Texas Enforces New Data Broker Law with Registration Requirement

Kaamel Lab

Incident Overview

Recently, Texas Attorney General Ken Paxton sent letters to over one hundred companies, reminding them they had not registered as data brokers with the Texas Secretary of State by the legal deadline under Texas's newly implemented Data Broker law. According to Chapter 509 of the Texas Business and Commerce Code and Chapter 106 of Title 1 of the Texas Administrative Code, the deadline for data brokers to register with the Secretary of State was March 1, 2024, failing which they would be subject to fines.

Background of the Incident and the Texas Data Broker Law

With the proliferation of data transactions, companies are increasingly acquiring personal information not directly from the data subject but from third parties. In such cases, the data subject is often unaware, which raises the risk of privacy breaches. As a result, many countries have started to focus on regulating and overseeing data brokers in order to better protect personal data and privacy. Currently, U.S. states such as California, Vermont, and Oregon have laws requiring data brokers to register with the state government under specific regulations.
On September 1, 2023, Texas Senate Bill 2105 (codified into Chapter 509 of the Texas Business and Commerce Code, hereinafter referred to as S.B. 2105) officially took effect. This bill aims to regulate the behavior of data brokers, and its main content is as follows:

1. Definition of Data Broker

S.B. 2105 defines a "data broker" as a business entity whose primary source of revenue comes from collecting, processing, or transferring personal data that it does not collect directly from the individual to whom the data relates or can be related.
It is worth noting that, compared to other states where the definition of a data broker is usually limited to the collection and sale of data, S.B. 2105 expands its scope to include collecting, processing, or transferring data.

2. Scope of S.B. 2105

2.1 Scope of Data

S.B. 2105 applies to all personal data collected, transferred, or processed by data brokers (“personal data” refers to any information related or relatable to a natural person residing in Texas, including pseudonymous data), but does not include:
(1) Deidentified data, provided that the data broker: (a) has taken reasonable technical measures to ensure that the data cannot be used to identify the associated individual, (b) has publicly committed in a clear and prominent manner that it will process and transfer the data only in a deidentified form, does not have any reasonable means to re-identify the data, and will not attempt to identify the individual associated with the data, and (c) contractually binds any recipient of the data to comply with the conditions of this exemption and carries those contractual obligations into any subsequent transfer of the data;
(2) Employee data;
(3) Publicly available information;
(4) Inferences made solely from publicly available information from multiple sources that do not involve sensitive personal data;
(5) Data regulated by the Gramm-Leach-Bliley Act (GLBA, also known as the Financial Services Modernization Act).

2.2 Scope of Data Brokers

S.B. 2105 applies to data brokers who, within a 12-month period, either derive more than 50% of their revenue from processing or transferring personal data they did not collect directly, or profit from processing or transferring such data on more than 50,000 individuals. It does not include:
(1) Service providers, including those who process employee data for third-party employers to provide employee benefits;
(2) Individuals or entities collecting personal data from others with whom they share a common or corporate control relationship, provided that the general consumer can reasonably foresee that these individuals or entities would share data;
(3) Federal, state, tribal, territorial, or local government entities, including agencies, authorities, boards, bureaus, districts, or branches of such government entities;
(4) Entities designated by Congress as nonprofit, serving as national resource centers or information centers to assist victims, families, child service professionals, and the public on issues related to missing and exploited children;
(5) Consumer reporting agencies and other individuals or entities that provide information for inclusion in consumer credit reports or obtain consumer credit reports, but only for activities regulated or authorized by the Fair Credit Reporting Act (FCRA), including the collection, maintenance, disclosure, sale, communication, or use of any personal information related to a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living;
(6) Financial institutions regulated by the Gramm-Leach-Bliley Act (GLBA, also known as the Financial Services Modernization Act).

3. Data Broker’s Notice Obligations

S.B. 2105 stipulates that data brokers maintaining a website or application must post a prominent notice on that website or application, clearly and non-misleadingly stating that the entity maintaining the website or application is a data broker. This notice must be easily accessible to the general public, including people with disabilities, and must include the wording specified by the Secretary of State.

4. Data Broker’s Registration Obligations

S.B. 2105 requires data brokers to register with the Secretary of State. Registration requires the submission of a registration statement and a registration fee of $300.
The registration statement submitted by data brokers must include: (1) the legal name of the data broker; (2) a contact person, as well as the data broker’s primary address, email address, telephone number, and website address; (3) a description of the categories of data processed and transferred; (4) a statement on whether they conduct purchaser qualification reviews; (5) if they knowingly possess personal data of known children, they must also detail the data collection practices, databases, sales practices, and opt-out policies applicable to the personal data of known children, and describe how the data broker complies with applicable federal and state laws regarding the collection, use, or disclosure of children's personal data on the internet; (6) the number of security breaches experienced by the data broker in the year prior to the submission of the registration, and (if known) the total number of consumers affected by each breach. The registration statement may also include any additional information or explanations that the data broker chooses to provide.
The registration certificate expires one year from the date of issuance. Data brokers may submit a renewal application and pay $300 for renewal as required by the Secretary of State.

5. Data Broker’s Protection Obligations: Comprehensive Information Security Program

S.B. 2105 requires data brokers to develop, implement, and maintain an easily accessible comprehensive information security program. The administrative, technical, and physical safeguards in this program must be appropriate to the size, scope, and type of business, the amount of available resources, the amount of data stored, and the need for security and confidentiality of the stored personal data.
In the program, data brokers need to identify and assess internal and external risks that could reasonably be anticipated to threaten the security of personal data records and establish processes to evaluate and improve safeguards. Data brokers need to provide ongoing education and training to employees and contractors and adequately supervise third-party service providers to ensure they implement appropriate security measures.
Data brokers must also regularly review the scope of security measures, conduct reviews at least once a year, and review when there are significant changes in the business that could impact the security and integrity of personal data. In addition, data brokers must regularly monitor to ensure that the program reasonably prevents unauthorized access.

Compliance Recommendations

For companies whose revenue does not come from the collection, processing, and transfer of personal data, simply purchasing or receiving data is not regulated by S.B. 2105. Therefore, in general, companies that purchase and process personal data for purposes such as marketing products or providing services do not need to consider the relevant regulations for data brokers.
For data brokers, when handling personal data of Texas residents, it is necessary to consider the relevant compliance requirements, including posting a notice on the website or application, registering with the Texas Secretary of State and paying the registration fee, and developing and implementing a comprehensive information security program.