§ 541.101StatuteReference only

Controller Duties; Transparency

Effective July 1, 2024Reviewed July 2026

Reference only: This requirement is not currently tested by the Privisy scanner. It is included for reference. Consult a qualified attorney to assess your compliance posture.

What it requires

Sets out controller duties: data minimization limited to what is adequate, relevant, and reasonably necessary for the disclosed purposes (subsection (a)(1)) and reasonable administrative, technical, and physical data security (subsection (a)(2)). Subsection (b) prohibits processing data for incompatible purposes without consent, unlawful discrimination against consumers, and processing a consumer's sensitive data without consent (or, for a known child, other than in accordance with COPPA). The privacy-notice content requirements are set out separately in § 541.102.

Legal text (excerpt)

(a) "A controller: (1) shall limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which that personal data is processed, as disclosed to the consumer; and (2) ... shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices ...." (b) "A controller shall not: ... (4) process the sensitive data of a consumer without obtaining the consumer's consent ...."

Texas Data Privacy and Security Act: § 541.101, Statute, effective 2024

Primary source

Texas Office of the Attorney General: § 541.101: Controller Duties; Transparency

Legal notice: This page is for informational purposes only and does not constitute legal advice. The legal text excerpt is reproduced from official public sources and is current as of the stated effective date. Laws change: verify against the authoritative source and consult a licensed attorney for compliance guidance.

Stop Guessing. Start Knowing.

Find out exactly where your website stands before a regulator does.

Get My Compliance Audit