While the passage of new comprehensive state privacy laws in numerous states grabbed the lion’s share of the privacy headlines throughout 2023, a distinct but related area of regulation was quietly expanding as well: state laws governing and requiring registration of data brokers. A data broker is generally defined as a business that monetizes the data of individuals with whom the business has no direct relationship. In fact, the individual whose data is being monetized might not even be aware that the data broker exists, which is one main impetus behind the increasing regulation of the data broker industry. New data broker laws were passed in 2023 in both Texas and Oregon, bringing us to a total of four states (along with Vermont and California) that will now impose their own requirements on the data broker industry. Existing players in the data broker industry and any other business that processes personal data not collected directly from individual data subjects will need to look carefully at the new laws in Texas and Oregon to determine if they are covered. Both states’ laws are already effective: Texas’ law went into effect on September 1, 2023, while Oregon’s law went into effect on January 1, 2024.
Texas
Texas SB 2105 defines a data broker as any business whose “principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly [from the data subjects].” The law applies only if, in a 12-month period, more than half of the entity’s revenue came from processing or transferring personal data it did not collect directly from individuals, or if the entity earned revenue from processing or transferring such data relating to more than 50,000 individuals. There are several key entity-level exceptions, including exceptions for nonprofits and for financial institutions subject to the federal Gramm-Leach-Bliley Act.
Data brokers subject to Texas law must register with Texas’s Secretary of State, which includes providing details regarding their use of data and paying a filing fee of $300. Notably, the Secretary of State will make this registration information publicly available. Data brokers operating in Texas must also implement a “comprehensive information security program,” which the law outlines in detail. If a data broker has a website or mobile app, the law requires it to post on each a “conspicuous notice” stating that the business is a data broker. Failure to either register as a data broker or post the required notice is punishable by a civil fine of up to $100 per day, plus any unpaid registration fees (up to a maximum of $10,000 against a single entity in a 12-month period). The law further specifies that failure to implement the required comprehensive information security program constitutes a deceptive trade practice under Texas law. The Secretary of State may also adopt additional rules to implement the law.
Oregon
Oregon HB 2052 defines a data broker as a business, or part of a business, that “collects and sells or licenses brokered [personal] data.” Like Texas’s statute, there are several entity-level exceptions, including exceptions for consumer reporting agencies and financial institutions regulated by the federal Gramm-Leach-Bliley Act. Unlike Texas, however, Oregon’s law contains no minimum thresholds for compliance, meaning that a data broker collecting the personal information of even a small handful of Oregon residents is still obligated to comply with the law.
Oregon’s law requires data brokers that collect and sell or license brokered personal data to register with the state’s Department of Consumer and Business Services. To register, a data broker must provide a variety of information, including how a consumer may opt out of the sale of their data if the entity offers such an option. The department is required to make registration information publicly available through its website. Registration is annual and costs $600. Additionally, the department may adopt rules to implement the provisions of the law. If a data broker fails to register in Oregon or to comply with a rule adopted by the department, it faces civil penalties of up to $500 per violation per day (up to a maximum of $10,000 annually).
Going Forward
In addition to these new laws in Texas and Oregon, Vermont continues to require data brokers to register in that state. California also imposed further obligations on data brokers in 2023, expanding the state’s existing regulations with the new Delete Act. (Please see our prior alert regarding the Delete Act here.) Time will tell if this expanded regulation of data brokers becomes a trend that spreads to other states. Still, it is clear that, while companies are rightfully focused on achieving compliance with the numerous new state privacy laws, they should also carefully consider whether they are acting as data brokers within the meaning of the existing laws in California and Vermont, as well as the new laws in Texas and Oregon.