Texas
💡 Last Updated October 2025. Written with contributions from both human authors and LLMs. If you find incorrect or outdated information let us know at support@optery.com.
Texas's TDPSA gives you the right to opt out of data brokers.
What the TDPSA does for you
As a Texas resident, the TDPSA gives you the right to know what personal data businesses collect about you, correct inaccuracies, delete your data, and opt out of its sale or use for targeted advertising. You can also request a portable copy of your data and opt out of automated profiling that affects major life decisions. These rights apply to most businesses — but not small businesses, nonprofits, or government agencies.
Your rights under the TDPSA
Right to Know
You have the right to confirm whether a business is processing your personal data and to access that data. You can submit a request to any covered business at any time to find out what they have about you.
Exceptions: Does not apply to deidentified data; Does not apply to publicly available information; Does not apply to data processed solely in a personal or household context; Business may decline if request is manifestly unfounded, excessive, or repetitive; Business may charge a fee for requests beyond two per year.
Source: Tex. Bus. & Com. Code § 541.051(b)(1)
Right to Delete
You have the right to request that a business delete personal data it has collected about you or obtained from other sources. The business must honor your request or, for data obtained from third parties, may instead stop processing that data for non-exempt purposes.
Exceptions: Does not apply to data needed to complete a transaction you requested; Does not apply to data needed for security incident response or fraud prevention; Does not apply to data required to be retained by law; Does not apply to pseudonymous data where identifying info is kept separately; Business may decline if request is manifestly unfounded, excessive, or repetitive.
Source: Tex. Bus. & Com. Code § 541.051(b)(3)
Right to Correct
You have the right to ask a business to correct inaccurate personal data it holds about you. The business will take into account the nature of the data and the purposes for which it is processed when deciding how to make corrections.
Exceptions: Business may consider nature and purpose of data when determining how to correct; Does not apply to pseudonymous data where identifying info is kept separately.
Source: Tex. Bus. & Com. Code § 541.051(b)(2)
Right to Opt Out of Sales
You have the right to opt out of a business selling your personal data — meaning sharing or transferring it to third parties for money or other valuable consideration. If a business sells your data, it must clearly disclose this and provide a way for you to opt out.
Exceptions: Does not apply to disclosures to processors acting on the controller's behalf; Does not apply to disclosures needed to provide a product or service you requested; Does not apply to transfers to affiliates; Does not apply to transfers as part of a merger or acquisition; Does not apply to information you intentionally made public.
Source: Tex. Bus. & Com. Code § 541.051(b)(5)(B)
Right to Opt Out of Processing
You have the right to opt out of your personal data being used for targeted advertising — ads selected based on your activity across different websites and apps over time.
Exceptions: Does not apply to ads based solely on activity within a controller's own websites or apps; Does not apply to ads based on the context of a current search query or website visit; Does not apply to processing solely for measuring advertising performance.
Source: Tex. Bus. & Com. Code § 541.051(b)(5)(A)
Right to Opt Out of Automated Decisions
You have the right to opt out of your personal data being used for solely automated profiling that produces decisions with legal or similarly significant effects — such as decisions about loans, housing, insurance, employment, education enrollment, or access to basic necessities.
Exceptions: Applies only to profiling in furtherance of decisions with legal or similarly significant effects; Does not apply to profiling that involves human review as part of the decision.
Source: Tex. Bus. & Com. Code § 541.051(b)(5)(C)
Right to Data Portability
If a business holds your personal data in digital format, you can request a copy in a portable, easy-to-use format so you can transfer it to another business. The business must provide this at least twice a year free of charge.
Exceptions: Only applies to data available in a digital format; Only covers data you previously provided to the controller; Portability is limited to what is technically feasible; Business may charge a fee for requests beyond two per year if manifestly excessive.
Source: Tex. Bus. & Com. Code § 541.051(b)(4)
Right to Non-Discrimination
A business cannot discriminate against you for exercising your privacy rights. This means it cannot deny you goods or services, charge you different prices, or give you a lower quality of service because you exercised your rights under this law.
Exceptions: A business may offer different prices or benefits if you voluntarily participate in a loyalty, rewards, or club card program; A business is not required to offer a product or service that requires data you chose not to provide.
Source: Tex. Bus. & Com. Code § 541.101(b)(3)
Right to Limit Sensitive Data
Businesses must obtain your consent before processing your sensitive personal data — including information about your race, religion, health, sexual orientation, immigration status, biometrics, precise location, or data about children. You have the right to withhold this consent.
Exceptions: Small businesses must also obtain consent before selling sensitive data, even if other provisions do not apply to them; Processing of sensitive data of known children must comply with COPPA requirements.
Source: Tex. Bus. & Com. Code § 541.101(b)(4)
How to exercise your rights
- See which data brokers have your information. Optery scans 200+ brokers to show you what’s exposed. Start a free scan →
- Submit a TDPSA deletion or opt-out request. Covered businesses have 45 days to respond (Tex. Bus. & Com. Code § 541.052), with up to 45 additional days if they invoke the extension provision.
- Let Optery automate the whole process. We submit opt-out and deletion requests on your behalf, track compliance, and resubmit whenever brokers re-add your data. Sign up free →
Authorized agents
The TDPSA mentions authorized agents only in the context of opt-out requests (Tex. Bus. & Com. Code Ann. § 541.001 et seq.). Data brokers may choose to — but are not required to — honor deletion requests submitted by an authorized agent. In practice, many brokers do accept agent-submitted deletion requests. Optery handles both types on your behalf where permitted.
Enforcement and penalties
The TDPSA is enforced by Texas Attorney General. If a business violates this law and doesn't fix the problem within the 30-day cure period, the Texas Attorney General can sue and collect a civil penalty of up to $7,500 per violation. The AG can also seek injunctions to stop ongoing violations and recover attorney's fees and investigation costs. There is no private right of action — individual consumers cannot sue directly.
Who does the TDPSA apply to?
This law applies to businesses that conduct business in Texas or offer products and services to Texas residents, process or sell personal data, and are NOT classified as a small business under U.S. Small Business Administration definitions. Exempt from coverage are state and local government agencies, financial institutions under the Gramm-Leach-Bliley Act, HIPAA-covered health entities, nonprofit organizations, institutions of higher education, and electric utilities. Small businesses are still prohibited from selling sensitive personal data without consumer consent.
Frequently asked questions
Does this Texas privacy law apply to every business that has my data?
No — it only applies to businesses that conduct operations in Texas or target Texas residents, and that are not classified as a small business under U.S. Small Business Administration definitions (Tex. Bus. & Com. Code § 541.002). Nonprofit organizations, government agencies, HIPAA-covered health entities, financial institutions subject to the Gramm-Leach-Bliley Act, colleges and universities, and electric utilities are all exempt from most of the law's requirements.
How long does a business have to respond to my request?
A covered business must respond to your privacy request within 45 days of receiving it (Tex. Bus. & Com. Code § 541.052(b)). If your request is complex or you've submitted multiple requests, the business may extend this deadline by an additional 45 days, but it must notify you of the extension and the reason within the initial 45-day window.
What happens if a business refuses my request or denies my appeal?
If a business declines your request, it must tell you why within 45 days and explain how to appeal (Tex. Bus. & Com. Code § 541.052(c)). If you appeal and the business still denies it, the business must provide you with a link or information to contact the Texas Attorney General and submit a complaint (Tex. Bus. & Com. Code § 541.053(d)).
Can I sue a business myself if it violates my privacy rights?
No. Texas law explicitly states there is no private right of action under this chapter — meaning you cannot file a lawsuit directly against a business for violating your privacy rights (Tex. Bus. & Com. Code § 541.156). Only the Texas Attorney General can bring enforcement actions, with penalties of up to $7,500 per violation (Tex. Bus. & Com. Code § 541.155(a)).
Can I use an authorized agent to submit an opt-out request on my behalf?
Yes, but only for opt-out requests — specifically to opt out of the sale of your personal data or targeted advertising (Tex. Bus. & Com. Code § 541.055(e)). You can designate an authorized agent using a technology such as a browser setting, browser extension, or a global device setting. The business must be able to verify both your identity and the agent's authority to act for you before honoring the request.