Texas Attorney General Ken Paxton has launched what he describes as the first in a series of lawsuits targeting TP-Link Technologies Co. Ltd., the world’s largest seller of Wi-Fi routers, accusing the Chinese-owned company of facilitating access to Americans’ personal data by the Chinese Communist Party. The suit, filed under the Texas Data Privacy and Security Act (TDPSA), marks an escalation in the growing confrontation between U.S. authorities and Chinese technology firms over national security and consumer privacy concerns.
The lawsuit, announced on July 2, 2025, alleges that TP-Link collected vast quantities of sensitive personal data from Texas consumers—including biometric identifiers, precise geolocation data, and browsing history—and transferred that data to servers in China, where it is accessible to the Chinese government under Chinese law. According to the Texas Attorney General’s office, TP-Link’s privacy practices violated multiple provisions of the TDPSA by failing to obtain proper consent, misrepresenting data collection practices, and neglecting to conduct required data protection assessments.
A Router in Every Home—and a Pipeline to Beijing?
TP-Link commands a dominant position in the American consumer networking market. Its routers, range extenders, smart home devices, and mesh networking systems are among the best-selling products on Amazon and are stocked in virtually every major electronics retailer in the country. Industry estimates suggest the company controls roughly 65% of the U.S. home router market, a figure that has drawn increasing scrutiny from lawmakers and intelligence officials alike.
Attorney General Paxton did not mince words in his announcement. “TP-Link is a CCP-controlled company that has deliberately put Texans’ sensitive data within reach of the Chinese Communist Party,” Paxton said in the official press release. “This is the first of several lawsuits my office will bring against companies that sell out their American customers to hostile foreign governments.” The statement signals that Texas intends to use its state privacy law aggressively against companies with ties to adversarial nations, potentially setting a template for other states with similar statutes.
The Legal Architecture: What Texas Is Alleging
The complaint lays out several specific allegations. First, it claims that TP-Link’s devices and associated mobile applications collect categories of data that qualify as “sensitive” under the TDPSA—including biometric data, precise geolocation, and information about children—without obtaining the opt-in consent that Texas law requires. Second, the suit alleges that TP-Link’s privacy policy was deceptive, failing to accurately disclose the scope of data collection or the fact that data was being routed to servers under Chinese jurisdiction.
Perhaps most significantly, the lawsuit invokes China’s 2017 National Intelligence Law, which compels Chinese organizations and citizens to “support, assist, and cooperate with national intelligence work.” Under this statute, Chinese authorities can demand access to data held by Chinese companies without the type of judicial oversight that would be required in the United States. The Texas AG’s office argues that by storing or transferring Texans’ data to China, TP-Link effectively subjected that data to Chinese government access, regardless of TP-Link’s stated intentions or privacy commitments.
Federal Pressure Has Been Building for Months
The Texas lawsuit does not exist in a vacuum. It arrives amid a broader federal effort to restrict or ban TP-Link products from the American market. In late 2024, the U.S. Department of Commerce opened an investigation into TP-Link, and by early 2025, multiple congressional committees had called for action. A bipartisan group of lawmakers, including Representatives Raja Krishnamoorthi and John Moolenaar, had urged the Commerce Department to examine TP-Link’s ties to the Chinese state and the security vulnerabilities in its products.
The concerns are not purely theoretical. In October 2024, Microsoft’s threat intelligence team published research identifying a botnet comprising thousands of compromised TP-Link routers that was being used by a Chinese state-sponsored hacking group known as Storm-0940 to conduct password-spray attacks against Western targets, including think tanks, government organizations, and defense contractors. The botnet, which Microsoft tracked under the name CovertNetwork-1658, highlighted how consumer-grade networking equipment could be weaponized at scale for espionage purposes. The findings added urgency to calls for regulatory action and gave ammunition to officials like Paxton who argue that TP-Link’s products pose a systemic risk.
TP-Link’s Corporate Restructuring and Defense
TP-Link has not been passive in the face of these pressures. In 2024, the company undertook a corporate restructuring, establishing a new U.S.-based headquarters in Irvine, California, and creating a separate entity—TP-Link Systems Inc.—that it says operates independently of its Chinese parent. The company has publicly stated that it does not sell products in China and that its operations are distinct from TP-Link Technologies, which remains based in Shenzhen.
In public statements, TP-Link has denied that it provides data to the Chinese government and has emphasized its commitment to complying with U.S. laws. The company has also pointed to third-party security audits and its participation in industry standards bodies as evidence of its good-faith efforts. However, critics—including Paxton’s office—argue that corporate restructuring cannot override the obligations imposed by Chinese law on entities with Chinese ownership or personnel. The Texas lawsuit specifically names TP-Link Technologies Co. Ltd., the Shenzhen-based parent, suggesting that Paxton’s team views the corporate separation as insufficient to address the underlying concerns.
State Privacy Laws as National Security Tools
One of the most consequential aspects of the Texas case is its use of a state consumer privacy statute to address what is fundamentally a national security issue. The TDPSA, which took effect in July 2024, is one of a growing number of comprehensive state privacy laws modeled in part on the European Union’s General Data Protection Regulation. It grants the Texas Attorney General exclusive enforcement authority and provides for civil penalties of up to $7,500 per violation—a figure that, when multiplied across potentially millions of affected consumers and devices, could translate into enormous financial exposure for TP-Link.
By framing the case as a consumer privacy action rather than a national security matter, Paxton sidesteps the traditional federal prerogative over foreign policy and intelligence issues. This approach could prove influential. At least 15 other states have enacted comprehensive privacy laws, and attorneys general in several of those states have been watching the TP-Link situation closely. If the Texas lawsuit survives early legal challenges and produces meaningful results—whether through settlement, injunction, or judgment—it could encourage a wave of similar state-level enforcement actions against companies with ties to China, Russia, or other adversarial nations.
The Broader Implications for the Consumer Electronics Market
The ramifications extend well beyond TP-Link. The consumer electronics market is deeply intertwined with Chinese manufacturing and engineering. Companies like Huawei and ZTE have already been effectively barred from U.S. telecommunications infrastructure, but the consumer router and smart home device market has remained comparatively open. TP-Link’s dominance in that space means that any significant restriction on its products would create a massive gap in the market—one that competitors like Netgear, Asus, and Linksys (owned by Foxconn) would race to fill.
For consumers, the immediate practical impact may be limited. TP-Link products remain widely available for purchase, and the lawsuit does not include a request for an immediate sales ban. However, the case could accelerate a trend toward “country of origin” scrutiny for networking equipment, much as the Huawei controversy reshaped the telecommunications infrastructure market a half-decade ago. Retailers may begin to face pressure—from regulators, from consumers, or from their own risk management teams—to reconsider their relationships with TP-Link and similar vendors.
What Comes Next: Paxton Promises More Lawsuits
Paxton’s characterization of the TP-Link case as “the first of several lawsuits” raises immediate questions about who might be targeted next. The Texas AG’s office has not publicly identified additional defendants, but the language of the announcement suggests a broader campaign against companies that collect sensitive data and store or process it in jurisdictions where adversarial governments can compel access. Potential targets could include other Chinese-owned technology firms, app developers with data flows to China, or even U.S. companies that use Chinese cloud infrastructure or data processing services.
The legal and political dynamics are also worth watching at the federal level. The Trump administration has signaled a hawkish posture toward Chinese technology companies, and Commerce Department action on TP-Link—potentially including an outright ban on the sale of its products in the United States—remains a possibility. If federal action materializes, it could either complement or complicate the Texas lawsuit, depending on the scope and timing of any federal order.
For now, the Texas case stands as a significant marker in the evolving confrontation between American regulators and Chinese technology firms. It demonstrates that state attorneys general are willing and able to use consumer privacy laws as instruments of national security policy, and it puts companies on notice that data flows to China will face aggressive legal challenge. Whether TP-Link can successfully defend itself—or whether it will be forced to fundamentally restructure its data practices, its corporate ownership, or both—will be one of the most closely watched legal battles in the technology sector for the remainder of 2025.