On June 18, 2023, Texas Governor Greg Abbott signed SB 2105 into law. Titled “AN ACT relating to the registration of and certain other requirements relating to data brokers; providing a civil penalty and authorizing a fee,” the law becomes the third data broker law, after that of Vermont and California, to require registration. Even though SB 2105 does not take effect until September 1, 2023, Texas data brokers should familiarize themselves with its requirements. The regulations contained in SB 2105 are significantly more stringent than data brokers operating in other states may be accustomed to.
Who Does Texas’ New Data Broker Law Apply to?
The Texas data broker law applies to entities that, within a 12-month period:
- Make at least 50% of their revenue from the processing or transferring of personal data that the data broker did not collect directly from the individuals to whom the data identifies; or
- Profits from the processing or transferring of the personal data of more than 50,000 individuals from whom the data broker did not directly collect the data.
SB 2105 defines an “individual” as “a natural person residing” in Texas. One immediately noticeable difference between the Texas data broker law and those of Vermont and California is that it applies to entities that “process or transfer” personal data. This is notable because other state data broker laws only apply to entities that “sell” personal data. This closes a loophole through which data brokers in other states may claim that they are not subject to regulation because all they do is “transfer” data.
SB 2105 defines “personal data” to include “pseudonymous data.” This is important because data brokers often combine multiple data sets, wherein individual pieces of data combine to identify a particular individual. By regulating pseudonymous data, data brokers will not be able to avoid regulation through a practice of breaking up an individual’s personal information into various data sets for storage or transmission.
What are Some Key Provisions of the Texas Data Broker Law?
The primary purpose of SB 2105 is to address privacy, data security, discrimination, and transparency concerns. Texas data brokers will need to register with the Secretary of State by filing a registration statement and paying a registration fee of $300. This registration fee will need to be renewed, and the $300 fee paid, annually.
Texas’ new data broker law also includes comprehensive information security program requirements. Among other obligations, Texas data brokers must:
- Incorporate safeguards that are consistent with those required under similar state and federal laws;
- Account for ongoing employee and contractor training on the proper use of data security procedures and protocols;
- Provide a means for detecting and preventing security system failures; and
- Encrypt all personal data that will travel across public networks or be transmitted wirelessly.
SB 2105 authorizes the Texas Attorney General to bring enforcement action against any data broker that violates the law’s provisions. Under the new law, a civil penalty will be assessed in an amount of not less than “$100 for each day the entity is in violation.” Penalties may not exceed $10,000 in a 12-month period. The Attorney General is also authorized to recover reasonable attorney’s fees and court costs.
Hire Experienced Data Privacy Attorneys to Comply with the Texas Data Broker Law
Texas’ new data broker law will take effect on September 1, 2023. Data brokers operating in Texas will gain more clarity on how to comply with the law once the Secretary of State promulgates regulations in accordance with SB 2105. The Secretary of State will have until December 1, 2023 to do so. Even though this is several months away, Texas data brokers should begin the compliance process now. Remember that SB 2105 is considerably more stringent than laws governing data brokers in other states. Furthermore, civil penalties accrue by the day, and putting compliance measures in place is not an instantaneous process. The attorneys at Klein Moynihan Turco have years of experience in advising companies on comprehensive privacy law compliance and are well-equipped to keep your business updated on significant regulatory developments.
The material contained herein is provided for information purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.
Similar Blog Posts: