The Bottom Line
- The number of data broker laws in the U.S. has now doubled to four, and more could be on the way.
- The laws vary in terms of registration requirements and opt-out rights.
- The laws allow for the state to impose fines, but do not allow for a private right of action.
Four states now have laws that create rules and registration requirements for data brokers.
While initially limited to Vermont's 2018 Data Broker Act and California's 2019 law, amended by the Delete Act on October 10, 2023, Texas and Oregon recently passed their own laws. Texas Gov. Greg Abbott signed SB 2105 into law on June 18, 2023, then Oregon Gov. Tina Kotek's signed HB 2052 on July 27, 2023. The Texas Act went into effect on September 1, 2023, while the Oregon Act becomes effective on January 1, 2024.
Although the Texas Act and Oregon Act have features in common with their counterparts in Vermont and California, there are some key differences.
Who is a "Data Broker"
The Oregon Act largely follows Vermont's and California's definitions of "data broker" as a business that collects and sells or licenses to a third party the personal data of another person that the business does not have a direct relationship with. By contrast, the Texas Act's definition — "a business entity whose principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly from the individual linked or linkable to the data" — is at once both broader and more restrictive than the other states' laws.
Rather than limit the law's coverage to companies that both "collect" and "sell or license" data, the Texas Act applies to the "collecting, processing, or transferring" of personal data, which subsumes a much wider range of activities and makes it harder for businesses to claim that they are exempt. Additionally, the Texas Act abandons the prevailing "direct relationship" standard, instead covering data "that the entity did not collect directly from the individual." This means that companies could, in theory, be treated as data brokers with respect to information about their own customers or employees, provided that the data was collected from a third-party source.
At the same time, the Texas Act only applies to business entities "whose principal source of revenue is derived from" collecting, processing or transferring data not collected directly from the individual. In particular, the law only applies to data brokers that, in a 12-month period: (1) derive more than 50% of revenue from processing or transferring such data; or (2) derive revenue from processing or transferring data of more than 50,000 individuals. These threshold requirements will exempt many businesses from the law.
Data Broker Registration Requirements
While the Vermont and California acts require data brokers to register annually by a set date (January 31 under both laws), Texas and Oregon have departed from this approach and simply require that data brokers register prior to conducting business in their respective states. This means that data brokers operating in Texas and Oregon must register as soon as those states' registration mechanisms become operational. At this time, it is unclear when those registries will open. Under the Texas Act, a registration expires on the first anniversary of its date of issuance, after which a data broker may file a renewal application. The Oregon Act says that registration is valid until December 31 of the year that it was approved, which leaves some ambiguity as to whether registrations issued in the third or fourth quarters will only be effective for a matter of months.
Information required for registration under the Oregon Act is minimal. It includes the data broker's name, address, phone number, website and email address. The Oregon Act, similar to Vermont, requires a declaration as to whether the data broker provides consumers the choice to opt out of the collection, sale or licensing of brokered personal data, as well as information about the scope of such opt-out rights and how they can be exercised. However, there is no mandate to offer opt-out rights or disclose them on the data broker's website.
While the Texas Act does not require a declaration of opt-out rights, it echoes Vermont's registration requirements in all other respects, and expands upon them with two additional items not found in any of the other three state laws: (1) a description of the categories of data that the data broker processes and transfers and (2) a statement on how the data broker complies with applicable federal and state law regarding the collection, use or disclosure of personal data from and about a child on the internet.
Texas Data Security and Transparency Requirements
The Texas Act goes beyond registration and requires that data brokers implement a comprehensive information security program with physical, organizational and technical security controls. The scope and contents of these requirements are nearly identical to those found in the Vermont Act. However, Vermont's data security requirements only apply to a narrow category of "personally identifiable information," which is similar to the types of data covered by U.S. state breach notification laws. The Texas Act, by contrast, requires security controls for all "personal data," defined as "any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual," including pseudonymous data when used in conjunction with additional data that can link it to an identified or identifiable individual. As such, while data security requirements are not new to data brokers in the U.S., Texas has significantly expanded the scope of these requirements.
The Texas Act also requires that data brokers provide clear and accessible notice stating that the entity maintaining the online service is a data broker. Additional disclosure requirements may be adopted by the Texas Secretary of State later. Texas is the only other state, besides California, to require that data brokers make conspicuous privacy disclosures.
Data Broker Law Enforcement
The Oregon Act allows civil penalties of $500 per day that a violation of the law occurs, capped at $10,000 per calendar year. Under the Texas Act, violations of the registration and privacy disclosure requirements amount to $100 per day, not to exceed $10,000 in a given 12-month period. However, violations of the Texas Act's data security rules are treated as a deceptive practice under the Texas Deceptive Trade Practices Act, which allows the Texas Attorney General to seek penalties of up to $10,000 per violation.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
