As of this post, four states have enacted laws requiring data brokers to register with the state: California, Oregon, Texas, and Vermont. Although most companies have focused their compliance efforts on California, companies should be careful not to overlook the other three states, in particular Texas. We've heard that Texas may have already sent out notice letters to companies for alleged failure to register with the state by March 1, 2024. This post sets out some of the key obligations in the Texas Data Broker law. If you need any help registering as a data broker or evaluating your obligations, please reach out to our team.

Effective Date: The Texas Data Broker law took effect on September 1, 2023. The initial date for companies to register as data brokers was March 1, 2024.

What is a Data Broker: A data broker is defined as “a business entity whose principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly from the individual linked or linkable to the data.”

Registration Requirement: Data brokers must file a registration statement with the Secretary of State and pay a registration fee of $300, renewable annually. The registration statement must include:

  • The legal name, contact person, primary address, and other details of the data broker;
  • A statement of whether or not the data broker implements a purchaser credentialing process;
  • A description of data categories processed and transferred; 
  • The number of security breaches experienced during the preceding year and, if known, the total number of consumers affected by the breach; and
  •  Any additional information regarding the data broker’s data collection practices.

Note that data brokers must comply with additional requirements if they have actual knowledge that they process the personal data of children under 13.

Notice Requirement: Data brokers must provide conspicuous notice on their service that: 

  • States that the company is a data broker;
  • Is clear, not misleading, and readily accessibly by the general public; and 
  • Contains the following language provided by the Secretary of State: THE ENTITY MAINTAINING THIS WEBSITE/MOBILE APPLICATION IS A DATA BROKER UNDER TEXAS LAW. TO CONDUCT BUSINESS IN TEXAS, A DATA BROKER MUST REGISTER WITH THE TEXAS SECRETARY OF STATE (TEXAS SOS). INFORMATION ABOUT DATA BROKER REGISTRANTS IS AVAILABLE ON THE TEXAS SOS WEBSITE. 

Security Requirement: Data brokers are required to develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards tailored to the company size, scope, and type of business. The listed requirements are highly detailed and specific.