Texas Data Privacy and Security Act (TDPSA)

Overview

Texas was the eleventh state to enact a comprehensive consumer data privacy law. The Texas Data Privacy and Security Act (TDPSA) grants Texas residents several key rights over their personal data. It also establishes privacy protection safeguards that apply to companies that “conduct business in Texas or produce a product or service consumed by residents of Texas” and that collect, use, store, sell, share, analyze, or process consumers’ personal data. Small businesses (as defined by the federal Small Business Administration) are generally exempt from the Act, except that if a small business sells the sensitive data of a consumer, it must first obtain the consumer’s consent.

Key Dates

• Signed into law: June 18, 2023
• Effective date: July 1, 2024

Thresholds

The TDPSA applies to persons that:

1. conduct business in Texas or produce products or services consumed by Texas residents;
2. process or engage in the sale of personal data; and
3. are not "small businesses" as defined by the SBA.

Consumer Rights

• The right to know whether a company is processing the consumer’s personal data and to obtain the personal data in a readable format.
• The right to correct inaccuracies in the consumer’s personal data, taking into account the nature of the data and the purposes for processing the data.
• The right to delete personal data provided by or obtained about the consumer.
• The right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision made by the company concerning the consumer that results in the provision or denial by the company of the following:
  • financial and lending services;
  • housing, insurance, or health care services;
  • education enrollment;
  • employment opportunities;
  • criminal justice; or
  • access to basic necessities, such as food and water.
• The right to not face retaliation or discrimination for exercising these rights.

Sensitive Data

• Any data revealing racial or ethnic origins, religious beliefs, mental or physical health conditions or diagnoses, sexuality, citizenship, or immigration status;
• Genetic or biometric data processed to uniquely identify an individual;
• Personal data of a child under the age of 13; and
• Precise geolocation data (information that identifies an individual’s specific location with a defined degree of precision and accuracy).

Penalties

Up to $7,500 per violation.

Configure Your Consent Banner for TDPSA

Regions are used to customize the behavior and experience based on an individual user’s location. As an example, this allows you to provide different experiences to users based on regional differences (like GDPR in the EU vs. TDPSA in Texas). When a user visits your site, we will automatically determine their location and will match them to the most granular region rule that you have setup in Concord. This can go down to the state/province level, which allows for different experiences for different laws (like TDPSA in Texas).

Recommended Consent Settings

Based on the current laws, we recommend the following regional settings:

• Consent Mode: Implied
• Blocking Mode: Strict
• Google Consent Mode V2: Basic
• Consent Duration: 12 months
• Enable Limit Sensitive Information: Enabled
• Enable Do Not Sell Consent: Enabled
• Enable Global Privacy Control: Enabled

For step-by-step instruction on how to configure your consent banner for different geographical regions within the Concord app, see our help document https://www.concord.tech/docs/configure-consent-banner-difference-regions.

Important Note: While you can get as granular as you want, we typically recommend a single global policy that meets the strictest guidelines across regions, or higher splits (like separate GDPR and United States regions). If you have any questions on how and why to configure your regions in certain ways, please reach out to our support team.