TDPSA Consumer Rights: Your Texas Data Privacy Rights

If a Texas company holds data about you, the Texas Data Privacy and Security Act gives you six enforceable rights over that data. Here is exactly how to use each one, what timelines apply, and what to do when a company refuses.
The TDPSA (Tex. Bus. & Com. Code ch. 541) took effect July 1, 2024, enacted as H.B. 4 during the 88th Texas Legislature. It applies to for-profit controllers that process personal data of Texas residents and exceed certain size thresholds. For a broader overview of how the law works, see the Texas Data Privacy Laws hub. For a plain-language explanation of the law's scope and who it covers, see What Is the TDPSA.
Your Six TDPSA Rights at a Glance
Texas Business and Commerce Code Chapter 541 grants you six distinct rights over personal data held by covered controllers. Under § 541.051(b), those rights are:
- Access and confirm. You can ask whether a company is processing your personal data and request a copy of it.
- Correct. You can require a company to fix inaccuracies in your personal data, taking into account the nature of the data and the purpose of processing.
- Delete. You can require a company to delete personal data it obtained from you or about you.
- Portability. You can request your data in a portable, machine-readable format that allows you to transfer it to another controller.
- Opt out. You can stop a company from using your data for targeted advertising, selling your data to third parties, or running automated profiling that produces significant decisions about you.
- Appeal. You can appeal any denial, and if the appeal is denied, you can escalate to the Texas Attorney General.
These rights apply to personal data you provided directly and to data the company obtained about you from other sources. The law was enacted as Acts 2023, 88th Leg., R.S., Ch. 995 (H.B. 4), with core provisions effective July 1, 2024 and the universal opt-out mandate effective January 1, 2025.
How to Submit a TDPSA Rights Request
Under § 541.055(b), a company cannot require you to create a new account as a condition for submitting a request. You may use an existing account if you have one. Companies must offer at least one secure, reliable submission method, and most link to their privacy rights portal in the footer of their website or inside their privacy policy.
Step-by-step process:
- Go to the company's website and look in the footer or privacy policy for a link labeled "Texas Privacy Rights," "Your Privacy Rights," "Consumer Privacy Request," or "Do Not Sell My Personal Information."
- Select the right you want to exercise (access, correction, deletion, portability, or opt-out).
- Provide identifying information so the company can authenticate you. This typically means your name, the email address associated with your account, and possibly account details or answers to security questions.
- Submit the request and save a copy: a screenshot or confirmation email is enough.
- The 45-day response clock starts from the date of authenticated receipt under § 541.052.
Under § 541.052, companies must provide responses free of charge at least twice annually per consumer. If your requests become manifestly unfounded, excessive, or repetitive, the company may charge a reasonable fee or decline to act, but the burden of proving that standard is met falls on the company, not on you.
Timelines: 45 Days, One Extension, Then an Answer
Section 541.052 sets the response clock. A company must respond without undue delay, and no later than the 45th day after receiving your authenticated request. If a company needs more time, it may extend the window once, by an additional 45 days, but it must notify you of the extension before the initial period closes and explain why the extension is reasonably necessary.
That means in the worst case you should hear something within 90 days total. If the company decides to decline your request rather than simply needing extra processing time, it must tell you its reasons and explain how to appeal. A company that goes silent past 45 days without notifying you of an extension has violated § 541.052, which gives you grounds to proceed directly to an appeal or a complaint.
Keep records of when you submitted your request. The 45-day period runs from the date of "authenticated receipt," so if a company asks for additional verification and you provide it, the clock arguably restarts at that point. Confirm the company's receipt date in writing when possible.
Your Right to Access and Correct Your Data
Access (§ 541.051(b)(1)): You can ask any covered company to confirm whether it is processing personal data about you and to give you a copy of that data. The right has two parts: confirmation (does the company hold your data?) and access (show me what you have). This is the natural starting point before you exercise any other right.
How to exercise it: Submit an access request through the company's designated privacy channel. You may need to specify the categories of data you are interested in or ask for all personal data the company holds. The company must respond within 45 days with confirmation and, if it is processing your data, a readable copy.
Correction (§ 541.051(b)(2)): Once you have seen your data, you can require correction of any inaccuracies "taking into account the nature of the personal data and the purposes of the processing." This matters most for data used to make decisions about you: credit profiles, health-related information, contact records, or behavioral classifications.
How to exercise it: Submit a correction request identifying the specific inaccuracy and, where possible, providing documentation of the correct information. The company has 45 days to respond and must tell you what it changed or why it declined. A refusal triggers your appeal right.
Your Right to Delete Personal Data
Under § 541.051(b)(3), you can request deletion of personal data "provided by or obtained about" you. The right covers both data you supplied directly (account information, purchase history, form submissions) and data the company acquired about you from other sources (behavioral profiles, data-broker records, inferred attributes).
How to exercise it: Submit a deletion request through the company's privacy portal or designated contact method. Be specific about what you want deleted: categories of data, specific records, or all personal data the company holds about you. The 45-day clock applies.
Deletion has statutory limits. A company may keep data that is necessary to complete a transaction, to detect security incidents, to exercise or defend legal claims, to comply with a legal obligation, or to carry out certain research or public-interest functions. When a company declines to delete, it must explain which exception applies. Vague or unsupported refusals are not sufficient under § 541.052.
Your Right to Data Portability
Section 541.051(b)(4) lets you obtain a copy of personal data you previously provided to the company in a portable format. The statute requires the format to be "readily usable" and to allow you to "transmit the data to another controller without hindrance" to the extent technically feasible.
How to exercise it: Request a data export through the company's privacy rights channel. Common formats include CSV, JSON, or structured spreadsheets. The "technically feasible" qualifier means the company can use standard formats rather than building a custom export; it does not allow the company to provide an unusable dump or refuse entirely on grounds of complexity.
Portability applies to data you provided to the controller. It does not necessarily require the company to export data it derived or inferred internally from your activity. Like access requests, portability responses are free up to twice per year and must arrive within 45 days.
The Opt-Out Rights: Targeted Ads, Data Sales, and Profiling
Section 541.051(b)(5) gives you the right to opt out of three distinct uses of your personal data:
- Targeted advertising. Ads selected for you based on your behavior across different websites, apps, or services that are not under common ownership or control. If a company is sharing your browsing history or purchase data with an ad network to serve you behavioral ads, you can stop that.
- Sale of personal data. Transferring your personal data to a third party in exchange for monetary or other valuable consideration. Under the TDPSA, this includes exchanges for non-monetary value, which is broader than Virginia's definition but narrower than California's CPRA on the "sharing" side.
- Profiling in furtherance of significant decisions. Automated processing that produces decisions with legal or similarly significant effects on you, covering decisions about credit, insurance, employment, housing, education, or access to essential goods and services.
How to exercise it: Look in the company's footer or privacy policy for a link labeled "Do Not Sell My Personal Data," "Opt Out of Targeted Advertising," or "Privacy Choices." Submit the request through the designated channel. Under § 541.052, the company must honor your opt-out within the standard 45-day response window.
Note the distinction between the opt-out rights (targeted ads, sale, profiling) and the opt-IN requirement for sensitive data addressed below. Ordinary personal data defaults to opt-out. Sensitive data requires consent before processing begins.
To see how these opt-out rules compare to other state laws, see the TDPSA compliance checklist for businesses, which covers the controller-side obligations in detail.
Global Privacy Control: The Browser-Level Opt-Out
Texas is one of the first states to mandate recognition of universal opt-out signals. Section 541.055(e), effective January 1, 2025, requires covered controllers to recognize and honor Global Privacy Control (GPC) signals as valid opt-out requests for the sale of personal data and targeted advertising, automatically, without requiring any additional steps from you.
What GPC is: The Global Privacy Control is a browser-level signal you enable once. Every website you visit that is subject to a participating state's privacy law must then treat that signal as a formal opt-out. You do not need to find the company's privacy portal, fill out a form, or confirm your identity. The signal does the work.
How to enable GPC:
- Firefox: Settings > Privacy and Security > Enable "Tell websites not to sell or share my data."
- Brave: Settings > Privacy and Security > "Send a 'Do Not Sell My Personal Information' signal."
- DuckDuckGo browser: GPC is enabled by default.
- Chrome or Edge (via extension): Install the Global Privacy Control extension from the Chrome Web Store or Edge Add-ons.
Once enabled, any Texas-covered business must honor that signal as a valid opt-out from data sales and targeted advertising under § 541.055(e). The company cannot require you to also complete a manual form. This is the most frictionless way to exercise your Texas opt-out rights at scale, across dozens or hundreds of sites simultaneously.
Sensitive Data: Companies Need Your Permission First
For certain categories of personal data, the TDPSA flips the default entirely. Under § 541.101(b), a controller cannot process your sensitive data at all without first obtaining your affirmative, informed consent. This is an opt-IN requirement: the company must ask permission before processing begins, not after.
Under § 541.001(29), sensitive data includes:
- Racial or ethnic origin
- Religious beliefs
- Health diagnoses or mental health conditions
- Sexual orientation or gender identity
- Citizenship or immigration status
- Genetic data
- Biometric data processed to uniquely identify you (fingerprints, facial geometry, retina scans)
- Precise geolocation data (typically within a radius defined by GPS or similar technology)
- Personal data of known children
The January 2025 enforcement action illustrates how seriously Texas takes this category. The Texas AG sued Allstate and its subsidiary Arity on January 13, 2025, in the first enforcement action under any state comprehensive privacy law in the United States, for allegedly collecting precise geolocation data from over 45 million people without notice or consent in violation of § 541.101(b). The case signals that sensitive-data violations are a top enforcement priority.
If a company is processing any of these categories about you without having obtained your consent, that is a violation of § 541.101(b) and a strong basis for a Texas AG complaint.
Non-Discrimination: Companies Cannot Punish You for Exercising Your Rights
Section 541.101(b)(3) prohibits controllers from discriminating against you for exercising any TDPSA right. A company cannot:
- Deny you goods or services because you submitted a privacy request
- Charge you a higher price because you opted out of data sales
- Provide you a lower quality of service because you asked for your data or requested deletion
- Retaliate against you in any other way for using these rights
Section 541.054 goes further: any contract provision that tries to waive or limit your rights under §§ 541.051 through 541.053 is "contrary to public policy and is void and unenforceable." You cannot sign away your TDPSA rights, and no company can make doing so a condition of service.
If you believe a company has penalized you for exercising your rights, document the treatment carefully: the denial of service, the price difference, or the quality gap. Include that documentation when you file a complaint with the Texas AG.
How to Appeal a Denied Request
If a company refuses your request on any of the six rights (access, correction, deletion, portability, opt-out, or appeal of a prior decision), it must tell you why and explain how to appeal. Under § 541.053(a)-(c), every covered controller must establish an appeal process that is conspicuously available and functions similarly to the original request process.
Step 1: Internal appeal to the controller. Submit your appeal through whatever channel the company designates, typically the same privacy portal used for initial requests or a separate appeal email. There is no prescribed form. Clearly state that you are appealing the denial, identify the original request by date and type, and explain why you believe the denial was improper. Save a copy of your appeal submission and the date you sent it.
The company must respond to your appeal within 60 days of receiving it and must provide a written explanation of its decision. Note the different timelines: 45 days for initial requests, 60 days for appeals. If the company approves your appeal, it must take the corrective action promptly.
Step 2: Escalation to the Texas Attorney General. Under § 541.053(d), if the company denies your appeal, it must provide you with the Texas AG's online complaint mechanism described in § 541.152. The company is legally required to hand you that link; you should not need to search for it independently.
If the company simply ignores your request for 45 days without notifying you of an extension, you do not need to go through a formal appeal. A non-response is itself a violation, and you can file a complaint with the AG directly.
How to File a Complaint with the Texas Attorney General
Under § 541.152, the Texas Attorney General is required by law to maintain on its official website: (1) information about consumer rights under TDPSA Subchapter B, and (2) an online mechanism through which consumers can file TDPSA complaints. After an appeal denial, the company must point you directly to that mechanism.
Where to file:
- Texas AG TDPSA complaint page: https://www.texasattorneygeneral.gov/consumer-protection/file-consumer-complaint/consumer-privacy-rights/texas-data-privacy-and-security-act
- AG Consumer Complaint Portal: https://consumerprotection.texasattorneygeneral.gov/consumercomplaintportal/s/
What to include in your complaint:
- The name of the company and its website
- The date you submitted your original request
- The type of request (access, deletion, opt-out, etc.)
- The date and content of the company's denial
- The date you submitted your appeal
- The date and content of the appeal denial
- Copies of all written correspondence
The more documentation you provide, the stronger your complaint. The AG's enforcement office looks for documented patterns of non-compliance as triggers for investigations, but individual complaints that are well-documented can also lead to action against specific violators.
Under § 541.154, the AG must provide a controller with 30 days' written notice identifying the alleged violation before filing suit, during which the controller may cure. If the violation is not cured, the AG can seek civil penalties of up to $7,500 per violation under § 541.155. The AG has exclusive enforcement authority under § 541.151; there is no private right of action. You cannot sue the company yourself. But filing a complaint creates a formal record and can contribute to AG enforcement priority decisions.