Texas Data Broker Act

The Texas Data Broker Act[1] applies to business entities whose principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly from an individual. The Act requires these entities to register as data brokers with the Texas Secretary of State; post a conspicuous notice on their website or app disclosing that they are data brokers; implement comprehensive information security safeguards to protect personal data; conduct ongoing employee and contractor education; and take measures to ensure third-party service providers maintain appropriate security safeguards.

Read the full text of the Data Broker Act

Overview Of The Texas Data Broker Act

This overview is for informational purposes only and is not legal advice. Please consult your attorney if you have specific legal questions. Texas law prohibits the Office of the Attorney General from providing legal advice, opinions, or representation to private individuals.

Data Brokers Operating In Texas Must Comply With The Requirements Of The Act Including: 

  • Annually registering with the Texas Secretary of State (SOS) and paying required fees; 
    • The registration statement filed with SOS must, among other things, include a description of the categories of data the data broker processes and transfers; 
    • Data brokers with actual knowledge that they possess the personal information of a child (age 12 or under) must include a statement describing how they comply with applicable federal and state law regarding the collection, use, or disclosure of such data. 
  • Posting a conspicuous notice on their websites or mobile applications disclosing that they are data brokers;
  • Implementing a comprehensive information security program to protect personal data. The program must include twelve specific safeguards enumerated in Section 509.007 including: ongoing employee and contractor education and training; measures to ensure third-party service providers maintain appropriate security measures; and annual reviews of the program’s security measures.

Definition Of “Data Broker” And Related Exemptions:

  • “Data Broker” is defined as “a business entity whose principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly from the individual linked or linkable to the data.” “Personal data” is any information that is linked or reasonably linkable to an identified or identifiable individual. 
  • Some “data brokers” are exempt since the Act applies only to data brokers that in a 12-month period derive (i) more than 50 percent of their revenue from processing or transferring personal data, or (ii) revenue from processing or transferring the personal data of more than 50,000 individuals, that was not collected directly from the individuals to whom the data pertains. See Section 509.003.
  • The Act also does not apply to:
    • deidentified data (provided certain conditions are met); 
    • employee data;
    • publicly available information;
    • inferences that do not reveal sensitive data that is derived from multiple independent sources of publicly available information; 
    • service providers that process employee data for a third-party employer; 
    • persons or entities that collect personal data from another person or entity to which they are related by common ownership or control where it is assumed a reasonable consumer would expect the data to be shared; 
    • governmental entities; 
    • nonprofits; 
    • consumer reporting agencies engaged in activity regulated or authorized by the Fair Credit Reporting Act; or 
    • data subject to the Gramm-Leach-Bliley Act or financial institutions subject to the Act. 

Enforcement:

  • Only the Texas Attorney General has authority to enforce the Act and may seek a civil penalty in an amount not less than the total of “$100 for each day the entity is in violation,” as well as the amount of unpaid registration fees for each year an entity fails to register. Penalties under the Act may not exceed $10,000 in a 12-month period. 
  • In addition, violations of Section 509.007 (requiring a comprehensive information security program) are a deceptive trade practice which the Attorney General may enforce under the Texas Deceptive Trade Practices Act.  
  • File a complaint regarding data brokers with the Texas Attorney General.

Secretary Of State’s Registry And Regulations:

  • The Texas Secretary of State is the filing officer for data broker registration and will maintain on its website a searchable central registry of registered data brokers.  The SOS does not investigate alleged violations of the data broker law. Visit the SOS website.

Effective Date:  September 1, 2023. 


[1] Tex. Bus. & Com. Code Ann. Ch. 509.