On June 18, 2023, Senate Bill 2105 relating to the registration of and certain other requirements relating to data brokers; providing a civil penalty and authorizing a fee was signed by the Governor of Texas following its passage by the Senate and the House respectively. In particular, the bill entered into force on September 1, 2023.

Scope

The bill applies to personal data from an individual that is collected, transferred, or processed by a data broker. 'Data broker' is defined under the bill as a 'business entity whose principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly from the individual linked or linkable to data.'

More specifically, the bill applies to a data broker that, in a 12-month period, derives:

• more than 50 percent of its revenue from processing or transferring personal data that it did not collect directly from the individuals to whom the data pertains; or
• revenue from processing or transferring the personal data of more than 50,000 individuals that it did not collect directly from the individuals to whom the data pertains.

Notice

Data brokers that maintain an internet website or mobile app must post a conspicuous notice on the website or app that:

• states that the entity maintaining the website or app is a data broker;
• is clear, not misleading, and readily accessible by the general public, including individuals with a disability; and
• contains language provided by the rule of the Secretary of State for inclusion in the notice.

Registration

Data brokers must register with the Secretary of State by filing a registration statement and paying a registration fee of $300, with the statement including:

• the legal name of the broker;
• the contact person and primary physical address, e-mail address, telephone number, and internet website address for the data broker;
• a description of the categories of the data the data broker processes or transfers;
• a statement of whether or not the data broker implements a purchaser credentialing process;
• if the data broker has actual knowledge that the data broker possesses the personal data of a known child:
  • a statement detailing the data collection practices, databases, sales activities, and opt-out policies that are applicable to the personal data of a known child; and
  • a statement on how the data broker complies with applicable federal and state law regarding the collection, use, or disclosure of personal data from and about a child on the internet; and
• the number of security breaches the data broker has experienced during the year immediately preceding the year in which the registration is filed and, if known, the total number of consumers affected by each breach.

Registration may also include any additional information or explanation of the data broker. Registration certificates expire on the first anniversary of the issuance of the certificate and may be renewed in the same manner.

Data protection

Notably, the bill also establishes data protection obligations on data brokers, including the development, implementation, and maintenance of a comprehensive information security program. Such a program must contain requirements specified in the bill, including the provision of employee and contractor education and training and regular reviews of the program.

Penalty

Data brokers that violate the bill are liable for a civil penalty of $100 for each day the data broker is found to be in violation, and the amount of unpaid registration feeds for each year the entity failed to register.

You can read the bill here and track its history here.