362 | Texas Data Privacy and Security Act
opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent under
this subsection if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and
the authorized agent ’s authority to act on the consumer’s behalf. A controller is not required to comply with an opt-out
request received from an authorized agent under this subsection if:
(1) the authorized agent does not communicate the request to the controller in a clear and unambiguous manner;
(2)  the controller is not able to verify, with commercially reasonable effort, that the consumer is a resident of this state;
(3) the controller does not possess the ability to process the request; or
(4)  the controller does not process similar or identical requests the controller receives from consumers for the purpose of
complying with similar or identical laws or regulations of another state.
(f) A technology described by Subsection (e):
(1) may not unfairly disadvantage another controller;
(2)  may not make use of a default setting, but must require the consumer to make an affirmative, freely given, and
unambiguous choice to indicate the consumer ’s intent to opt out of any processing of a consumer ’s personal data; and
(3) must be consumer-friendly and easy to use by the average consumer.
SUBCHAPTER C. CONTROLLER AND PROCESSOR DATA-RELATED
DUTIES AND PROHIBITIONS
Sec. 541.101. CONTROLLER DUTIES; TRANSPARENCY.
(a) A controller:
(1)  shall limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the
purposes for which that personal data is processed, as disclosed to the consumer; and
(2)  for purposes of protecting the confidentiality, integrity, and accessibility of personal data, shall establish, implement, and
maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume
and nature of the personal data at issue.
(b) A controller may not:
(1)  except as otherwise provided by this chapter, process personal data for a purpose that is neither reasonably necessary
to nor compatible with the disclosed purpose for which the personal data is processed, as disclosed to the consumer,
unless the controller obtains the consumer ’s consent;
(2) process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers;
(3)  discriminate against a consumer for exercising any of the consumer rights contained in this chapter, including by denying
goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods
or services to the consumer; or
(4)  process the sensitive data of a consumer without obtaining the consumer ’s consent, or, in the case of processing the
sensitive data of a known child, without processing that data in accordance with the Children’s Online Privacy Protection
Act of 1998 (15 U.S.C. Section 6501 et seq.).
(c)  Subsection (b)(3) may not be construed to require a controller to provide a product or service that requires the personal
data of a consumer that the controller does not collect or maintain or to prohibit a controller from offering a different price,
rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the
consumer has exercised the consumer ’s right to opt out under Section 541.051 or the offer is related to a consumer ’s
voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.