Key point: The scope of Texas’ data broker registration law will change on September 1, 2025.
Two changes to Texas’ data broker registration law go into effect on September 1, 2025.
The more significant change is through SB 2121. That bill modifies the law’s definition of data broker by removing the requirement that the collection, processing, or transferring of personal data that the entity did not collect directly from the individual be the “principal source of revenue” for the entity. “Data broker” is now defined as “a business entity that collects, processes, or transfers personal data that the business entity did not collect directly from the individual linked or linkable to the data.”
SB 2121 also amends the law’s applicability provision in Section 509.003(a). As amended, the law will now apply to a data broker that, in a 12-month period, derives “(1) more than 50 percent of the data broker’s revenue directly from processing or transferring personal data not collected by the data broker directly from the individuals to whom the data pertains; or (2) revenue directly from processing or transferring the personal data of more than 50,000 individuals not collected by the data broker directly from the individuals to whom the data pertains.”
The law continues to maintain certain entity- and data-level exemptions, which entities should review when determining its applicability. However, entities — especially those registered as data brokers in other states who previously concluded that the Texas law did not apply to their operations — should carefully examine these changes in the law’s scope.
The second bill, SB 1343, modifies the law’s notice provisions to require data brokers to inform consumers how to exercise their rights under the state’s consumer data privacy law, the Texas Data Privacy and Security Act (TDPSA). It also requires data brokers to include in their registration statement a “link to a page on the data broker’s Internet website that provides consumers with specific instructions, which must be prominently displayed, on how to exercise their consumer rights under Section 541.051 [of the TDPSA], and any other appliable data privacy rights under Chapter 541.”
These changes present an opportunity for registered data brokers to review their disclosures for compliance with Texas law. For example, through rulemaking, the Texas attorney general requires data brokers to provide a disclosure on their websites and mobile applications. The required website disclosure must contain the following language:
The entity maintaining this website is a data broker under Texas law. To conduct business in Texas, a data broker must register with the Texas Secretary of State (Texas SOS). Information about data broker registrants is available on the Texas SOS website.
In addition, Texas data brokers are required to develop, implement, and maintain comprehensive information security programs.
