/>iIn late June, Governor Abbott signed into law SB 2121 and SB 1343, two bills that amend the existing Texas Data Broker Act. The amendments broaden the definition of “data broker” and alter the applicability thresholds (SB 2121), and provide enhanced notice and registration statement requirements regarding how consumers can exercise their privacy rights (SB 1343). As we discuss below, companies that previously assessed and decided that Texas’ data broker law may not apply to them should likely review and re-evaluate this decision in view of these amendments, which become effective September 1, 2025.
Expanded “Data Broker” Definition
To fall under the scope of the data broker law, entities must meet the definition of “data broker” and one of two applicability criteria that are tied to revenue derived from processing or transferring personal data not collected directly from individuals. SB 2121 broadens the definition of “data broker” substantially to mean a “business entity that collects, processes, or transfers personal data that the business entity did not collect directly from the individual linked or linkable to the data.” The italicized text replaces the previous, much narrower text that pulled in only entities “whose principle source of revenue is derived from the collecting, processing, and transferring” of personal data that the entity did not collect directly. This new definition likely means that any business entity which collects personal data from a source other than the individual – the vast majority of companies – may meet the definition of data broker.
Narrowed Applicability Thresholds
While the definition has been broadened, the applicability provisions have arguably been narrowed to require deriving revenue “directly” from processing or transferring personal data not collected directly from individuals. Specifically, in order for the law to apply, an entity that meets the definition of data broker must either derive more than 50 percent of its revenue directly from collecting or transferring personal data that it did not collect directly from individuals, OR derive any amount of revenue directly from processing or transferring the personal data of more than 50,000 individuals that the entity did not collect directly from individuals. The previous language of this section did not require revenue to be “directly” derived from such activities and thus arguably marks a narrowing of the applicability thresholds: “this chapter applies only to a data broker that, in a 12-month period, derives: (1) more than 50 percent of the data broker’s revenue directly from processing or transferring personal data that the data broker did not collected by the data broker collect directly from individuals to whom the data pertains; or (2) revenue directly from processing or transferring the personal data of more than 50,000 individuals that the data broker did not collected by the data broker collect directly from the individuals to whom the data pertains.” Notably, “directly” is not defined in the law and there is no legislative history discussing or indicating the legislature’s intent as to the term.
Of course, there are likely many use cases where revenue is more arguably “directly” generated from collection or transferring of personal data. On the other hand, even in data-intensive industries, like advertising technology, there are likely viable arguments that revenue is not being derived directly from the collection or processing of personal data but rather from the provision of services or success of campaigns. In any event, companies in many industries will likely have to make risk-based decisions regarding the applicability of this law as amended and whether to register as a data broker in Texas.
Changes to Registration and Notice Requirements
The Texas Data Broker law requires data brokers that maintain an internet website or mobile application to provide a notice that, among other things, states that the entity is a data broker. SB 1343 amends the law to require data brokers to also include in the notice how a consumer can “exercise any consumer rights the consumer may have under [the Texas Data Security and Privacy Act (TDSPA)].” Most companies that are in compliance with the TDSPA should already have such information in their online privacy notice. The amendment also now requires, in a data broker’s registration statement, inclusion of “a link to a page on the data broker’s Internet website that provides consumers with specific instructions, which must be prominently displayed, on how to exercise their consumer rights under [the TDSPA], and any other applicable data privacy rights under [the TDSPA].” Companies seemingly could seemingly comply with this section by providing a deep link to the section of their privacy notice which has information on exercising consumer privacy rights. Alternatively, data brokers could create a separate webpage with the required information and provide a link to such webpage.
Other State Data Broker Laws
In addition to Texas, four other states – California, Nevada, Oregon, and Vermont – also have data broker laws in place with specific obligations, including registration (excluding Nevada) and, as to some, processing consumer rights requests. See below for a handy chart that includes certain details regarding these states’ data broker laws.
As Privacy World readers may know, California amended its data broker law through the Delete Act in 2023, with significant changes that come into effect over the course of several years through 2028 (see our blog post for more details). The California Privacy Protection Agency is close to completing rulemaking under the Delete Act, and its proposed regulations would add further complexity and compliance burdens to businesses that qualify as data brokers in California, including most notably the processing of deletion and opt-out requests through the Deletion Request and Opt-Out Platform – or DROP – which is the subject of the CPPA’s forthcoming regulations. The CPPA recently announced a board meeting that will take place on July 24, during which the CPPA Board is likely to vote to approve the proposed regulations. As of the date of this post, the CPPA has not provided any Meeting Records, such as a proposed final draft of the regulations.
Stay tuned to Privacy World for more on this and other pressing topics.
State Data Broker Laws
| State | Registration requirement | Necessary to be registered to do business in state to register as data broker | Consumer rights | Specific Notice Obligations/ Privacy Policy Content | Timing of Registration |
| California | Yes | No | Yes | Yes | Between January 1 and January 31 following each year in which entity meets data broker definition. Must renew registration annually. |
| Nevada | No | N/A | Yes | No | No registration requirement |
| Oregon | Yes | Yes | Yes (seemingly optional) | Unclear, may be needed for explaining consumer rights obligations | Must register prior to collecting, selling or licensing brokered personal data within Oregon. Registration valid until December 31 of the year in which approved, after which need to renew. |
| Texas | Yes | No | No (but requires notice of rights under Texas Data Security and Privacy Act) | Yes | Before conducting business in Texas, a data broker must register. Expires on first anniversary of issuance date, after which must renew |
| Vermont | Yes | No | Yes (seemingly optional) | Unclear, may be needed for explaining consumer rights obligations | Between January 1st and January 31st following each calendar year in which meet data broker definition. Must renew registration annually. |
