Tex. Bus. & Com. Code Section 541.052
Controller Response to Consumer Request


(a)

Except as otherwise provided by this chapter, a controller shall comply with a request submitted by a consumer to exercise the consumer’s rights pursuant to Section 541.051 (Consumer’s Personal Data Rights; Request to Exercise Rights) as provided by this section.

(b)

A controller shall respond to the consumer request without undue delay, which may not be later than the 45th day after the date of receipt of the request. The controller may extend the response period once by an additional 45 days when reasonably necessary, taking into account the complexity and number of the consumer’s requests, so long as the controller informs the consumer of the extension within the initial 45-day response period, together with the reason for the extension.

(c)

If a controller declines to take action regarding the consumer’s request, the controller shall inform the consumer without undue delay, which may not be later than the 45th day after the date of receipt of the request, of the justification for declining to take action and provide instructions on how to appeal the decision in accordance with Section 541.053 (Appeal).

(d)

A controller shall provide information in response to a consumer request free of charge, at least twice annually per consumer. If a request from a consumer is manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or may decline to act on the request. The controller bears the burden of demonstrating for purposes of this subsection that a request is manifestly unfounded, excessive, or repetitive.

(e)

If a controller is unable to authenticate the request using commercially reasonable efforts, the controller is not required to comply with a consumer request submitted under Section 541.051 (Consumer’s Personal Data Rights; Request to Exercise Rights) and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer’s request.

(f)

A controller that has obtained personal data about a consumer from a source other than the consumer is considered in compliance with a consumer’s request to delete that personal data pursuant to Section 541.051 (Consumer’s Personal Data Rights; Request to Exercise Rights)(b)(3) by:

(1)

retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the business’s records and not using the retained data for any other purpose under this chapter; or

(2)

opting the consumer out of the processing of that personal data for any purpose other than a purpose that is exempt under the provisions of this chapter.
Added by Acts 2023, 88th Leg., R.S., Ch. 995 (H.B. 4), Sec. 2, eff. July 1, 2024.

Source: Section 541.052 — Controller Response to Consumer Request, https://statutes.­capitol.­texas.­gov/Docs/BC/htm/BC.­541.­htm#541.­052 (accessed Jun. 5, 2024).

Accessed:
Jun. 5, 2024

§ 541.052’s source at texas​.gov