Earlier this year, Texas and Oregon each passed a data broker registration law, joining California and Vermont to double the number of states that have enacted such legislation. Texas Governor Greg Abbott signed SB 2105 into law on June 18, 2023 and the Office of the Secretary of State adopted on December 1, 2023 a set of rules to operationalize the state’s data broker registry. Oregon Governor Tina Kotek signed HB 2052 on July 27, 2023 and the Rulemaking Advisory Committee adopted the Temporary Rules for Data Brokers Registry to be effective from December 1, 2023 through May 28, 2024.
From California’s recently enacted Delete Act, which empowers consumers with stronger data deletion rights and increases penalties for noncompliance, to the Consumer Financial Protection Bureau’s March 2023 request for information about data brokers, state and federal regulators are shining a spotlight on these actors in the data marketplace. The most common way that states are regulating data brokers is through the establishment of data broker registries, like those in Vermont, California, Texas, and Oregon. Although the registries form the driving component of these laws, the laws can also include mandates on security protocols, public disclosures, and consumer rights to delete or opt out. These laws do not include a private right of action, but the enforcing entity for each of these laws (including California’s recently formed California Privacy Protection Agency) has the authority to administer fines for noncompliance. Companies that do business in these states or have consumers living in these states should keep a close eye on how these laws define “data broker” and the types of personal data covered under these laws.
In this post, we summarize the key features of the Texas and Oregon data broker laws, as well as the recent rulemaking in these two states. We also note, where applicable, how the Texas and Oregon data broker laws compare to those in Vermont and California. We will keep you updated as the data broker legal landscape continues to evolve. If you would like to subscribe to the WilmerHale Privacy and Cybersecurity Law Blog, you may do so here.
Key Provisions of the Texas Data Broker Law & Rules
1. Definition of “data broker” and scope of applicability: SB 2105 defines a data broker as “a business entity whose principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly from the individual linked or linkable to the data.”
- Exclusions: Service providers, government entities, nonprofits, consumer reporting agencies, and financial institutions.
Although this definition’s focus on “collecting, processing, or transferring” personal data is broader than the terms used in other data broker laws (e.g., Oregon’s law focuses on entities that “collect” and “sell” personal data), the law only applies to data brokers who, in a 12-month period, derive more than 50% of their revenue from processing or transferring personal data that the data broker did not collect directly from the relevant individuals OR who derive revenue from processing or transferring the personal data of more than 50,000 individuals that the data broker did not directly collect.
2. Definition of “personal data”: SB 2105 defines personal data as “any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual.” It clarifies that pseudonymous data (i.e., data that replaced identifiable information with an artificial identifier, but which can still be re-identified with additional information) is still considered personal data if additional information could “reasonably” re-identify individuals.
- Exclusions: Deidentified data, employee data, publicly available information, and data subject to the Gramm-Leach-Bliley Act.
3. Definitions of potential data broker activities: In contrast to the other data broker laws that remain silent on the terms, SB 2105 establishes broad definitions for “collect,” “process,” and “transfer” as they relate to data activities.
4. Requirements for the registry: A data broker must register with the Texas Secretary of State by filing a registration statement (that includes legal name, contact person, physical address, email, telephone number, website URL, and “a description of the categories of data the data broker processes and transfers”) and paying a $300 fee. There are also additional disclosure requirements for any data broker that has “actual knowledge” that they may store the personal data of a child, defined as an individual younger than 13 years old.
5. Conspicuous public notice: Any data broker that maintains an internet website or mobile app must post a conspicuous notice stating that they are a data broker and that more information is available at the Texas Secretary of State website. Of the four states with data broker laws, California is the only other state to require public disclosures.
6. Security protocols: The law declares that “a data broker conducting business in this state has a duty to protect personal data.” Specifically, data brokers must, among other things:
a. Establish “administrative, technical, and physical safeguards” that are proportional to the entity’s size, the amount of data it collects and stores, and the need for security of the personal data it stores;
b. Designate one or more employees to maintain the security program;
c. Conduct risk assessments;
d. Implement ongoing data security education and training for employees and contractors;
e. Require third-party service providers to implement similar security measures for personal data;
f. Reasonably restrict physical access to records; and
g. Conduct reviews of the security program annually and whenever there is a material change in the data broker’s business practices.
These requirements apply to all personal data. Only one other state, Vermont, included security standards in its data broker law, and the mandate in Vermont only applies to a narrower category of “personally identifiable information.”
7. Enforcement: The Texas Attorney General may impose a civil penalty of $100 per day that the data broker is in violation of the law in addition to any unpaid registration fees. However, the total amount of penalties cannot exceed $10,000 in a 12-month period.
8. Effective date: September 1, 2023 (the registration date is March 1, 2024).
Key Provisions of the Oregon Data Broker Law & Rules
1. Definition of “data broker”: HB 2052 aligns with the definitions featured in Vermont and California, describing a data broker as “a business entity or part of a business entity that collects and sells or licenses brokered personal data to another person.”
- Exclusions: Government entities; consumer reporting agencies; financial institutions; or a business entity that collects data directly from its customers, donors, and/or investors.
2. Definition of “brokered personal data”: The term is broadly defined and includes a list of computerized data elements (e.g., resident’s name, including maiden name; address; any government-issued identification number; etc.) if the data is “categorized or organized for sale or licensing to another person.” The definition also features a catch-all clause that covers “other information that, alone or in combination with other information that is sold or licensed, can reasonably be associated with the resident individual.”
3. Requirements for the registry: First, a data broker must register with the Department of Consumer and Business Services before collecting, selling, or licensing brokered personal data within Oregon. In addition to paying a $600 application or renewal fee, a data broker must submit a short Department form that covers information such as the data broker’s legal name, street address, telephone number, primary website, and e-mail address. Finally, similar to a requirement in Vermont’s data broker law, they must submit a declaration that states:
a. “Whether resident individuals may opt out of all or a portion of the data broker’s collection, sale, or licensing of [their] data.”
b. If so, which of the data broker’s activities or which of the collected information can be opted out of, and what the process is.
c. Whether a resident can authorize an agent to opt out on their behalf and, if so, how they may appoint that person.
Registration is valid through the end of the calendar year.
4. Additional disclosures to the Department: A data broker must notify the Department of any breach of security within 45 days of the breach. It must also notify the Department of any material changes to the information the data broker provided in their application form.
5. Enforcement: The Department of Consumer and Business Services may impose a civil penalty of $500 per day for violations of this law. However, the total amount of penalties cannot exceed $10,000 in a calendar year.
6. Effective date: January 1, 2024.
By January 1, 2024, both Texas and Oregon will have active data broker laws and implementing regulations. This development comes just in time for their comprehensive data privacy laws, which take effect on July 1, 2024. After July 1, residents of both states will have the right to opt out of the sale of their personal data, a right that is more easily exercised with state resources like a data broker registry. Although each law has a different focus—Texas’s data broker law focuses more on data security while Oregon’s emphasizes transparency—both will continue to grow and evolve with the changing data landscape through potential future agency rulemaking, as provided for in both laws.