These jurisdiction checklists are practical scoping aids for privacy, DPO, DSAR, transfer, incident, and vendor governance decisions. Confirm obligations against your facts before relying on any checklist as advice.
Texas Data Privacy and Security Act
Comprehensive compliance checklist for organizations operating under the Texas Data Privacy and Security Act
Key Compliance Questions
Section 541.005 - COPPA Compliance
Does your organization obtain and document verifiable parental consent under the Children's Online Privacy Protection Act (COPPA) for personal data it collects online from known children, so that it can rely on the chapter's deemed-compliance provision for parental consent, and does it keep records of those consent measures?
Section 541.052 - Consumer Request Response
Does your organization respond to consumer requests under Section 541.051 to confirm processing and access, correct, delete, or obtain a copy of personal data, or to opt out of targeted advertising, sale, or profiling, within the required timelines; provide clear instructions for appeals; and handle extensions, fees, and authentication failures appropriately?
Section 541.055 - Request Submission Methods
Has your organization established secure, reliable, and accessible methods for consumers (or their authorized agents) to submit requests to exercise their rights, taking into account consumer interaction preferences, authentication, and ease of use?
Section 541.101 - Data Collection & Security
Does your organization limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes disclosed to the consumer, avoid processing for undisclosed and incompatible purposes without consent, and implement administrative, technical, and physical security measures appropriate to the volume and nature of the personal data? Does it avoid processing personal data in violation of anti-discrimination laws, and obtain consent before processing sensitive data, including the personal data of a known child?
Section 541.102 - Privacy Notice Requirements
Does your organization provide a clear and accessible privacy notice including: categories of personal data collected, purposes of processing, consumer rights and appeal processes, third-party sharing, and methods for submitting consumer requests? If sensitive or biometric data is sold, are the required notices clearly displayed?
Section 541.103 - Data Sales & Targeted Advertising
Does your organization clearly and conspicuously disclose when personal data is sold or used for targeted advertising, and provide an accessible method for consumers to opt out?
Section 541.104 - Processor Obligations
Does your organization, as a processor, adhere to controller instructions, assist with consumer rights requests, maintain security obligations, and provide information for data protection assessments? Are contracts with controllers comprehensive, and do they include confidentiality, deletion/return of data, audit rights, and subcontractor obligations?
Section 541.107 - Sensitive Data Consent
If your organization is a small business as defined by the U.S. Small Business Administration, and therefore otherwise outside most of the chapter's obligations, does it still obtain prior consent from the consumer before selling any sensitive personal data?
Section 541.202 - Internal Operations Exceptions
Does your organization understand that the chapter does not restrict its ability to collect, use, or retain personal data for internal research to develop, improve, or repair products and services, to effect product recalls, to identify and repair technical errors, or for internal operations reasonably aligned with consumer expectations or the consumer's existing relationship or contract, and does it record when it relies on these exceptions? Are you aware that the chapter's obligations do not override evidentiary privileges?
Section 541.203 - Third-Party Disclosures
Does your organization disclose personal data to third-party controllers or processors only in compliance with this chapter? Can you show that, at the time of disclosure, you had no actual knowledge that the recipient intended to commit a violation? Are you aware that a disclosing controller or processor is not in violation of the chapter because of the recipient's later violation, provided the disclosure itself was compliant and made without that actual knowledge?
Section 541.204 - Purpose-Specific Processing
Does your organization ensure that personal data is processed only for purposes listed in this subchapter, in a manner that is reasonably necessary, proportionate, and limited to what is required for the purpose? Are administrative, technical, and physical safeguards in place to protect confidentiality, integrity, and accessibility? Can you demonstrate that any exempted processing meets these requirements?
Compliance Recommendations
Section 541.005 - COPPA Compliance
If "Yes":
- Maintain procedures to verify parental consent, document compliance, and periodically review processes to ensure ongoing alignment with COPPA and similar requirements.
If "No":
- Implement mechanisms to obtain verifiable parental consent, train staff on compliance obligations, and establish internal procedures to document and demonstrate adherence to parental consent requirements.
Section 541.052 - Consumer Request Response
If "Yes":
- Maintain clear internal procedures to respond within 45 days of receiving a request, with one allowable extension of 45 additional days when reasonably necessary; inform the consumer of the extension and the reason for it within the initial 45-day period.
- Track requests, provide instructions for appeals, and document communications. Regularly review response practices to improve efficiency and transparency.
If "No":
- Develop processes to respond within the statutory timelines, communicate extensions with justification, provide information free of charge up to twice annually per consumer, and establish procedures for manifestly unfounded, excessive, or repetitive requests (a reasonable fee or a documented refusal, with the burden of demonstrating that the request qualifies).
- Ensure authentication of requests and document compliance measures.
Section 541.055 - Request Submission Methods
If "Yes":
- Maintain two or more secure and reliable submission methods, such as an online form and an e-mail address, and offer the mechanism through your website if you maintain one. Ensure accessibility, authentication, and alignment with the ways consumers normally interact with you, and do not require consumers to create a new account to submit a request.
- Periodically review the usability and security of submission channels to improve consumer experience.
If "No":
- Establish multiple secure submission methods, including online and e-mail channels.
- Implement verification processes, enable use of existing accounts, and provide mechanisms for authorized agents. Ensure technology is consumer-friendly, clear, and respects consumer choice.
Section 541.101 - Data Collection & Security
If "Yes":
- Maintain documented procedures to collect only necessary personal data, implement appropriate security measures, prevent discrimination, and obtain consent for sensitive or child data.
If "No":
- Establish clear internal processes to limit data collection, implement suitable security measures, ensure lawful processing, and obtain consent where required.
Section 541.102 - Privacy Notice Requirements
If "Yes":
- Publish and maintain privacy notices accessible to consumers. Include all mandatory disclosures and update notices to reflect changes in processing practices or data sales.
- Ensure consumers are informed of sensitive or biometric data sales.
If "No":
- Develop a comprehensive privacy notice including all required elements.
- Post notices prominently and maintain procedures to update them as processing activities or data sharing practices change.
Section 541.103 - Data Sales & Targeted Advertising
If "Yes":
- Maintain public disclosures of data sales and targeted advertising practices.
- Ensure opt-out processes are easy to use, effective, and communicated to consumers.
If "No":
- Implement clear and conspicuous disclosure of any sale of personal data or processing for targeted advertising, and provide a working, accessible method for consumers to opt out of each.
Section 541.104 - Processor Obligations
If "Yes":
- Maintain contracts with controllers that clearly define processing obligations, confidentiality duties, audit procedures, and subcontractor requirements.
- Implement measures to assist controllers in responding to consumer rights requests and security compliance. Document all actions and assessments.
If "No":
- Review and update contracts with controllers to ensure all obligations are clearly defined.
- Implement procedures for assisting controllers, securing data, supporting assessments, and managing subcontractors in compliance with the chapter.
Section 541.107 - Sensitive Data Consent
If "Yes":
- Maintain a documented process for obtaining the consumer's prior consent, as defined in the chapter (a clear affirmative act signifying freely given, specific, informed, and unambiguous agreement), before selling sensitive personal data.
- Keep records of each consent and regularly review compliance procedures to ensure ongoing adherence.
If "No":
- Implement a process to obtain affirmative, documented consent from the consumer before selling any sensitive personal data, and do not treat acceptance of general terms of use or a pre-ticked box as consent.
Section 541.202 - Internal Operations Exceptions
If "Yes":
- Document and justify collection, use, or retention of personal data under these exceptions.
- Maintain records of data usage aligned with product/service development and contractual obligations. Ensure legal privileges are respected.
If "No":
- Review internal policies to allow legitimate collection, use, or retention under these exceptions, and require staff to record which exception is relied on for each such use.
Section 541.203 - Third-Party Disclosures
If "Yes":
- Maintain due diligence procedures for third-party disclosures.
- Document all disclosures and verify that recipients are expected to comply with applicable data protection requirements.
- Keep records, such as diligence notes and contract terms, showing that at the time of each disclosure you had no actual knowledge of an intended violation by the recipient.
If "No":
- Implement policies to assess third-party compliance prior to disclosure.
- Maintain documentation of all disclosures and train staff to understand their responsibility for verifying compliance without assuming liability for recipients' actions.
Section 541.204 - Purpose-Specific Processing
If "Yes":
- Maintain records justifying purpose-specific processing, implement risk-based safeguards, and document compliance.
- Conduct periodic reviews to ensure ongoing necessity and proportionality of data processing.
If "No":
- Establish procedures to ensure personal data is processed only for allowed purposes.
From checklist to implementation
Need a fact-specific view?
Data>Nuance can turn this checklist into a scoped action plan for your product, vendor stack, cross-border transfers, DSAR workflow, breach readiness, or DPO operating model.