Texas
💡 Last Updated October 2025. Written with contributions from both human authors and LLMs. If you find incorrect or outdated information let us know at support@optery.com.
The following is an explanation of the consumer rights and business obligations established by Chapter 541 of the Texas Business and Commerce Code (Consumer Data Protection, commonly called the Texas Data Privacy and Security Act, or TDPSA), which took effect July 1, 2024.
Note: This content was created with a combination of human authors and LLMs, Perplexity AI and NotebookLM. LLMs can make mistakes. Please double-check the information. Do you want to chat with Texas law full text? You can access Optery’s NotebookLM for Texas here (Requires Google account).
Personal Rights (Consumer Rights)
A consumer, defined as an individual who is a resident of Texas acting only in an individual or household context (not in a commercial or employment context), may exercise the rights below by submitting an authenticated request to a controller. A controller that cannot authenticate a request using commercially reasonable efforts is not required to act on it and may ask the consumer for additional information reasonably necessary to authenticate the request.
| Right | Explanation |
|---|---|
| Right to know what data is collected about me? | Yes. A consumer has the right to confirm whether a controller is processing the consumer’s personal data and to access that personal data. Furthermore, if the data is available in a digital format, the consumer has the right to obtain a copy of the personal data that the consumer previously provided to the controller in a portable and, if technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance. |
| Right to delete my personal information? | Yes. A consumer has the right to delete personal data provided by or obtained about the consumer. If a controller obtained the data from a source other than the consumer, the controller is considered compliant with the deletion request if they either: 1) retain a record of the deletion request and the minimum data necessary to ensure the personal data remains deleted from business records, without using the retained data for any other purpose; or 2) opt the consumer out of the processing of that personal data for any purpose other than an exempt purpose under the chapter. |
| Right to opt out of data sales? | Yes. A consumer has the right to opt out of the processing of personal data for purposes of the sale of personal data. The same opt-out right covers processing for targeted advertising and for profiling in furtherance of a decision that produces a legal or similarly significant effect on the consumer. A consumer may designate another person as an authorized agent to opt out on their behalf, including through a technology such as an Internet link or browser setting, a browser extension, or a global setting on an electronic device, provided the controller can verify, with commercially reasonable effort, the consumer’s identity and the agent’s authority to act. |
| Right to correct inaccurate data about me? | Yes. A consumer has the right to correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes for which it is processed. |
| Right to non-discrimination? | Yes. A controller may not discriminate against a consumer for exercising any of the consumer rights outlined in the chapter. This prohibition includes denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer. However, the rule does not prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services (including goods or services for no fee) if the consumer has exercised the right to opt out under Section 541.051, or if the offer is related to the consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program. |
Business Requirements (Controller Duties)
In Texas, which companies must comply with the law?
Chapter 541 applies only to a person that:
- Conducts business in this state or produces a product or service consumed by residents of this state.
- Processes or engages in the sale of personal data.
- Is not a small business as defined by the United States Small Business Administration. The one exception is Section 541.107: a small business is still prohibited from selling sensitive data without first obtaining the consumer’s consent.
The chapter does not apply to several types of entities, including:
- A state agency or a political subdivision of this state.
- A financial institution or data subject to Title V of the Gramm-Leach-Bliley Act.
- A covered entity or business associate governed by HIPAA privacy, security, and breach notification rules.
- A nonprofit organization.
- An institution of higher education.
- An electric utility, power generation company, or retail electric provider.
In Texas, what are the notice and transparency requirements for companies?
Alongside its notice obligations, a controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes disclosed to the consumer, and must maintain reasonable data security practices appropriate to the volume and nature of the data (detailed in the Security section below).
A controller must provide consumers with a reasonably accessible and clear privacy notice that must include:
- The categories of personal data processed, including any sensitive data processed (if applicable).
- The purpose for processing personal data.
- How consumers may exercise their consumer rights, including the process for appealing a controller’s decision.
- The categories of personal data that the controller shares with third parties (if applicable).
- The categories of third parties with whom the controller shares personal data (if applicable).
- A description of the methods required for consumers to submit requests to exercise their rights.
Specific Disclosure Requirements:
- If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose that process and the manner in which a consumer may exercise the right to opt out.
- If a controller sells sensitive data, the privacy notice must include the statement: “NOTICE: We may sell your sensitive personal data.”
- If a controller sells biometric data, the privacy notice must include the statement: “NOTICE: We may sell your biometric personal data.”
In Texas, what are the consumer request response procedures?
Methods of Submission: A controller must establish two or more secure and reliable methods for consumers to submit requests to exercise their rights. If the controller maintains an Internet website, it must provide a mechanism on the website for consumers to submit requests, unless the controller operates exclusively online and has a direct relationship with the consumer, in which case an e-mail address may be sufficient. A controller may not require a consumer to create a new account to exercise a right, though it may require the consumer to use an existing account.
Response Timeline and Fees:
- A controller must respond to an authenticated consumer request without undue delay, and no later than the 45th day after receiving the request.
- The controller may extend the response period once by an additional 45 days if reasonably necessary, provided the controller informs the consumer of the extension and the reason within the initial 45-day period.
- The information provided in response to a request must be free of charge, at least twice annually per consumer.
- If a request is manifestly unfounded, excessive, or repetitive, the controller may charge a reasonable administrative fee or decline the request, though the controller bears the burden of demonstrating this characterization.
Handling Denials and Appeals:
- If a controller declines to take action on a request, they must inform the consumer within 45 days of receipt of the request, providing the justification for the denial and instructions on how to appeal the decision.
- A controller must establish a process for a consumer to appeal the refusal within a reasonable period.
- The controller must inform the consumer in writing of the appeal decision, including a written explanation of the reason(s), no later than the 60th day after receipt of the appeal.
- If the appeal is denied, the controller must provide the consumer with the online mechanism (maintained by the attorney general) through which the consumer may submit a complaint.
In Texas, what are the security and breach notification rules?
Controller Duties: A controller must establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue, for the purpose of protecting the confidentiality, integrity, and accessibility of personal data. Chapter 541 does not itself set breach-notification deadlines; breach notification in Texas is governed by Chapter 521 of the Business and Commerce Code (the Identity Theft Enforcement and Protection Act), which Chapter 541 references in the processor duties below.
Processor Duties: A processor must adhere to the controller’s instructions and assist the controller in meeting their duties, including:
- Assisting the controller with regard to complying with requirements relating to the security of processing personal data.
- Assisting the controller with requirements relating to the notification of a breach of security of the processor’s system under Chapter 521.
Contract Requirements: Contracts between a controller and a processor must include certain requirements, such as requiring the processor to ensure that individuals processing personal data are subject to a duty of confidentiality, and requiring the processor to assist the controller in making information available to demonstrate the processor’s compliance.
Sources and Citations
Texas Privacy Law Mindmap
Texas Privacy Law Mindmap JSON
{
"name": "Texas Consumer Data Protection (BC 541)",
"children": [
{
"name": "Applicability and Exemptions",
"children": [
{
"name": "Applies To Persons That:",
"children": [
{
"name": "Conduct business in Texas or produce service for Texas residents",
"children": []
},
{
"name": "Process or sell personal data",
"children": []
},
{
"name": "Are NOT small businesses (except for 541.107)",
"children": [
{
"name": "Targeted advertising",
"children": []
},
{
"name": "Sale of personal data",
"children": []
},
{
"name": "Profiling (producing legal/significant effect)",
"children": []
},
{
"name": "Cures violation within 30 days",
"children": []
},
{
"name": "Provides written statement detailing cure and policy changes",
"children": []
}
]
}
]
},
{
"name": "Entities NOT Subject to Chapter",
"children": [
{
"name": "State agency or political subdivision",
"children": []
},
{
"name": "Financial institutions (GLBA data)",
"children": []
},
{
"name": "HIPAA covered entities/business associates",
"children": []
},
{
"name": "Nonprofit organizations",
"children": []
},
{
"name": "Institutions of higher education",
"children": []
},
{
"name": "Electric utilities/power generation companies",
"children": []
},
{
"name": "Purely personal or household activity",
"children": []
},
{
"name": "Protected health information (HIPAA)",
"children": []
},
{
"name": "Health records",
"children": [
{
"name": "Targeted advertising",
"children": []
},
{
"name": "Sale of personal data",
"children": []
},
{
"name": "Profiling (producing legal/significant effect)",
"children": []
},
{
"name": "Cures violation within 30 days",
"children": []
},
{
"name": "Provides written statement detailing cure and policy changes",
"children": []
}
]
}
]
},
{
"name": "Information Exempt from Chapter",
"children": [
{
"name": "Patient identifying information (42 U.S.C. 290dd-2)",
"children": []
},
{
"name": "Identifiable private information (Human Subjects Research)",
"children": []
},
{
"name": "Information for Health Care Quality Improvement Act",
"children": []
},
{
"name": "Patient safety work product",
"children": []
},
{
"name": "Deidentified health care information",
"children": []
},
{
"name": "Information intermingled with exempt data",
"children": []
},
{
"name": "Limited data set (45 C.F.R. 164.514(e))",
"children": []
},
{
"name": "Public health activities data",
"children": []
},
{
"name": "Data regulated by Fair Credit Reporting Act (FCRA)",
"children": []
},
{
"name": "Data regulated by Driver's Privacy Protection Act (DPPA)",
"children": []
},
{
"name": "Data regulated by Family Educational Rights and Privacy Act (FERPA)",
"children": []
},
{
"name": "Data regulated by Farm Credit Act",
"children": []
},
{
"name": "Employment/agent/contractor data (context of role)",
"children": []
},
{
"name": "Emergency contact information",
"children": []
},
{
"name": "Data necessary to administer benefits for others",
"children": []
},
{
"name": "Information linked to an identified or identifiable individual",
"children": []
},
{
"name": "Includes sensitive data",
"children": []
},
{
"name": "Includes pseudonymous data (if linkable with additional info)",
"children": []
},
{
"name": "Excludes: Deidentified data, Publicly available information",
"children": []
},
{
"name": "Racial or ethnic origin",
"children": []
},
{
"name": "Religious beliefs",
"children": []
},
{
"name": "Mental or physical health diagnosis",
"children": []
},
{
"name": "Sexuality, citizenship, or immigration status",
"children": []
},
{
"name": "Genetic or biometric data (for unique ID)",
"children": []
},
{
"name": "Personal data collected from a known child",
"children": []
},
{
"name": "Precise geolocation data (within 1,750 feet)",
"children": []
},
{
"name": "Individual resident of Texas",
"children": []
},
{
"name": "Acting only in individual or household context",
"children": []
},
{
"name": "Excludes: Individual acting in commercial or employment context",
"children": []
},
{
"name": "Controller: Determines purpose/means of processing personal data",
"children": []
},
{
"name": "Processor: Processes data on behalf of a controller",
"children": []
},
{
"name": "Freely given, specific, informed, unambiguous agreement",
"children": []
},
{
"name": "Excludes: Acceptance of broad terms of use",
"children": []
},
{
"name": "Excludes: Hovering, muting, pausing, or closing content",
"children": []
},
{
"name": "Excludes: Agreement obtained through dark patterns",
"children": []
},
{
"name": "Ads based on activities across nonaffiliated websites/apps",
"children": []
},
{
"name": "Used to predict consumer preferences/interests",
"children": []
},
{
"name": "Excludes: Activities within controller's own sites",
"children": []
},
{
"name": "Excludes: Based on current search context",
"children": []
},
{
"name": "Sharing, disclosing, or transferring for monetary or valuable consideration",
"children": []
},
{
"name": "Exclusions: Disclosure to a processor",
"children": []
},
{
"name": "Exclusions: Disclosure for product/service requested by consumer",
"children": []
},
{
"name": "Exclusions: Disclosure to an affiliate",
"children": []
},
{
"name": "Exclusions: Data intentionally made public by consumer",
"children": []
},
{
"name": "Exclusions: Data transferred as part of merger/acquisition",
"children": []
},
{
"name": "Secure and reliable methods (e.g., website mechanism, email)",
"children": []
},
{
"name": "Cannot require new account creation",
"children": []
},
{
"name": "Authorized agent allowed to opt out (must be verifiable)",
"children": []
},
{
"name": "Confirm processing and access personal data",
"children": []
},
{
"name": "Correct inaccuracies",
"children": []
},
{
"name": "Delete personal data",
"children": []
},
{
"name": "Obtain portable, readily usable copy (digital format)",
"children": [
{
"name": "Targeted advertising",
"children": []
}
]
},
{
"name": "Opt Out of Processing for:",
"children": [
{
"name": "Sale of personal data",
"children": []
}
]
},
{
"name": "Respond within 45 days (extendable by 45 days with notice)",
"children": [
{
"name": "Profiling (producing legal/significant effect)",
"children": []
}
]
},
{
"name": "Provide information free of charge (at least twice annually)",
"children": []
},
{
"name": "Can deny/charge fee if request is unfounded, excessive, or repetitive",
"children": []
},
{
"name": "Must justify declining action and provide appeal instructions",
"children": []
},
{
"name": "If unauthenticated, controller is not required to comply",
"children": []
},
{
"name": "Controller must establish appeal process (conspicuously available)",
"children": []
},
{
"name": "Controller must respond to appeal within 60 days (in writing)",
"children": []
},
{
"name": "If appeal denied, provide mechanism to contact Attorney General",
"children": []
},
{
"name": "Limit collection to adequate, relevant, and necessary data",
"children": []
},
{
"name": "Maintain reasonable administrative, technical, and physical security practices",
"children": []
},
{
"name": "Do not process sensitive data without consumer consent (or COPPA compliance for children)",
"children": []
},
{
"name": "Do not process for incompatible purposes without consent",
"children": []
},
{
"name": "Do not discriminate against consumers for exercising rights",
"children": []
},
{
"name": "Must be reasonably accessible and clear",
"children": []
},
{
"name": "Include categories of personal data processed (and sensitive data)",
"children": []
},
{
"name": "Include purpose for processing",
"children": []
},
{
"name": "Describe how to exercise consumer rights and appeal process",
"children": []
},
{
"name": "If applicable, categories of data shared/categories of third parties",
"children": []
},
{
"name": "Conspicuous notice required for sale of sensitive data",
"children": []
},
{
"name": "Conspicuous notice required for sale of biometric data",
"children": []
},
{
"name": "Required for: Targeted advertising, Data sale, High-risk profiling, Sensitive data processing",
"children": []
},
{
"name": "Must weigh benefits vs. potential risks (mitigated by safeguards)",
"children": []
},
{
"name": "Confidential and exempt from public inspection",
"children": []
},
{
"name": "Single DPA may cover comparable operations",
"children": []
},
{
"name": "Compliance with other laws may suffice if scope is comparable",
"children": []
},
{
"name": "Adhere to controller instructions",
"children": []
},
{
"name": "Assist controller with consumer requests, security, and breach notification",
"children": []
},
{
"name": "Provide info for controller's DPAs",
"children": []
},
{
"name": "Contract requirements: Clear instructions, confidentiality, data return/deletion (at end of service), cooperation with assessments",
"children": []
},
{
"name": "Controller must take reasonable measures against reidentification",
"children": []
},
{
"name": "Publicly commit to not reidentifying",
"children": []
},
{
"name": "Contractually obligate recipients to comply with provisions",
"children": []
},
{
"name": "Controller not required to reidentify data to comply with requests",
"children": []
},
{
"name": "Maintain website with consumer rights/controller duties info",
"children": []
},
{
"name": "Provide online complaint mechanism",
"children": []
},
{
"name": "Issue civil investigative demand (CID)",
"children": []
},
{
"name": "May request Data Protection Assessment via CID",
"children": []
},
{
"name": "AG must notify person of alleged violation (30 days prior to action)",
"children": []
},
{
"name": "AG cannot bring action if person:",
"children": [
{
"name": "Cures violation within 30 days",
"children": []
},
{
"name": "Provides written statement detailing cure and policy changes",
"children": []
}
]
},
{
"name": "Civil penalty: Up to $7,500 per violation (if cure period breached)",
"children": []
},
{
"name": "AG may recover penalty, seek injunction, and recover attorney's fees",
"children": []
}
]
}
]
},
{
"name": "Key Definitions",
"children": [
{
"name": "Personal Data",
"children": [
{
"name": "Conduct business in Texas or produce service for Texas residents",
"children": []
},
{
"name": "Process or sell personal data",
"children": []
},
{
"name": "Are NOT small businesses (except for 541.107)",
"children": []
},
{
"name": "State agency or political subdivision",
"children": []
},
{
"name": "Financial institutions (GLBA data)",
"children": []
},
{
"name": "HIPAA covered entities/business associates",
"children": []
},
{
"name": "Nonprofit organizations",
"children": []
},
{
"name": "Institutions of higher education",
"children": []
},
{
"name": "Electric utilities/power generation companies",
"children": []
},
{
"name": "Purely personal or household activity",
"children": []
},
{
"name": "Protected health information (HIPAA)",
"children": []
},
{
"name": "Health records",
"children": []
},
{
"name": "Patient identifying information (42 U.S.C. 290dd-2)",
"children": []
},
{
"name": "Identifiable private information (Human Subjects Research)",
"children": []
},
{
"name": "Information for Health Care Quality Improvement Act",
"children": []
},
{
"name": "Patient safety work product",
"children": []
},
{
"name": "Deidentified health care information",
"children": []
},
{
"name": "Information intermingled with exempt data",
"children": []
},
{
"name": "Limited data set (45 C.F.R. 164.514(e))",
"children": []
},
{
"name": "Public health activities data",
"children": []
},
{
"name": "Data regulated by Fair Credit Reporting Act (FCRA)",
"children": []
},
{
"name": "Data regulated by Driver's Privacy Protection Act (DPPA)",
"children": []
},
{
"name": "Data regulated by Family Educational Rights and Privacy Act (FERPA)",
"children": []
},
{
"name": "Data regulated by Farm Credit Act",
"children": []
},
{
"name": "Employment/agent/contractor data (context of role)",
"children": []
},
{
"name": "Emergency contact information",
"children": []
},
{
"name": "Data necessary to administer benefits for others",
"children": []
},
{
"name": "Information linked to an identified or identifiable individual",
"children": []
},
{
"name": "Includes sensitive data",
"children": []
},
{
"name": "Includes pseudonymous data (if linkable with additional info)",
"children": []
},
{
"name": "Excludes: Deidentified data, Publicly available information",
"children": [
{
"name": "Targeted advertising",
"children": []
},
{
"name": "Sale of personal data",
"children": []
},
{
"name": "Profiling (producing legal/significant effect)",
"children": []
},
{
"name": "Cures violation within 30 days",
"children": []
},
{
"name": "Provides written statement detailing cure and policy changes",
"children": []
}
]
}
]
},
{
"name": "Sensitive Data",
"children": [
{
"name": "Racial or ethnic origin",
"children": []
},
{
"name": "Religious beliefs",
"children": []
},
{
"name": "Mental or physical health diagnosis",
"children": []
},
{
"name": "Sexuality, citizenship, or immigration status",
"children": []
},
{
"name": "Genetic or biometric data (for unique ID)",
"children": []
},
{
"name": "Personal data collected from a known child",
"children": [
{
"name": "Targeted advertising",
"children": []
},
{
"name": "Sale of personal data",
"children": []
},
{
"name": "Profiling (producing legal/significant effect)",
"children": []
},
{
"name": "Cures violation within 30 days",
"children": []
},
{
"name": "Provides written statement detailing cure and policy changes",
"children": []
}
]
}
]
},
{
"name": "Consumer",
"children": [
{
"name": "Precise geolocation data (within 1,750 feet)",
"children": []
},
{
"name": "Individual resident of Texas",
"children": []
},
{
"name": "Acting only in individual or household context",
"children": []
},
{
"name": "Excludes: Individual acting in commercial or employment context",
"children": [
{
"name": "Targeted advertising",
"children": []
},
{
"name": "Sale of personal data",
"children": []
},
{
"name": "Profiling (producing legal/significant effect)",
"children": []
},
{
"name": "Cures violation within 30 days",
"children": []
},
{
"name": "Provides written statement detailing cure and policy changes",
"children": []
}
]
}
]
},
{
"name": "Controller/Processor",
"children": [
{
"name": "Controller: Determines purpose/means of processing personal data",
"children": []
},
{
"name": "Processor: Processes data on behalf of a controller",
"children": [
{
"name": "Targeted advertising",
"children": []
},
{
"name": "Sale of personal data",
"children": []
},
{
"name": "Profiling (producing legal/significant effect)",
"children": []
},
{
"name": "Cures violation within 30 days",
"children": []
},
{
"name": "Provides written statement detailing cure and policy changes",
"children": []
}
]
}
]
},
{
"name": "Consent (Clear Affirmative Act)",
"children": [
{
"name": "Freely given, specific, informed, unambiguous agreement",
"children": []
},
{
"name": "Excludes: Acceptance of broad terms of use",
"children": []
},
{
"name": "Excludes: Hovering, muting, pausing, or closing content",
"children": []
},
{
"name": "Excludes: Agreement obtained through dark patterns",
"children": [
{
"name": "Targeted advertising",
"children": []
},
{
"name": "Sale of personal data",
"children": []
},
{
"name": "Profiling (producing legal/significant effect)",
"children": []
},
{
"name": "Cures violation within 30 days",
"children": []
},
{
"name": "Provides written statement detailing cure and policy changes",
"children": []
}
]
}
]
},
{
"name": "Targeted Advertising",
"children": [
{
"name": "Ads based on activities across nonaffiliated websites/apps",
"children": []
},
{
"name": "Used to predict consumer preferences/interests",
"children": []
},
{
"name": "Excludes: Activities within controller's own sites",
"children": []
},
{
"name": "Excludes: Based on current search context",
"children": []
},
{
"name": "Sharing, disclosing, or transferring for monetary or valuable consideration",
"children": []
},
{
"name": "Exclusions: Disclosure to a processor",
"children": []
},
{
"name": "Exclusions: Disclosure for product/service requested by consumer",
"children": []
},
{
"name": "Exclusions: Disclosure to an affiliate",
"children": []
},
{
"name": "Exclusions: Data intentionally made public by consumer",
"children": []
},
{
"name": "Exclusions: Data transferred as part of merger/acquisition",
"children": []
},
{
"name": "Secure and reliable methods (e.g., website mechanism, email)",
"children": []
},
{
"name": "Cannot require new account creation",
"children": []
},
{
"name": "Authorized agent allowed to opt out (must be verifiable)",
"children": []
},
{
"name": "Confirm processing and access personal data",
"children": []
},
{
"name": "Correct inaccuracies",
"children": []
},
{
"name": "Delete personal data",
"children": []
},
{
"name": "Obtain portable, readily usable copy (digital format)",
"children": [
{
"name": "Targeted advertising",
"children": []
}
]
},
{
"name": "Opt Out of Processing for:",
"children": [
{
"name": "Sale of personal data",
"children": []
}
]
},
{
"name": "Respond within 45 days (extendable by 45 days with notice)",
"children": [
{
"name": "Profiling (producing legal/significant effect)",
"children": []
}
]
},
{
"name": "Provide information free of charge (at least twice annually)",
"children": []
},
{
"name": "Can deny/charge fee if request is unfounded, excessive, or repetitive",
"children": []
},
{
"name": "Must justify declining action and provide appeal instructions",
"children": []
},
{
"name": "If unauthenticated, controller is not required to comply",
"children": []
},
{
"name": "Controller must establish appeal process (conspicuously available)",
"children": []
},
{
"name": "Controller must respond to appeal within 60 days (in writing)",
"children": []
},
{
"name": "If appeal denied, provide mechanism to contact Attorney General",
"children": []
},
{
"name": "Limit collection to adequate, relevant, and necessary data",
"children": []
},
{
"name": "Maintain reasonable administrative, technical, and physical security practices",
"children": []
},
{
"name": "Do not process sensitive data without consumer consent (or COPPA compliance for children)",
"children": []
},
{
"name": "Do not process for incompatible purposes without consent",
"children": []
},
{
"name": "Do not discriminate against consumers for exercising rights",
"children": []
},
{
"name": "Must be reasonably accessible and clear",
"children": []
},
{
"name": "Include categories of personal data processed (and sensitive data)",
"children": []
},
{
"name": "Include purpose for processing",
"children": []
},
{
"name": "Describe how to exercise consumer rights and appeal process",
"children": []
},
{
"name": "If applicable, categories of data shared/categories of third parties",
"children": []
},
{
"name": "Conspicuous notice required for sale of sensitive data",
"children": []
},
{
"name": "Conspicuous notice required for sale of biometric data",
"children": []
},
{
"name": "Required for: Targeted advertising, Data sale, High-risk profiling, Sensitive data processing",
"children": []
},
{
"name": "Must weigh benefits vs. potential risks (mitigated by safeguards)",
"children": []
},
{
"name": "Confidential and exempt from public inspection",
"children": []
},
{
"name": "Single DPA may cover comparable operations",
"children": []
},
{
"name": "Compliance with other laws may suffice if scope is comparable",
"children": []
},
{
"name": "Adhere to controller instructions",
"children": []
},
{
"name": "Assist controller with consumer requests, security, and breach notification",
"children": []
},
{
"name": "Provide info for controller's DPAs",
"children": []
},
{
"name": "Contract requirements: Clear instructions, confidentiality, data return/deletion (at end of service), cooperation with assessments",
"children": []
},
{
"name": "Controller must take reasonable measures against reidentification",
"children": []
},
{
"name": "Publicly commit to not reidentifying",
"children": []
},
{
"name": "Contractually obligate recipients to comply with provisions",
"children": []
},
{
"name": "Controller not required to reidentify data to comply with requests",
"children": []
},
{
"name": "Maintain website with consumer rights/controller duties info",
"children": []
},
{
"name": "Provide online complaint mechanism",
"children": []
},
{
"name": "Issue civil investigative demand (CID)",
"children": []
},
{
"name": "May request Data Protection Assessment via CID",
"children": []
},
{
"name": "AG must notify person of alleged violation (30 days prior to action)",
"children": []
},
{
"name": "AG cannot bring action if person:",
"children": [
{
"name": "Cures violation within 30 days",
"children": []
},
{
"name": "Provides written statement detailing cure and policy changes",
"children": []
}
]
},
{
"name": "Civil penalty: Up to $7,500 per violation (if cure period breached)",
"children": []
},
{
"name": "AG may recover penalty, seek injunction, and recover attorney's fees",
"children": []
}
]
}
]
},
{
"name": "Consumer Rights (Subchapter B)",
"children": [
{
"name": "Sale of Personal Data",
"children": [
{
"name": "Conduct business in Texas or produce service for Texas residents",
"children": []
},
{
"name": "Process or sell personal data",
"children": []
},
{
"name": "Are NOT small businesses (except for 541.107)",
"children": []
},
{
"name": "State agency or political subdivision",
"children": []
},
{
"name": "Financial institutions (GLBA data)",
"children": []
},
{
"name": "HIPAA covered entities/business associates",
"children": []
},
{
"name": "Nonprofit organizations",
"children": []
},
{
"name": "Institutions of higher education",
"children": []
},
{
"name": "Electric utilities/power generation companies",
"children": []
},
{
"name": "Purely personal or household activity",
"children": []
},
{
"name": "Protected health information (HIPAA)",
"children": []
},
{
"name": "Health records",
"children": []
},
{
"name": "Patient identifying information (42 U.S.C. 290dd-2)",
"children": []
},
{
"name": "Identifiable private information (Human Subjects Research)",
"children": []
},
{
"name": "Information for Health Care Quality Improvement Act",
"children": []
},
{
"name": "Patient safety work product",
"children": []
},
{
"name": "Deidentified health care information",
"children": []
},
{
"name": "Information intermingled with exempt data",
"children": []
},
{
"name": "Limited data set (45 C.F.R. 164.514(e))",
"children": []
},
{
"name": "Public health activities data",
"children": []
},
{
"name": "Data regulated by Fair Credit Reporting Act (FCRA)",
"children": []
},
{
"name": "Data regulated by Driver's Privacy Protection Act (DPPA)",
"children": []
},
{
"name": "Data regulated by Family Educational Rights and Privacy Act (FERPA)",
"children": []
},
{
"name": "Data regulated by Farm Credit Act",
"children": []
},
{
"name": "Employment/agent/contractor data (context of role)",
"children": []
},
{
"name": "Emergency contact information",
"children": []
},
{
"name": "Data necessary to administer benefits for others",
"children": []
},
{
"name": "Information linked to an identified or identifiable individual",
"children": []
},
{
"name": "Includes sensitive data",
"children": []
},
{
"name": "Includes pseudonymous data (if linkable with additional info)",
"children": []
},
{
"name": "Excludes: Deidentified data, Publicly available information",
"children": []
},
{
"name": "Racial or ethnic origin",
"children": []
},
{
"name": "Religious beliefs",
"children": []
},
{
"name": "Mental or physical health diagnosis",
"children": []
},
{
"name": "Sexuality, citizenship, or immigration status",
"children": []
},
{
"name": "Genetic or biometric data (for unique ID)",
"children": []
},
{
"name": "Personal data collected from a known child",
"children": []
},
{
"name": "Precise geolocation data (within 1,750 feet)",
"children": []
},
{
"name": "Individual resident of Texas",
"children": []
},
{
"name": "Acting only in individual or household context",
"children": []
},
{
"name": "Excludes: Individual acting in commercial or employment context",
"children": []
},
{
"name": "Controller: Determines purpose/means of processing personal data",
"children": []
},
{
"name": "Processor: Processes data on behalf of a controller",
"children": []
},
{
"name": "Freely given, specific, informed, unambiguous agreement",
"children": []
},
{
"name": "Excludes: Acceptance of broad terms of use",
"children": []
},
{
"name": "Excludes: Hovering, muting, pausing, or closing content",
"children": []
},
{
"name": "Excludes: Agreement obtained through dark patterns",
"children": []
},
{
"name": "Ads based on activities across nonaffiliated websites/apps",
"children": []
},
{
"name": "Used to predict consumer preferences/interests",
"children": []
},
{
"name": "Excludes: Activities within controller's own sites",
"children": []
},
{
"name": "Excludes: Based on current search context",
"children": []
},
{
"name": "Sharing, disclosing, or transferring for monetary or valuable consideration",
"children": []
},
{
"name": "Exclusions: Disclosure to a processor",
"children": []
},
{
"name": "Exclusions: Disclosure for product/service requested by consumer",
"children": []
},
{
"name": "Exclusions: Disclosure to an affiliate",
"children": []
},
{
"name": "Exclusions: Data intentionally made public by consumer",
"children": []
},
{
"name": "Exclusions: Data transferred as part of merger/acquisition",
"children": []
}
]
},
{
"name": "Methods for Submission (Two or More)",
"children": [
{
"name": "Secure and reliable methods (e.g., website mechanism, email)",
"children": []
},
{
"name": "Cannot require new account creation",
"children": []
},
{
"name": "Authorized agent allowed to opt out (must be verifiable)",
"children": []
}
]
},
{
"name": "Authenticated Rights",
"children": [
{
"name": "Confirm processing and access personal data",
"children": []
},
{
"name": "Correct inaccuracies",
"children": []
},
{
"name": "Delete personal data",
"children": []
},
{
"name": "Obtain portable, readily usable copy (digital format)",
"children": []
},
{
"name": "Opt Out of Processing for:",
"children": [
{
"name": "Targeted advertising",
"children": []
},
{
"name": "Sale of personal data",
"children": []
},
{
"name": "Profiling (producing legal/significant effect)",
"children": []
}
]
}
]
},
{
"name": "Controller Response Duties",
"children": [
{
"name": "Respond within 45 days (extendable by 45 days with notice)",
"children": []
},
{
"name": "Provide information free of charge (at least twice annually)",
"children": []
},
{
"name": "Can deny/charge fee if request is unfounded, excessive, or repetitive",
"children": []
},
{
"name": "Must justify declining action and provide appeal instructions",
"children": []
},
{
"name": "If unauthenticated, controller is not required to comply",
"children": []
}
]
},
{
"name": "Appeal Process",
"children": [
{
"name": "Controller must establish appeal process (conspicuously available)",
"children": []
},
{
"name": "Controller must respond to appeal within 60 days (in writing)",
"children": []
},
{
"name": "If appeal denied, provide mechanism to contact Attorney General",
"children": []
}
]
},
{
"name": "Waiver/Limitation of Rights is Void and Unenforceable",
"children": []
}
]
},
{
"name": "Controller and Processor Duties (Subchapter C)",
"children": [
{
"name": "Controller Transparency and Security",
"children": [
{
"name": "Limit collection to adequate, relevant, and necessary data",
"children": []
},
{
"name": "Maintain reasonable administrative, technical, and physical security practices",
"children": []
},
{
"name": "Do not process sensitive data without consumer consent (or COPPA compliance for children)",
"children": []
},
{
"name": "Do not process for incompatible purposes without consent",
"children": []
},
{
"name": "Do not discriminate against consumers for exercising rights",
"children": []
}
]
},
{
"name": "Privacy Notice Requirements",
"children": [
{
"name": "Must be reasonably accessible and clear",
"children": []
},
{
"name": "Include categories of personal data processed (and sensitive data)",
"children": []
},
{
"name": "Include purpose for processing",
"children": []
},
{
"name": "Describe how to exercise consumer rights and appeal process",
"children": []
},
{
"name": "If applicable, categories of data shared/categories of third parties",
"children": []
},
{
"name": "Conspicuous notice required for sale of sensitive data",
"children": []
},
{
"name": "Conspicuous notice required for sale of biometric data",
"children": []
}
]
},
{
"name": "Data Protection Assessments (DPAs)",
"children": [
{
"name": "Required for: Targeted advertising, Data sale, High-risk profiling, Sensitive data processing",
"children": []
},
{
"name": "Must weigh benefits vs. potential risks (mitigated by safeguards)",
"children": []
},
{
"name": "Confidential and exempt from public inspection",
"children": []
},
{
"name": "Single DPA may cover comparable operations",
"children": []
},
{
"name": "Compliance with other laws may suffice if scope is comparable",
"children": []
}
]
},
{
"name": "Processor Duties (Contract Required)",
"children": [
{
"name": "Adhere to controller instructions",
"children": []
},
{
"name": "Assist controller with consumer requests, security, and breach notification",
"children": []
},
{
"name": "Provide info for controller's DPAs",
"children": []
},
{
"name": "Contract requirements: Clear instructions, confidentiality, data return/deletion (at end of service), cooperation with assessments",
"children": []
}
]
},
{
"name": "Deidentified/Pseudonymous Data",
"children": [
{
"name": "Controller must take reasonable measures against reidentification",
"children": []
},
{
"name": "Publicly commit to not reidentifying",
"children": []
},
{
"name": "Contractually obligate recipients to comply with provisions",
"children": []
},
{
"name": "Controller not required to reidentify data to comply with requests",
"children": []
}
]
},
{
"name": "Small Business Requirement: Prior consent required for sale of sensitive data",
"children": []
}
]
},
{
"name": "Enforcement (Subchapter D)",
"children": [
{
"name": "Exclusive Enforcement Authority: Attorney General (AG)",
"children": []
},
{
"name": "AG Duties/Powers",
"children": [
{
"name": "Maintain website with consumer rights/controller duties info",
"children": []
},
{
"name": "Provide online complaint mechanism",
"children": []
},
{
"name": "Issue civil investigative demand (CID)",
"children": []
},
{
"name": "May request Data Protection Assessment via CID",
"children": []
}
]
},
{
"name": "Notice and Opportunity to Cure",
"children": [
{
"name": "AG must notify person of alleged violation (30 days prior to action)",
"children": []
},
{
"name": "AG cannot bring action if person:",
"children": [
{
"name": "Cures violation within 30 days",
"children": []
},
{
"name": "Provides written statement detailing cure and policy changes",
"children": []
}
]
}
]
},
{
"name": "Penalties and Actions",
"children": [
{
"name": "Civil penalty: Up to $7,500 per violation (if cure period breached)",
"children": []
},
{
"name": "AG may recover penalty, seek injunction, and recover attorney's fees",
"children": []
}
]
},
{
"name": "No Private Right of Action",
"children": []
}
]
}
]
}