
Consumer appeal and explanation rightPart of broader discussionsIncluded for certain adverse AI decisionsRemoved
Political-viewpoint discriminationPresent in early approachesIncludedRemoved; replaced by narrower federal constitutional-rights provision
Deceptive-practices manipulationIncluded in broader proposalIncludedRemoved as standalone TRAIGA provision
Unlawful discriminationBroader governance frameworkIntent-based; disparate impact alone insufficientIntent-based prohibition retained
Cure periodEarlier summaries described 30 days60 days60 days
AI risk-framework defenseBroader compliance languageNIST, ISO 42001, or recognized framework tied to discovery and cureRevised non-liability language referencing feedback, testing, guidance, or internal review with substantial NIST or other framework compliance
Consumer private lawsuitProposed materials variedNo broad private enforcement mechanismExpressly no private right of action

Do not use an article about the 2024 pre-filing proposal as evidence of what Texas businesses must do under the 2026 law.

What Documentation Can the Attorney General Request?

TRAIGA does not require every company to file an annual AI impact assessment. However, after receiving a complaint, the Attorney General may issue a civil investigative demand and request extensive system documentation.

The requested information can include:

  1. A high-level description of the system’s purpose
  2. Intended uses
  3. Deployment context
  4. Associated benefits
  5. Types of data used to program or train the system
  6. Categories of input data
  7. Categories of outputs
  8. Performance metrics
  9. Known limitations
  10. Post-deployment monitoring
  11. User safeguards
  12. For deployers, oversight, use, and learning processes
  13. Other relevant documents reasonably necessary for the investigation

TRAIGA may not mandate a formal impact assessment for every business, but it authorizes the Attorney General to request much of the information that a responsible AI assessment would normally contain. A business should therefore maintain a concise AI System Record.

Minimum AI System Record

FieldWhat to document
System nameProduct and internal name
Business ownerPerson accountable for the use case
Technical ownerPerson responsible for implementation
RoleDeveloper, deployer, or both
PurposeBusiness problem the AI addresses
UsersEmployees, consumers, patients, customers, or public
Decisions influencedRecommendations, approvals, rankings, actions
Data usedInput, training, customer, personal, biometric, or health data
OutputsContent, scores, decisions, predictions, or actions
Vendor/modelProvider, model, version, and hosting
Known limitationsAccuracy, bias, hallucination, latency, or coverage
Human oversightReviewer, approval point, and escalation
TestingSafety, discrimination, security, and performance tests
MonitoringIncidents, complaints, drift, failures, and user feedback
SafeguardsAccess, filters, moderation, logging, and tool restrictions
DisclosuresWhether notice is required or voluntarily provided
RetentionHow long prompts, outputs, and evidence are retained
Incident ownerWho handles complaints and suspected violations

This is the strongest practical foundation for a Texas small-business AI compliance program.

Enforcement, Cure Period, and Penalties

The Texas Attorney General has exclusive authority to enforce TRAIGA, except for limited additional licensing-agency sanctions after the required findings and recommendation. TRAIGA expressly states that it does not create a private right of action.

Enforcement process

TRAIGA Enforcement Flow

TRAIGA Enforcement ProcessCure failedConsumer ComplaintFiled with AGAG InvestigationReview and triageCivil Investigative DemandSystem documentation requestedWritten NoticeAlleged violation identified60-Day Cure PeriodBusiness may remedyCure DocumentationWritten statement + evidenceClosureNo enforcement actionEnforcement ActionPenalties, injunction, feesThe AG must generally give written notice and wait 60 days before bringing an enforcement action.

Figure 1 \u2014 The AG must generally give written notice and wait 60 days before bringing an enforcement action.

Before bringing an action, the Attorney General generally must give written notice identifying the alleged violation and wait 60 days. An action may be avoided when the business cures the violation within the period, provides a written statement confirming the cure, supplies supporting documentation, and makes necessary policy changes reasonably designed to prevent recurrence.

Civil penalties

Curable violation or breach of cure statement

$10,000\u2013$12,000 per violation

Uncurable violation

$80,000\u2013$200,000 per violation

Continuing violation

$2,000\u2013$40,000 for each day it continues

The Attorney General may also seek injunctive relief, attorney\u2019s fees, court costs, and investigative expenses. Certain licensed or regulated persons may also face agency sanctions\u2014including license suspension or revocation and monetary penalties of up to $100,000\u2014after a TRAIGA violation is found and the Attorney General recommends additional enforcement.

Is NIST Compliance a TRAIGA Safe Harbor?

Calling it a blanket safe harbor is too broad.

The final law provides circumstances in which a defendant may not be found liable, including when another person misuses the affiliated AI system or when the defendant discovers a violation through feedback, adversarial or red-team testing, state-agency guidance, or an internal review process while substantially complying with the NIST Generative AI Profile or another nationally or internationally recognized AI risk-management framework.

The provision is not written as automatic immunity for every company that says it follows NIST.

Substantial alignment with a recognized AI risk framework, combined with effective testing, feedback, review, and remediation processes, can strengthen a TRAIGA defense. It does not replace compliance with the statute.

NIST\u2019s AI Risk Management Framework organizes AI risk activities through four functions: Govern, Map, Measure, and Manage. Its Generative AI Profile adapts those activities to risks associated with generative systems.

NIST-Lite Framework for Small Businesses

NIST-Lite Framework for Small BusinessesNIST AI RMFSmall-Business LiteGovernAssign an AI ownerApprove acceptable usesDefine prohibited data and actionsMaintain vendor and system recordsMapIdentify users and affected peopleUnderstand the business contextClassify dataIdentify possible harm and legal overlapMeasureTest accuracyTest harmful promptsReview discriminationTest security and accessRecord known limitationsManageAdd controlsRequire approval where neededMonitor incidentsCorrect failuresRetire unsafe or obsolete systemsA small company does not need to imitate a Fortune 100 governance office — it needs deliberate ownership and reasonable controls.

Figure 2 \u2014 A practical four-function approach adapted for small organizations.

A small company does not need to imitate a Fortune 100 governance office. It does need to demonstrate deliberate ownership and reasonable controls.

Practical Business Scenarios

AI receptionist for a local service company

Likely TRAIGA position: The company may be a deployer. No general private-chatbot disclosure requirement exists under TRAIGA. The system must not intentionally encourage harm, crime, or unlawful discrimination.

Recommended controls:

  • Identify the business clearly
  • Consider voluntarily identifying the system as AI
  • Restrict emergency, legal, financial, or medical advice
  • Define escalation to a human
  • Control appointment, payment, and transfer tools
  • Retain call and action evidence appropriately

Medical or dental office using AI

Likely TRAIGA position: Healthcare disclosure may apply when AI is used in relation to healthcare service or treatment. Diagnostic AI can trigger additional requirements under SB 1188. Medical-record and privacy rules also apply.

Recommended controls:

  • Patient disclosure
  • Practitioner review
  • PHI and vendor controls
  • Role-based access
  • Output verification
  • Clinical escalation
  • Audit evidence

Staffing company using resume-ranking AI

Likely TRAIGA position: The employment context is excluded from the definition of “consumer.” The intent-based unlawful-discrimination prohibition can still apply. TRAIGA does not impose a general bias audit or applicant notice.

Recommended controls:

  • Human review
  • Outcome testing
  • Documented job criteria
  • Proxy-variable review
  • Vendor transparency
  • Existing employment-law analysis

Retailer using facial recognition

Likely TRAIGA position: Texas biometric law and TRAIGA’s biometric provision may apply. Public images alone do not necessarily establish consent. Unique identification creates greater risk than ordinary image analysis.

Recommended controls:

  • Written consent analysis
  • Narrow purpose
  • Retention and destruction schedule
  • Vendor restrictions
  • Access controls
  • Alternative process for customers who decline

SaaS company selling an AI assistant

Likely TRAIGA position: The company may be a developer if the system is provided in Texas. Customers may separately be deployers. There is no universal registration or impact-assessment requirement.

Recommended controls:

  • System documentation
  • Clear intended-use boundaries
  • Customer configuration guidance
  • Prohibited-use controls
  • Safety testing
  • Monitoring
  • Contract allocation of responsibilities

Marketing agency using generative AI

Likely TRAIGA position: Ordinary drafting and content generation do not automatically create a special TRAIGA filing or disclosure obligation. Risk increases when the agency generates deceptive impersonations, illegal sexual deepfakes, discriminatory targeting, harmful or criminal instructions, or unauthorized biometric identification.

Recommended controls:

  • Human review
  • Rights and consent checks
  • Deepfake and impersonation policy
  • Approved data use
  • Client disclosure where contractually required
  • Records of high-risk campaigns

Ten-Step TRAIGA Readiness Plan for Small Businesses

A structured version of this process can be delivered through the HAIEC Texas AI Readiness Assessment, including applicability analysis, system inventory, disclosure review, prohibited-use testing, evidence gaps, and a cure-response package.

1

Inventory the AI

  • Public AI tools
  • Employee AI tools
  • Embedded vendor AI
  • Automated decision systems
  • AI voice and chat
  • Biometric systems
  • Agents and tool-calling workflows
2

Assign an owner

  • Business owner
  • Technical owner
  • Vendor owner
  • Incident contact
3

Determine your role

  • Developer
  • Deployer
  • Both
  • Customer of a third-party system
4

Classify the use case

  • Healthcare
  • Employment
  • Biometrics
  • Children
  • Protected classes
  • Public services
  • Financial or insurance decisions
  • Safety
  • Constitutional rights
5

Map the data

  • Inputs
  • Outputs
  • Personal information
  • Health information
  • Biometric information
  • Sensitive business data
  • Retention and sharing
6

Review disclosures

  • Required by TRAIGA
  • Required by another law
  • Required by contract
  • Recommended for trust
  • Not relevant
7

Test prohibited behavior

  • Self-harm and violence
  • Criminal assistance
  • Discrimination
  • Deepfake and sexual content
  • Child-safety failures
  • Constitutional-rights concerns
  • Unauthorized tool actions
8

Document limitations and oversight

  • Known failure modes
  • Human review
  • Escalation
  • Approval points
  • Monitoring
  • Corrective action
9

Prepare for complaints

  • Complaint intake
  • Investigation owner
  • Evidence-preservation procedure
  • Vendor-notification process
  • Remediation workflow
  • Executive escalation
10

Prepare a 60-day cure-response package

  • Alleged issue
  • Root cause
  • Affected users
  • Immediate containment
  • Corrective action
  • Supporting test evidence
  • Policy changes
  • Recurrence-prevention controls
  • Responsible owner and due date

Frequently Asked Questions

Does the Texas AI law apply to small businesses?

Yes, potentially. The final TRAIGA text does not contain an express small-business exemption. Applicability depends on the company’s Texas connection and the AI system’s use—not only company size.

Is there a revenue threshold under TRAIGA?

No general revenue threshold appears in the final enacted TRAIGA applicability provision. Other Texas privacy laws may have their own scope and exemptions, but those should not be confused with TRAIGA.

Does using ChatGPT make my company subject to TRAIGA?

Using ChatGPT or another AI product may make the business a deployer of an AI system in Texas, depending on how it is put into use. However, use alone does not trigger a general registration, impact-assessment, or disclosure requirement. The use case and conduct determine which substantive provisions matter.

Do I have to register my AI system with Texas?

TRAIGA does not establish a general registration requirement for private-business AI systems. The regulatory sandbox has a separate application process for organizations seeking to participate in that program.

Does Texas require an AI impact assessment?

TRAIGA does not impose a general mandatory impact assessment on every private developer or deployer. Maintaining similar information is still prudent because the Attorney General may request purpose, data, output, performance, limitation, monitoring, and safeguard documentation during an investigation.

Does my private website chatbot need an AI disclosure?

Not under TRAIGA as a universal rule. The statute expressly requires consumer-interaction disclosure for government agencies and disclosure when AI is used in relation to healthcare services or treatment.

Should a private business disclose its AI chatbot voluntarily?

Often, yes. Voluntary disclosure may improve customer trust, reduce confusion, support recording or privacy notices, and make escalation expectations clearer. That is a business and governance recommendation—not a universal TRAIGA requirement.

Does an AI phone receptionist need disclosure in Texas?

TRAIGA does not create a general disclosure rule for every private AI phone receptionist. Healthcare use, government use, call-recording rules, consumer-protection law, and other sector requirements may change the answer.

Does TRAIGA apply to employee hiring tools?

Potentially. Employees and applicants acting in an employment context are excluded from TRAIGA’s “consumer” definition, but the law’s intent-based unlawful-discrimination prohibition applies more broadly to developers and deployers.

Does TRAIGA require a bias audit?

No general bias-audit requirement appears in the final law. Testing remains a strong risk-control measure, particularly for hiring, lending, insurance, healthcare, and other consequential uses.

Is disparate impact a TRAIGA violation?

Disparate impact alone is not sufficient to prove discriminatory intent under TRAIGA’s unlawful-discrimination provision. Other civil-rights laws may apply different standards.

Does TRAIGA apply to healthcare AI?

Yes, in relevant circumstances. AI used in relation to healthcare services or treatment triggers a disclosure requirement. Diagnostic AI may also be regulated under Texas SB 1188.

Does HIPAA replace TRAIGA?

No. HIPAA governs protected health information and covered healthcare relationships. TRAIGA regulates specified AI conduct and disclosure. A healthcare AI system may need to satisfy both, along with other medical and professional requirements.

Does TRAIGA regulate facial recognition?

Yes, through restrictions on certain government biometric identification and through its connection to Texas’s existing commercial biometric-identifier law.

Is an ordinary photograph considered biometric data?

Not necessarily. TRAIGA’s biometric-data definition excludes ordinary photographs, video, audio, and data generated from them unless the relevant data constitutes a unique biological pattern used to identify a specific individual.

Can consumers sue my business directly under TRAIGA?

No. TRAIGA expressly states that it does not create a private right of action. The Texas Attorney General is the primary enforcement authority. Other laws may still permit private lawsuits based on the same underlying conduct.

What happens if someone files a TRAIGA complaint?

The Attorney General may investigate and issue a civil investigative demand requesting system documentation. If a violation is alleged, the business generally receives notice and a 60-day opportunity to cure before an enforcement action.

What are the penalties?

Potential penalties range from $10,000–$12,000 for specified uncured curable violations, $80,000–$200,000 for uncurable violations, and $2,000–$40,000 per day for continuing violations.

Does NIST compliance guarantee immunity?

No. Substantial NIST alignment may support the statute’s non-liability provisions in specified circumstances, but it is not automatic immunity.

What is the minimum documentation a small business should maintain?

At minimum: system name and owner, purpose, users, data inputs, outputs, vendor and model, known limitations, testing, human oversight, monitoring, safeguards, disclosures, and incident contact. These fields substantially overlap with information the Attorney General may request.

How often should TRAIGA compliance be reviewed?

Review whenever the business changes AI model, vendor, data source, intended use, user group, decision authority, tool access, disclosure, safety controls, or applicable law. A periodic annual review is also prudent even though TRAIGA does not generally mandate one.

Official Source Hierarchy

For future updates, use this order:

1

Current Texas Business & Commerce Code

The enacted statutory text
2

Enrolled HB 149 text

The bill as passed by the legislature
3

Texas Attorney General TRAIGA guidance

AG enforcement guidance and complaint procedures
4

Texas Department of Information Resources guidance

Sandbox and implementation guidance
5

Enrolled related statutes, including SB 1188

Healthcare diagnostic AI and other related laws
6

NIST AI Risk Management Framework

Voluntary framework for AI risk management
7

Secondary legal commentary

Analysis and interpretation by qualified practitioners

Do not rely on an article about a pre-filing proposal without checking whether the discussed provision survived into the final law.

Final Takeaway

Texas did not enact a Colorado-style comprehensive high-risk AI governance regime. It enacted a more targeted law.

TRAIGA can reach small and midsize businesses, but it does not require every company using AI to register, complete an annual impact assessment, or identify every private chatbot.

The real compliance work is more practical:

  • Know which AI systems you use.
  • Understand what they do.
  • Identify sensitive and regulated use cases.
  • Prevent prohibited conduct.
  • Disclose healthcare AI where required.
  • Control biometric information.
  • Test consequential systems.
  • Maintain enough evidence to respond to a complaint.
  • Correct problems quickly.

The best first step is not a 100-page policy. It is an accurate AI inventory and a clear answer to five questions:

  1. What is the system intended to do?
  2. What data does it use?
  3. Who can be affected?
  4. What decisions or actions can it influence?
  5. What evidence proves it is being used responsibly?

That is the foundation of TRAIGA readiness\u2014and responsible AI governance more broadly.

AI Governance & Compliance Framework Guide

Get a structured framework for AI governance, risk management, and compliance \u2014 aligned with NIST AI RMF, EU AI Act, and TRAIGA. Includes templates for AI system records, disclosure reviews, and cure-response packages.

No spam. Unsubscribe anytime.

Prepare for TRAIGA Compliance

Get a TRAIGA applicability assessment or compliance roadmap from Subodh KC \u2014 co-founder of the HAIEC TRAIGA compliance engine. Based in Dallas, Texas.

This guide is for informational purposes and does not constitute legal advice. Applicability can depend on facts, contracts, industry rules, and other federal or state laws. For jurisdiction-specific compliance guidance, contact Subodh KC for advisory services. Last legally reviewed: July 15, 2026. Law reviewed: Texas Business & Commerce Code Chapters 551\u2013554, enacted through HB 149.

Let's Talk →