The Texas Data Privacy and Security Act (TDPSA) grants Texas residents a comprehensive set of privacy rights over their personal data, including rights to access, correct, delete, and obtain a copy of their data, as well as to opt out of targeted advertising, the sale of personal data, and certain types of profiling. These rights are enforceable against businesses that determine the purposes and means of processing personal data, with additional protections for children and requirements for clear consumer-facing mechanisms to exercise these rights.
Need some legal advice?
Having trouble finding answers to your legal questions? Amy can help!
Texas residents, under the TDPSA, are empowered to control their personal data held by covered businesses (controllers) through a suite of rights: they can confirm and access their data, correct inaccuracies, request deletion, obtain a portable copy, and opt out of data processing for targeted advertising, sale, or profiling that has significant effects. The law also mandates that businesses provide clear methods for consumers to exercise these rights, prohibits discrimination against consumers for doing so, and imposes transparency and data security obligations on businesses.
Controllers must respond to consumer requests within specified timeframes, authenticate requests, and provide at least two secure methods for submission. Parents or guardians may exercise these rights on behalf of known children, and businesses must obtain consent before processing sensitive data. The TDPSA also requires businesses to recognize universal opt-out mechanisms and to provide clear disclosures regarding data sales and targeted advertising, ensuring robust privacy protections for Texas residents.
Core Consumer Rights
Section 541.051 of the TDPSA is the primary legislative provision enumerating the privacy rights of Texas residents. Under this section, consumers may, at any time, submit a request to a controller to exercise the following rights:
Right to Confirm and Access: Consumers can request confirmation of whether a controller is processing their personal data and access to that data.
Right to Correct: Consumers may request correction of inaccuracies in their personal data, considering the nature and purposes of the processing.
Right to Delete: Consumers can request deletion of personal data provided by or obtained about them.
Right to Data Portability: If the data is available in digital format, consumers can obtain a copy of their personal data in a portable, readily usable format, enabling transfer to another controller.
Right to Opt Out: Consumers may opt out of the processing of their personal data for (1) targeted advertising, (2) the sale of personal data, and (3) profiling in furtherance of decisions that produce legal or similarly significant effects.
For known children, parents or legal guardians may exercise these rights on the child’s behalf, ensuring additional protections for minors, as specified in Section 541.051(a).
Controller Obligations and Procedures
The Act applies to entities that determine the purposes and means of processing personal data—referred to as “controllers”—and sets forth both consumer rights and controller obligations.
Controllers are required to comply with authenticated consumer requests to exercise these rights, as detailed in Section 541.052. They must respond without undue delay, and no later than 45 days after receiving the request, with a possible one-time extension of an additional 45 days if reasonably necessary. If a controller declines to act on a request, it must inform the consumer and provide instructions for appeal, as per Section 541.053.
Controllers must provide information in response to consumer requests free of charge at least twice annually per consumer. They are permitted to charge a reasonable fee or decline to act if requests are manifestly unfounded, excessive, or repetitive. Authentication of requests is required, and if authentication is not possible, the controller is not obligated to comply.
Section 541.055 mandates that controllers establish at least two secure and reliable methods for consumers to submit requests, such as online forms or email addresses, and prohibits requiring consumers to create new accounts solely to exercise their rights. Controllers must also recognize opt-out requests submitted by authorized agents and, starting January 1, 2025, must honor universal opt-out mechanisms (such as browser settings or designated electronic agents).
Conclusion
The Texas Data Privacy and Security Act grants Texas residents a comprehensive set of privacy rights over their personal data, including the ability to access, correct, delete, and obtain a copy of their data, and to opt out of targeted advertising, the sale of personal data, and certain profiling. These rights are supported by robust procedural requirements for businesses, protections for children and sensitive data, and clear mechanisms for consumers to exercise their rights. The TDPSA positions Texas as a leader in consumer data privacy, providing residents with meaningful control and transparency regarding their personal information.
Every situation is unique, if you have specific legal questions about your situation, obtain legal counsel.
Do you have questions about a your claim or dispute?
Amy can help! Schedule your free initial consultation with The Gustafson Firm now!