The medspa industry got three regulatory shocks in eighteen months. Each one hit a different state, but together they redrew the citation map for every US medspa website that hopes to surface in ChatGPT, Claude, or Perplexity in 2026.
What the 2026 medspa enforcement triad means for AI citations
Texas SB 378 closed the medspa injection loophole in 2026 — only qualifying medical license-holders can perform injections regardless of tenure. The NYC Council and State joint investigation found 100% of fifteen inspected medspas in violation on December 11 2025. Florida HB 1429 added expedited injunction routes and immediate registration revocation power for refusing inspection. Practices that publish their compliance posture as patient-education content get cited by the engines. Practices that bury it lose to the ones that lead with it.
The reason this matters for AI visibility, and not just legal exposure, is structural. AI engines retrieve regulatory events as freshness signals on safety-of-procedure prompts — “is medspa X safe,” “what should I check before getting Botox,” “best medspa near me.” When a regulator publishes an inspection finding with named practices, dates, and violation categories, that finding becomes a primary source ChatGPT and Perplexity will cite back into the answer cycle for months. Practices on the violation list get cited as the negative example. Practices that audit themselves first stay off the list and become the compliant counter-example the engine reaches for instead.
This is the hub piece for the regulatory side of the medspa AI visibility playbook, which sits inside the broader vertical citation playbooks hub where seven other verticals get the same treatment. If your practice is on Squarespace 7.1, read the Squarespace canonical trap before fixing anything else; the platform constraint is upstream of every compliance and schema fix below.
Why state-board enforcement is a 2026 GEO content engine
The medspa market crossed $20 billion in revenue in 2025 and is projected to hit $45.5 billion by 2030 at a 14.6% CAGR (Metricus MedSpa AI Visibility 2026). There are roughly 8,000 to 10,000 medspas operating in the US, with 81% as single-location practices per AmSpa’s industry baseline. The buyer is now arriving through a different funnel: 40% of patient searches are projected to use AI by 2026 (Cornflower 2026), and “Botox near me” alone clears one million monthly searches (Metricus MedSpa 2026).
The citation hierarchy is brutal at the brand layer. Allergan and AbbVie hold 90%+ of medical-aesthetic AI citation share. RealSelf takes 75%. The average independent medspa lands below 1% (Metricus 2026). Haute MD and 5WPR’s April 25 2026 Medical Aesthetics AI Visibility Index — the first published audit of the category — found the top 15 brands capture 62% of total AI citation share across ChatGPT, Claude, Perplexity, and Google AI Overviews. A solo practice cannot beat Allergan on a branded query and never will.
State-board enforcement is the layer underneath the brand fight. Manufacturers do not own it. Marketplaces do not own it. Practices that publish their licensure posture, their medical-director relationship, and their scope-of-practice claims at the procedure-page level become the named entities AI engines retrieve when the prompt is regulatory. That is the open category in 2026 — and the three enforcement events of the past eighteen months made it citable.
Texas SB 378 — what changed and what content angles it opens
Texas SB 378 (2026) closes the long-standing Texas medspa loophole. The American Academy of Aesthetics TX has the cleanest 2026 explainer of the bill’s scope. Only qualifying medical license-holders — physician, physician assistant, advanced practice registered nurse, or registered nurse under appropriate physician delegation — can perform injections regardless of prior tenure or “we’ve always done it this way” defence. Every Texas medspa must reaudit its injector roster against the new statute.
The content angle is not “here is a compliance summary.” The content angle is the named-practitioner schema layer SB 378 forces every Texas medspa to publish honestly. The audit checklist for a Texas medspa website in 2026:
- Medical director disclosure. Name the physician medical director on a public page. Include their state license number, board certification, and the date of the supervising-physician agreement. The Person + hasCredential schema layer is the AI-citable surface.
- Injector roster with license verification. One Physician schema block per injector — physician, PA, APRN, or RN — with license number and a sameAs link to the Texas Medical Board or Texas Board of Nursing verification page. AI engines cross-check licensure for medical-procedure recommendations. A practice that surfaces verified credentials in schema gets favoured over one that does not.
- Scope-of-practice claims, written honestly. If the RN under delegation cannot perform a specific procedure post-SB 378, the website cannot list them as the provider for that service. The procedure page lists only practitioners legally authorised to perform it.
- Procedure pages that name the law. A MedicalProcedure schema block per service — Botox, Juvéderm, Sculptra, Morpheus8, CoolSculpting — with a short patient-safety FAQ that names SB 378 as the regulatory floor. This is the content the engine retrieves on “is Botox safe in Texas” prompts.
- Before-and-after photo posture. State-by-state rules on outcome claims. Texas does not require explicit “results may vary” disclaimers but the FTC Endorsement Guides do, and the engines reward practices that lead with the disclosure rather than bury it.
The Wednesday data-drop angle ConnectEra runs is “Texas SB 378 + 30 medspa websites that now violate state law” — a published audit list, citable by URL, dated to the SB 378 effective date. Practices that audit themselves first stay off the list. The same methodology runs in the Allergan citation monopoly breakdown for the brand side; this cluster handles the regulatory side.
NYC’s 100% violation rate as content-citation hook
The NYC Council and State joint investigation, December 11 2025: 100% of fifteen inspected medspas had violations. The press release names the practices and the violation categories. This is the kind of regulatory event AI engines retrieve as a freshness signal for years — dated, reproducible, citable by URL.
The content opportunity is the compliant counter-example. Most NYC medspas — and most medspas nationally — saw the press release, panicked, and did nothing public. The ones that responded fastest published a same-week patient-education page naming the inspection, the violation categories that did not apply to their practice (because of their medical-director relationship, their license posture, their scope-of-practice discipline), and the specific safeguards in place. Within thirty days, the engines were citing those pages on “is X medspa safe” prompts at meaningfully elevated rates compared to peers who stayed silent.
The pattern transfers outside New York. Every state medical board now has a December 2025 reference event to compare its own inspection cycle against. California, Illinois, Arizona, and Florida boards are running similar cycles. A practice in any of those states that publishes a patient-education page citing the NYC finding as the regulatory benchmark — and then names its own state’s licensure posture against that benchmark — earns citation share on every regulatory prompt the engine retrieves.
The mechanic is straightforward. The NYC Council press release is the primary source. Your patient-education page references it, names your medical director, names your state board’s posture, and provides the safety-implication framing for the patient. The engine retrieves your page because it cites the primary source the engine already trusts. The compounding effect is what makes the regulatory layer valuable: a single FAQPage block, written once and updated on the dates each new state inspection lands, earns recurring citation share through the entire 2026 enforcement cycle.
Florida HB 1429 + the FTC Endorsement Guides for medspa influencers
Florida HB 1429 added an expedited injunction route and immediate registration revocation power for refusing inspection (Florida Healthcare Law Firm 2026; AmSpa 2026 deep-dive). The Florida statute is structurally similar to Texas SB 378 but with sharper enforcement teeth — a Florida medspa that refuses an inspection can lose its registration the same week. The content posture for a Florida practice is essentially the same as the Texas posture: name the medical director, name the licensure layer, name the procedures and the practitioners authorised to perform them, and publish the compliance framing as patient-education content rather than as a footer disclaimer.
The FTC Endorsement Guides update from December 2025 (Arnold and Porter) added a separate citation surface: virtual and AI endorsers are held to the same standard as human ones. Influencer disclosure is required for cash, free product, discount, or affiliate compensation. For medspas this means three things in 2026:
- Influencer content needs explicit disclosure. If a local injector partners with a creator who posts before-and-after content, the practice’s website needs the parallel disclosure on its own gallery page. The engines now retrieve disclosure presence as a credibility signal.
- GenAI-generated patient testimonials are exposure. A peer-reviewed ScienceDirect study classified 64.3% of 9,000 RealSelf reviews as authentic and 35.7% as fake. Fake-review enforcement is on the table. A practice that runs synthetic testimonials faces FTC exposure and a citation drop-off as engines weight authentic-review density.
- Before-and-after photos need patient-context framing. Typical results disclaimers, individual-variation language, and the specific procedure protocol used — these are the citation-credible signals the engines reward over decontextualised marketing photography.
The FTC layer is the third leg of the compliance triad. State law (SB 378, HB 1429, NYC inspection cycle) governs who can perform what procedure. FTC guidance governs how the practice can describe outcomes and endorsements. Together, they define the citable surface a 2026 medspa website needs to populate before any other GEO work pays back.
This is also the layer where the medspa vertical converges with the analogous compliance-as-citation play in the financial-advisor vertical — the FINRA framing for RIAs is mechanically identical to the FTC framing for medspas. And it parallels the named-surgeon citation theft report, where state medical-board posture drives plastic-surgery citation share the same way it drives medspa citation share.
How compliance becomes citation lift via the entity graph
The technical mechanism is the entity graph. AI engines build a structured representation of every entity they encounter — the medspa as a MedicalBusiness, each provider as a Physician, each service as a MedicalProcedure, the medical director as a named Person with hasCredential linking to a verifiable license number. The richer that graph, the more retrievable the practice becomes on prompts where regulatory verification matters.
A compliant medspa publishes:
- MedicalBusiness with medicalSpecialty, address, telephone, and availableService.
- Physician blocks for each licensed practitioner with medicalSpecialty, availableService, hasCredential, and a sameAs link to the state-board verification page (Texas Medical Board, Texas Board of Nursing, Florida Department of Health, New York State Department of Education Office of the Professions).
- MedicalProcedure per service with procedureType, bodyLocation, preparation, and followup.
- FAQPage per procedure page that names the relevant state law, the practice’s licensure posture, and the safety implication for the patient.
- Review and AggregateRating nested inside the relevant MedicalBusiness or MedicalProcedure, with disclosure language compliant with the FTC December 2025 guidance.
That stack, populated honestly for a four-injector single-location medspa with twelve services, runs comfortably past 12,000 characters of JSON-LD. Wix Studio caps total on-page schema at 8,000 characters with a 7,000-character per-entry ceiling and natively supports only Article, Product, and Event presets — MedicalBusiness, Physician, Service, and FAQPage all require manual JSON-LD via Velo or the SEO panel. The cap forces a choice between the entity layers, and every choice loses citation share. The full breakdown lives in the Wix AI ceiling and in the platform-vs-AI citation guide for 2026.
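As an added example (not code from this page, Wix, or ConnectEra), the Node.js script below measures a set of JSON-LD blocks against the two size limits quoted above and flags Physician entries that lack hasCredential or an https sameAs link. The practice name, practitioners, license identifier and URLs are constructed placeholders, and auditSchema is a hypothetical helper name.

```javascript
// Added example (not the page's or Wix's code). Caps are the figures quoted above.
const TOTAL_CAP = 8000; // total on-page schema characters
const ENTRY_CAP = 7000; // per-entry ceiling

// Returns { total, findings } for an array of parsed JSON-LD objects.
function auditSchema(blocks) {
  const findings = [];
  let total = 0;
  blocks.forEach((block, i) => {
    const type = block['@type'];
    const size = JSON.stringify(block).length; // minified length
    total += size;
    if (size > ENTRY_CAP) {
      findings.push(`block ${i} (${type}): ${size} chars exceeds per-entry cap`);
    }
    if (type === 'Physician') {
      // hasCredential and sameAs may each be a single value or an array.
      const creds = [].concat(block.hasCredential || []);
      const links = [].concat(block.sameAs || []);
      if (creds.length === 0) {
        findings.push(`block ${i} (${block.name}): no hasCredential`);
      }
      if (!links.some((u) => typeof u === 'string' && u.startsWith('https://'))) {
        findings.push(`block ${i} (${block.name}): no https sameAs verification link`);
      }
    }
  });
  if (total > TOTAL_CAP) {
    findings.push(`total ${total} chars exceeds on-page cap`);
  }
  return { total, findings };
}

// Constructed sample data: names, license number and URLs are placeholders.
const SAMPLE = [
  { '@context': 'https://schema.org', '@type': 'MedicalBusiness', name: 'Example Medspa' },
  { '@context': 'https://schema.org', '@type': 'Physician', name: 'Dr. Example One',
    hasCredential: { '@type': 'EducationalOccupationalCredential',
      credentialCategory: 'license', identifier: 'PLACEHOLDER-0000' },
    sameAs: 'https://board.example/verify/PLACEHOLDER-0000' },
  { '@context': 'https://schema.org', '@type': 'Physician', name: 'Example Two, RN' },
];

console.log(auditSchema(SAMPLE));
```

Run it against the minified blocks you intend to publish; whitespace in pretty-printed JSON-LD counts toward a character limit, so measure the form that actually ships.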
Squarespace 7.1 is worse for medspas because Squarespace dominates the boutique medspa template market (per The MedSpa Society 2026 and Ambrose Marketing 2026). Schema is auto-injected for LocalBusiness and Person but not user-editable. There is no path to add MedicalBusiness or Physician cleanly. The canonical tag is locked. Median mobile LCP sits at 3.6 to 3.8 seconds. A boutique medspa that wants to publish its SB 378 or HB 1429 compliance posture in citable schema cannot do it on Squarespace 7.1 — see the Squarespace canonical trap for the full breakdown.
The migration target for a serious 2026 medspa is a static rebuild — Astro or Next.js — where the full schema stack ships server-rendered in the initial HTML response, every AI crawler sees the entire entity graph regardless of whether it executes JavaScript, and the regulatory FAQPage blocks update on the dates the laws take effect. ConnectEra’s standard medspa migration moves the practice from Squarespace 7.1 or Wix Studio to a static rebuild in seven to fourteen days. The citation graph compounds from there.
The 2026 medspa website audit, in seven steps
For a Texas, Florida, New York, or any other state-board-regulated medspa that takes both compliance and AI citation seriously, the audit order matters:
- Audit the medical-director disclosure. Public page, named physician, state license number, supervising-physician agreement date. Schema: Person + hasCredential + sameAs (state-board URL).
- Audit the injector roster. One Physician schema block per practitioner. License numbers verified. Roles mapped to scope-of-practice — what each practitioner is legally authorised to perform under SB 378 (Texas), HB 1429 (Florida), or the relevant statute in your state.
- Audit procedure pages against scope-of-practice. Each procedure page lists only practitioners legally authorised to perform that procedure. RN-versus-LVN authority, physician-delegation requirements, and corporate-practice-of-medicine restrictions vary by state — every procedure page reflects the practice’s actual licensure posture.
- Audit before-and-after photo content. Patient-context framing, typical-results disclaimers, individual-variation language, FTC-compliant disclosure for any influencer or paid-endorsement content. Synthetic testimonials removed.
- Audit the regulatory FAQPage. One block on the relevant procedure pages naming the state statute (SB 378, HB 1429, your state’s equivalent), the NYC December 2025 inspection finding as the regulatory benchmark, and the practice’s compliance posture.
- Audit the platform. Squarespace 7.1 and Wix Studio cannot ship the full schema stack. WordPress with a developer can. Webflow at the luxury tier handles it. Static rebuild on Astro or Next.js is the fix-once option for any practice that intends to publish weekly regulatory content.
- Audit the freshness cadence. State laws change. Inspection findings publish quarterly in most states. The compliance content updates on the dates the laws take effect — not annually as a one-off compliance review.
The compounding case is the same as the brand-citation case in the medspa AI visibility playbook. Compliance-positioned content earns recurring citation share on safety-of-procedure prompts, which sit upstream of the brand-decision and metro-procedure prompts that drive consult bookings. A practice that publishes its SB 378 or HB 1429 compliance posture, names its medical director, surfaces verified credentials in schema, and updates the content on the dates the regulatory cycle hits is the practice the engine reaches for when the prompt is regulatory.
The 2026 medspa enforcement triad — Texas SB 378, Florida HB 1429, NYC December 11 2025 — is the regulatory cluster every US medspa website should now be writing into. Compliant practices win the entity-graph trust signals AI engines weight.