Texas
💡 Last Updated October 2025. Written with contributions from both human authors and LLMs. If you find incorrect or outdated information let us know at support@optery.com.
The following is an explanation of consumer personal rights and business requirements established by Chapter 541 of the Texas Business and Commerce Code (Consumer Data Protection), which takes effect July 1, 2024.
Note: This content was created with a combination of human authors and LLMs, Perplexity AI and NotebookLM. LLMs can make mistakes. Please double-check the information.
The only type of request submitted by authorized agents that controllers are required to grant under the TDPSA is an opt-out request. Controllers can choose to honor deletion requests or other privacy requests from an authorized agent on behalf of a consumer, but the TDPSA does not require the controller to honor those requests.
Personal Rights (Consumer Rights)
A consumer, defined as an individual who is a resident of Texas acting only in an individual or household context, is entitled to exercise the rights below by submitting an authenticated request to a controller.
| Right | Explanation |
|---|---|
| Right to know what data is collected about me? | Yes. A consumer has the right to confirm whether a controller is processing the consumer’s personal data and to access that personal data. Furthermore, if the data is available in a digital format, the consumer has the right to obtain a copy of the personal data that the consumer previously provided to the controller in a portable and, if technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance. |
| Right to delete my personal information? | Yes. A consumer has the right to delete personal data provided by or obtained about the consumer. If a controller obtained the data from a source other than the consumer, the controller is considered compliant with the deletion request if they either: 1) retain a record of the deletion request and the minimum data necessary to ensure the personal data remains deleted from business records, without using the retained data for any other purpose; or 2) opt the consumer out of the processing of that personal data for any purpose other than an exempt purpose under the chapter. |
| Right to opt out of data sales? | Yes. A consumer has the right to opt out of the processing of personal data for purposes of the sale of personal data. A consumer may designate another person as an authorized agent to opt out on their behalf, potentially using technology like an Internet browser setting, link, or global setting on an electronic device, provided the controller can verify the identity and the agent’s authority. |
| Right to correct inaccurate data about me? | Yes. A consumer has the right to correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes for which it is processed. |
| Right to non-discrimination? | Yes. A controller may not discriminate against a consumer for exercising any of the consumer rights outlined in the chapter. This prohibition includes denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer. However, this non-discrimination rule does not prevent a controller from offering a different price, rate, level, quality, or selection of goods or services if the offer is related to a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program, especially if the consumer has exercised their right to opt out. |
Business Requirements (Controller Duties)
In Texas, which companies must comply with the law?
Chapter 541 applies only to a person that:
- Conducts business in this state or produces a product or service consumed by residents of this state.
- Processes or engages in the sale of personal data.
- Is not a small business as defined by the United States Small Business Administration, except for specific requirements outlined in Section 541.107 regarding the sale of sensitive data.
The chapter does not apply to several types of entities, including:
- A state agency or a political subdivision of this state.
- A financial institution or data subject to Title V of the Gramm-Leach-Bliley Act.
- A covered entity or business associate governed by HIPAA privacy, security, and breach notification rules.
- A nonprofit organization.
- An institution of higher education.
- An electric utility, power generation company, or retail electric provider.
In Texas, what are the notice and transparency requirements for companies?
Controllers are required to establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data involved. Controllers also must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed processing purposes.
A controller must provide consumers with a reasonably accessible and clear privacy notice that must include:
- The categories of personal data processed, including any sensitive data processed (if applicable).
- The purpose for processing personal data.
- How consumers may exercise their consumer rights, including the process for appealing a controller’s decision.
- The categories of personal data that the controller shares with third parties (if applicable).
- The categories of third parties with whom the controller shares personal data (if applicable).
- A description of the methods required for consumers to submit requests to exercise their rights.
Specific Disclosure Requirements:
- If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose that process and the manner in which a consumer may exercise the right to opt out.
- If a controller sells sensitive data, the privacy notice must include the statement: “NOTICE: We may sell your sensitive personal data.”
- If a controller sells biometric data, the privacy notice must include the statement: “NOTICE: We may sell your biometric personal data.”
In Texas, what are the consumer request response procedures?
Methods of Submission: A controller must establish two or more secure and reliable methods for consumers to submit requests to exercise their rights. If the controller maintains an Internet website, they must provide a mechanism on the website for consumers to submit requests, unless the controller operates exclusively online and has a direct relationship with the consumer, in which case an e-mail address may be sufficient.
Response Timeline and Fees:
- A controller must respond to an authenticated consumer request without undue delay, and no later than the 45th day after receiving the request.
- The controller may extend the response period once by an additional 45 days if reasonably necessary, provided the controller informs the consumer of the extension and the reason within the initial 45-day period.
- The information provided in response to a request must be free of charge, at least twice annually per consumer.
- If a request is manifestly unfounded, excessive, or repetitive, the controller may charge a reasonable administrative fee or decline the request, though the controller bears the burden of demonstrating this characterization.
Handling Denials and Appeals:
- If a controller declines to take action on a request, they must inform the consumer within 45 days of receipt of the request, providing the justification for the denial and instructions on how to appeal the decision.
- A controller must establish a process for a consumer to appeal the refusal within a reasonable period.
- The controller must inform the consumer in writing of the appeal decision, including a written explanation of the reason(s), no later than the 60th day after receipt of the appeal.
- If the appeal is denied, the controller must provide the consumer with the online mechanism (maintained by the attorney general) through which the consumer may submit a complaint.
In Texas, what are the security and breach notification rules?
Controller Duties: A controller must establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue, for the purpose of protecting the confidentiality, integrity, and accessibility of personal data.
Processor Duties: A processor must adhere to the controller’s instructions and assist the controller in meeting their duties, including:
- Assisting the controller with regard to complying with requirements relating to the security of processing personal data.
- Assisting the controller with requirements relating to the notification of a breach of security of the processor’s system under Chapter 521.
Contract Requirements: Contracts between a controller and a processor must include certain requirements, such as requiring the processor to ensure that individuals processing personal data are subject to a duty of confidentiality, and requiring the processor to assist the controller in making information available to demonstrate the processor’s compliance.
Last Updated August 2025. Written with contributions from both human authors and Perplexity AI. If you find incorrect or outdated information let us know at support@optery.com.