Text of section effective on July 01, 2024
Sec. 541.055. METHODS FOR SUBMITTING CONSUMER REQUESTS. (a) A controller shall establish two or more secure and reliable methods to enable consumers to submit a request to exercise their consumer rights under this chapter. The methods must take into account:
(1) the ways in which consumers normally interact with the controller;
(2) the necessity for secure and reliable communications of those requests; and
(3) the ability of the controller to authenticate the identity of the consumer making the request.
(b) A controller may not require a consumer to create a new account to exercise the consumer's rights under this subchapter but may require a consumer to use an existing account.
(c) Except as provided by Subsection (d), if the controller maintains an Internet website, the controller must provide a mechanism on the website for consumers to submit requests for information required to be disclosed under this chapter.
(d) A controller that operates exclusively online and has a direct relationship with a consumer from whom the controller collects personal information is only required to provide an e-mail address for the submission of requests described by Subsection (c).
Text of subsection effective on January 01, 2025
(e) A consumer may designate another person to serve as the consumer's authorized agent and act on the consumer's behalf to opt out of the processing of the consumer's personal data under Sections 541.051(b)(5)(A) and (B). A consumer may designate an authorized agent using a technology, including a link to an Internet website, an Internet browser setting or extension, or a global setting on an electronic device, that allows the consumer to indicate the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent under this subsection if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. A controller is not required to comply with an opt-out request received from an authorized agent under this subsection if:
(1) the authorized agent does not communicate the request to the controller in a clear and unambiguous manner;
(2) the controller is not able to verify, with commercially reasonable effort, that the consumer is a resident of this state;
(3) the controller does not possess the ability to process the request; or
(4) the controller does not process similar or identical requests the controller receives from consumers for the purpose of complying with similar or identical laws or regulations of another state.
(f) A technology described by Subsection (e):
(1) may not unfairly disadvantage another controller;
(2) may not make use of a default setting, but must require the consumer to make an affirmative, freely given, and unambiguous choice to indicate the consumer's intent to opt out of any processing of a consumer's personal data; and
(3) must be consumer-friendly and easy to use by the average consumer.
Added by Acts 2023, 88th Leg., R.S., Ch. 995 (H.B. 4), Sec. 2, eff. July 1, 2024.