Texas Attorney General Ken Paxton filed suit on May 21, 2026 in a Harrison County district court against Meta Platforms Inc. and WhatsApp LLC, alleging that the companies misled millions of Texas users about the privacy of their messages. The complaint, filed under the Texas Deceptive Trade Practices Act, centers on a single core claim: that WhatsApp’s public representations about end-to-end encryption are false, because Meta has maintained a system that allows company personnel to read user message content on demand.
The Internal “Task” System Allegations
The lawsuit alleges that Meta operates an internal “task” system through which Meta employees and contractors can submit requests to obtain access to the content of WhatsApp messages. According to the complaint, these requests were sometimes processed without meaningful scrutiny, directly contradicting WhatsApp’s public assurances that end-to-end encryption prevents anyone other than the sender and recipient from reading messages.
Meta spokesperson Rachel Holland denied the allegations in a statement: “WhatsApp cannot access people’s encrypted communications and any suggestion to the contrary is false.” The company has not released technical documentation specifically addressing the internal task mechanism described in the complaint.
The Texas DTPA Legal Framework and Per-Violation Stakes
Paxton’s office brought the case under the Texas Deceptive Trade Practices Act, which permits statutory damages of $10,000 per violation. With millions of Texas residents using WhatsApp, even a fraction of the user base treated as individual violations would expose Meta to billions of dollars in statutory liability. The relief sought includes a permanent injunction prohibiting Meta from accessing user message content without explicit user consent, in addition to the statutory damages.
The DTPA basis is significant because it focuses on the commercial relationship between WhatsApp and its users: by marketing the platform as offering end-to-end encryption as a key privacy protection, Meta made what the state characterizes as a material representation to consumers in the course of trade. If the alleged internal access mechanism undermined that representation, the misrepresentation formed part of the basis of the transaction.
Whistleblowers and the January 2026 Federal Class Action
The Texas filing does not stand alone. In January 2026, a federal class action was filed in the U.S. District Court for the Northern District of California making substantially the same allegations, relying on accounts from unnamed whistleblowers who described the same internal task system for accessing WhatsApp message content. The concurrent existence of the state enforcement action in Texas and the federal class action in California, both citing insider accounts of the same mechanism, suggests a coordinated investigative effort with corroborating insider testimony at its foundation.
The California class action frame differs from Paxton’s enforcement posture: the federal suit seeks class-wide damages on behalf of WhatsApp users, while the Texas AG action invokes state consumer protection authority to seek injunctive relief and per-violation statutory penalties. Together, the two suits bracket Meta with legal pressure from both federal civil litigation and state enforcement.
What the Allegations Mean for End-to-End Encryption as a Legal Promise
End-to-end encryption has been a central feature of WhatsApp’s identity since Meta acquired the platform. The company has repeatedly cited it in public communications, policy documents, and marketing materials as the mechanism that ensures private messages cannot be read by WhatsApp, Meta, governments, or any third party. If the whistleblower accounts in both suits are accurate, the gap between that public claim and internal operational practice creates a consumer protection exposure that extends far beyond Texas.
Every U.S. state maintains its own unfair and deceptive trade practices statute, most of which carry per-violation damages provisions similar to the DTPA. If the Texas action advances and the factual record — including the internal task system — is established through discovery, the template for parallel enforcement actions in other states is already in place.
The legal question at the heart of both suits is whether “end-to-end encryption” constitutes an enforceable consumer promise or a technical description subject to internal exceptions. WhatsApp’s encryption architecture is built on the Signal Protocol, which in its standard implementation does provide mathematical guarantees against interception in transit. What neither suit disputes is the cryptographic protocol; what both allege is that Meta has built a separate operational capability layered on top of or around that protocol that allows internal access to message content after decryption on the company’s infrastructure.
That distinction — between encryption in transit and access to decrypted content — is where the legal and technical arguments will collide. If discovery confirms the task system’s existence and scope, the outcome of these proceedings could redefine what technology companies are legally permitted to promise users about the privacy of communications marketed as end-to-end encrypted.
