Yeehaw!!! Texas is on fire when it comes to bringing enforcement actions. I recently reported that Texas is investigating Meta Glasses; now a new suit has been filed against Meta Platforms, Inc. and WhatsApp LLC.
Texas Attorney General Ken Paxton filed suit against Meta Platforms, Inc. and WhatsApp LLC, alleging that the companies misled consumers about the security of their popular messaging app. The case, brought under the Texas Deceptive Trade Practices‘Consumer Protection Act (the “DTPA”), takes direct aim at one of WhatsApp’s most prominent marketing claims: that messages are protected by end-to-end encryption so strong that not even WhatsApp itself can read them.
This article explains what the lawsuit alleges, what end-to-end encryption is supposed to mean, why Texas is involved, and what it could mean for the millions of Texans and roughly three billion people worldwide who use the app every day.
What WhatsApp Has Promised
For nearly a decade, WhatsApp has built its brand on a single core message: your conversations are private. Beneath the chat window, users see the assurance that messages are “end-to-end encrypted.” On its website, in marketing materials, and in sworn testimony to Congress, Meta has insisted that only the sender and recipient can read the contents of messages, and that “not even WhatsApp” can access them.
End-to-end encryption (“E2EE”) is a real and meaningful technology. When properly implemented, a message is scrambled on the sender’s device using a cryptographic key and can only be unscrambled by the recipient’s device. The service provider, in theory, holds only encrypted gibberish. WhatsApp has long relied on the well-regarded Signal Protocol to power its encryption.
What the Attorney General Alleges
According to the Attorney General’s press release, “investigations and insider accounts” suggest that WhatsApp’s privacy promises do not match the reality of its operations. The Office alleges that:
- WhatsApp employees have been able to access user communications.
- Message content can be retrieved and viewed after a message has been sent; and
- These capabilities directly contradict the company’s public representations.
The State frames these alleged practices as deceptive under the DTPA, which prohibits false, misleading, or deceptive acts or practices in trade or commerce. The DTPA empowers the Attorney General to seek injunctive relief, civil penalties of up to $10,000 per violation (and up to $250,000 for violations involving consumers 65 or older), consumer restitution, and attorney’s fees. With millions of Texan users, the potential exposure is substantial.
The Broader Context
Texas’s suit does not arise in a vacuum. In January 2026, a class action was filed in the U.S. District Court for the Northern District of California raising similar allegations: that unnamed whistleblowers had described an internal “task” system by which Meta personnel could obtain access to WhatsApp message content through a simple internal request, sometimes without meaningful scrutiny. Separately, Bloomberg has reported that a federal agent within the U.S. Commerce Department’s Bureau of Industry and Security spent roughly ten months examining these claims before the inquiry was abruptly closed. The agent reportedly concluded that Meta “can and does” view and store WhatsApp message content. The Bureau publicly disavowed the investigation, characterizing the agent’s findings as outside his authority.
Meta has strongly denied the substance of these allegations. A company spokesperson has called claims that WhatsApp can access encrypted communications “patently false,” “categorically false and absurd,” and has described the federal class action as a “frivolous work of fiction.” Meta emphasizes that WhatsApp has used the open-source Signal Protocol for nearly a decade and that independent cryptographers have not produced technical evidence of a backdoor.
Independent experts have urged caution. Johns Hopkins cryptographer Matthew Green, among others, has suggested that some of what is being described may relate to messages that users themselves flag or report for abuse, which are sent to Meta in cleartext as part of the reporting workflow, rather than to a cryptographic compromise of the protocol itself. At this stage, the underlying technical questions remain genuinely contested.
Why the DTPA Matters Here
A DTPA claim does not require the State to prove that WhatsApp’s encryption has been mathematically broken. It requires proof that the company’s public representations to consumers were materially false, misleading, or deceptive. That is a different, and for the Attorney General potentially more accessible, legal question. If marketing said “no one, not even WhatsApp” could read messages but employees in fact could, the gap between promise and practice is itself the claim. Texas does not need to prove a backdoor; it needs to prove a broken promise.
Paxton’s Big Tech Track Record
The lawsuit is the latest entry in a years-long enforcement campaign by Attorney General Paxton against major technology companies. His office secured a record $1.4 billion settlement with Meta in 2024 over biometric facial-recognition practices on Facebook, a $1.375 billion settlement with Google over geolocation and incognito-mode tracking, and is currently pursuing claims against Netflix, Snapchat, TikTok, and others. He recently opened an investigation into Meta’s smart glasses. The WhatsApp filing fits squarely within that pattern.
What This Means for Texans
For ordinary users, three points are worth keeping in mind. First, end-to-end encryption is a strong privacy tool, but it does not protect against every risk: device-level malware, account takeovers, cloud backups, and metadata collection can all expose information regardless of the protocol. Second, allegations are not findings; the technical claims at the heart of both this case and the federal class action remain unproven. Third, when a company markets privacy as a feature, it makes a promise to consumers, and Texas law, like many other states, treats that promise as enforceable.
The case will likely take years to resolve. In the meantime, it is a useful reminder that “private” is a word with both technical and legal meaning, and the gap between the two is exactly where the next decade of privacy enforcement will play out.
