Both Texas and Oregon recently adopted rules that will, among other things, implement a registry required by both states’ data broker laws. The Texas law went into effect September 1, 2023, and the Oregon law will go into effect January 1, 2024. Both are similar to laws in Vermont and California.
Texas defines data brokers more broadly than Oregon, namely as entities whose “principal source of revenue” comes from collecting or transferring personal information that the entity did not itself collect. However, the requirements under the law apply only to those data brokers who over the last 12 months received 50% or more of their revenue from data broker activity or of 50,000 or more individuals. Under the Texas law, data brokers must, inter alia, register with the Texas secretary of state and post a privacy policy on their website saying that they are a data broker. The law called for the Texas secretary of state to create language for this notice, which it has done for both websites and apps. The notice is lengthy, especially in a mobile context.
With respect to the registry, the new Texas rules address the law’s requirement that data brokers register and renew annually. Those subject to the law should keep in mind that it requires disclosure not just of contact information, but also of the number of breaches the data broker has suffered and whether the broker knows that it has information about children. These disclosures are no doubt linked to the law’s obligations around data security, something lacking in the Oregon law. Namely, in Texas, brokers must have a “comprehensive information security program” that includes training. The program also needs to include vendor oversight.
The Oregon registry process is an interim one, given that the law is going into effect in a little over two weeks. Data brokers covered by the Oregon law must submit not only contact information, but also answers to some specific questions. These include whether individuals can opt out of having their information brokered, and how they can do so.
Putting it Into Practice: These rulemaking activities are a reminder that data broker activities are on legislators’ minds. The obligations under these laws apply to specific types of activities, but they reflect a broader trend of concern about the sharing and “selling” of personal information, and are a reminder that companies may want to look at their practices even if they are not “brokers.”