Understanding the New Data Broker Registration Laws

January 25, 2024

Privacy Plus+

Privacy, Technology and Perspective

This week, let’s highlight four states (California, Vermont, Oregon, and Texas) that have enacted data broker registration laws, and compare California's pioneering “Delete Act” with the new data broker law in Texas.

The Evolving Landscape of Data Broker Regulation

Data brokers (entities that collect, process, transfer or sell personal data that they did not collect directly from consumers) have long operated in a largely unregulated space.

Why?

Because most consumer privacy laws focus on the entities that collect personal data directly from consumers.  Because data brokers and consumers have an indirect relationship, there is little transparency or accountability for the type of data collected, who accesses it, or how it's safeguarded.

Recognizing the risks this poses to data privacy, states like California, Vermont, Oregon, and Texas have introduced laws requiring data brokers to register with the state. This registration typically involves providing basic company information, a link to their privacy policy, and paying a fee to be listed on a publicly accessible registry. Such measures aim to increase transparency where otherwise consumers would remain in the dark about the existence of these data brokers, the extent of information gathered about them, the accuracy of this data, and how it’s shared, used, and secured.

Links to each of the laws follow:

California:

https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202320240SB362

Vermont:

https://legislature.vermont.gov/statutes/section/09/062/02447

Oregon:

https://olis.oregonlegislature.gov/liz/2023R1/Measures/Overview/HB2052

Texas:

https://statutes.capitol.texas.gov/Docs/BC/pdf/BC.509.pdf

California's Delete Act: An Overview

Registration and Oversight of Data Brokers: The California Delete Act shifts the responsibility of data broker registration from the Attorney General to the recently formed California Privacy Protection Agency (CPPA). Data brokers must now annually register with the CPPA, pay the required fee, and provide detailed information about their data collection and processing activities.

Accessible Deletion Mechanism: The key feature of the California Delete Act is the requirement that the CPPA establish an accessible deletion mechanism by January 1, 2026. As envisioned, this mechanism will allow consumers to make a single request to delete their personal information from all registered data brokers' databases. Data brokers must then process such deletion requests every 45 days. Additionally, from August 1, 2026, upon fulfilling a consumer's deletion request, data brokers are prohibited from selling or sharing any new personal information of that consumer.

Regular Compliance Audits: Starting January 1, 2028, data brokers are required to undergo independent audits every three years to ensure compliance with the Delete Act. These audits are intended to assess compliance with privacy regulations and the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).

Penalties for Non-Compliance: The Delete Act imposes penalties, including administrative fines and fees, on data brokers that fail to comply with its requirements.

Fund Management and Utilization: The Delete Act reassigns the management of the Data Brokers’ Registry Fund to the CPPA. The fund's scope is broadened to include costs related to enforcing the act and maintaining the deletion mechanism.

Statute of Limitations: The Act also sets a limitation period for initiating administrative actions, stipulating that such actions cannot start more than five years after a violation occurs.

Compare Texas:

Broader Definition of “Data Broker”: As compared to the California Delete Act, the new Texas law broadly defines the term “data broker” to include business entities “whose principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly from the individual linked or linkable to the data.” California’s law covers companies that “sell” personal information that they have indirectly collected, but may not cover those that generate revenue from sharing such data.

Data Broker Registration and Requirements: In Texas, data brokers must register with the Texas Secretary of State, pay a $300 fee, and provide information about their data practices. The law mandates that the Secretary of State maintain a searchable, central registry of data brokers on its website.

Protection of Personal Data: Under the Texas law, each data broker has a “duty to protect personal data held by that data broker,” and must maintain a comprehensive written information security program (WISP) with administrative, technical, and physical safeguards. The WISP must align with state and federal laws, designate one or more employees to maintain the program, and identify and assess risks to personal data. The program must include employee training, policies for third-party service providers, access controls, and regular monitoring for unauthorized access or use of personal data.

Civil Penalties and Deceptive Trade Practices: Data brokers violating the Texas registration requirements are liable for civil penalties, but fines are capped and may not exceed $10,000 in a 12-month period. However, the law does provide that violations of the personal data protection requirements constitute an actionable deceptive trade practice.

Our Thoughts:

For consumers, these laws offer enhanced control and protection over their personal data, and answer the growing demand for technical solutions for data privacy.

For data brokers, these laws mean increased scrutiny, direct compliance requirements, and possibly a need to reevaluate their business models. In California, the Delete Act’s opt-out mechanism may lead to a substantial decrease in the amount of data available for brokers to sell.

As these laws take effect and their impacts become more evident, they are likely to influence future legislation both within the United States and globally. Businesses, particularly those operating in the data brokerage sector, will need to stay informed and adapt to these changing regulations.

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet, and technology. Open the Future℠.
