On June 20, 2025, the Texas governor signed two bills amending the Texas Data Broker Act (also the “Act”) into law (SB 2121 and SB 1343). Both bills went into effect on September 1, 2025.
Most notably, SB 2121 expands the definition of “data broker” to a business entity that “collects, processes, or transfers personal data that the business entity did not collect directly from the individual linked or linkable to the data.” Under the previous version of the statute, “data broker” was defined as an entity whose “principal source of revenue” is derived from data broker activities. This qualifying language excluded from the scope of Texas’s data broker registration law a number of entities that may have been required to register under the data broker registration laws in other states. SB 1343, meanwhile, requires data brokers to include information on their websites and in their registration statements about how consumers can exercise their privacy rights under the Texas Data Privacy and Security Act (TDPSA).
Companies should evaluate their data collection practices under the amended version of the statute to assess whether they now fall within the statute’s scope. Entities that had previously concluded they were not required to register in Texas (based on the “principal source of revenue” language) may now fall under the scope of the law and be subject to Texas’s heightened requirements, including Texas’s specific security and disclosure obligations. It is important for entities to proactively conduct this assessment, given that the Texas AG’s office in the past has actively reached out to companies (registered in other states) for failing to register in Texas.
This evaluation is also important because the Texas AG’s office continues to be one of the top data privacy regulators in the country with a recent focus on data broker activities. Indeed, one of the supplemental claims raised in the Texas AG’s first ever lawsuit under the TDPSA was that the company also failed to register as a data broker with the Secretary of State. The cost of noncompliance under the Texas Data Broker Act is $100 per day for each day the data broker is violating the law, not to exceed $10,000 in a 12-month period. However, failure to register and other forms of delayed compliance may also invite heightened scrutiny of a company’s overall operations and, ultimately, an enforcement action as a result of the company’s overall data practices.
In this post, we summarize the key provisions of SB 2121 and SB 1343 and recap current obligations under Texas’s data broker law. To stay up to date on the latest developments in the data broker legal landscape, please subscribe to the WilmerHale Privacy and Cybersecurity Law Blog.
Current Obligations On Data Brokers Under Texas Law
Data security is a core element of the Texas Data Broker Act. As we’ve noted before, the Act imposes a duty on data brokers to “protect personal data” and outlines certain protocols to assist them in doing so, including establishing “administrative, technical, and physical safeguards” proportional to the organization’s makeup and data collection practices (a requirement that is extended to third-party service providers), designating employees to maintain the security program and oversee its annual review, conducting risk assessments, reasonably restricting physical access to records, and implementing ongoing security training for employees and contractors.
In addition to security requirements, the Act requires data brokers to post a conspicuous public notice on their websites or mobile apps identifying themselves as data brokers. This is a notable difference from other data broker registration laws (which only require posting a public entry on the state regulator’s website identifying the company as a registered data broker).
Key Provisions of SB 2121
Definition of “Data Broker”
- SB 2121 defines “data broker” as “a business entity that collects, processes, or transfers personal data that the business entity did not collect directly from the individual linked or linkable to the data.” Business and Commerce Code § 509.001(4).
- Exclusions: Service providers, government entities, nonprofits, consumer reporting agencies, financial institutions.
Applicability
- SB 2121 makes the Texas Data Broker Act applicable only to a data broker that, in a 12-month period, derives:
(1) more than 50 percent of the data broker’s revenue directly from processing or transferring personal data not collected by the data broker directly from the individuals to whom the data pertains; or
(2) revenue directly from processing or transferring the personal data of more than 50,000 individuals not collected by the data broker directly from the individuals to whom the data pertains. Business and Commerce Code § 509.003(a).
Key Provisions of SB 1343
Notice on Website or Mobile Application
- A data broker that maintains an Internet website or mobile application shall post a conspicuous notice on the website or application that:
(1) states that the entity maintaining the website or application is a data broker;
(2) is clear, not misleading, and readily accessible by the general public, including individuals with a disability;
(3) contains language provided by rule of the secretary of state for inclusion in the notice; and
(4) informs a consumer how to exercise any consumer rights the consumer may have under Chapter 541. Business and Commerce Code § 509.004.
Data Broker Registration Statement
- In addition to other requirements listed under this provision, the registration statement must also include:
(2-a) a link to a page on the data broker’s Internet website that provides consumers with specific instructions, which must be prominently displayed, on how to exercise their consumer rights under Section 541.051, and any other applicable data privacy rights under Chapter 541. Business and Commerce Code § 509.005(b).