Texas Enacts US’ Most Robust Data Broker Registry Law

[Update October 2023: the California Delete Act aka SB 362 was signed into law on October 10, 2023 by Governor Newsom. My analysis of the law can be found here.]

There has been a lot written, and justifiably so, about Texas becoming the 10th state (and 5th in 2023) to pass a comprehensive privacy law when Governor Abbott signed HB 4 aka the Texas Data Privacy and Security Act (TDPSA). What has not gotten any significant press is that Governor Abbott also signed another Texas privacy bill, SB 2105, that makes Texas the third state (after Vermont and California) to require data brokers to register with the state and have some additional level of regulation. [Update: Oregon became 4th in July 2023]. In fact, Texas now has the most robust data broker registry law in the US, i.e., more so than the other two states (although if the California Delete Act, aka Cal SB 362, passes, it will blow away Texas’ and Vermont’s data broker laws, given that it will create a portal to enable global deletions from data brokers). In this blog post, I will spell out how Texas SB 2105 goes beyond Vermont’s and California’s laws.

[And full disclosure, I am a volunteer policy advisor to the great folks at Texas Appleseed (the civil society group behind the bill that partnered with State Senator Johnson on this bill) and worked closely with the team to shape this bill throughout the process (e.g., I added some of the registration requirements such as requiring data brokers to disclose if they collect kids’ data or if they have breached). I am also the person who proposed the California Delete Act to my local State Senator (Josh Becker) and co-drafted the bill.]

Motivation Behind SB 2105

The team at Texas Appleseed and I set out to better regulate data brokers in Texas. Our rationale was the following (per an unpublished Texas Appleseed FAQ on SB 2105):

“Privacy, data security, discrimination, and transparency concerns are some of the most dominating reasons that data broker businesses have come under scrutiny. The data broker industry is largely unregulated, with very few laws governing a very narrow category of data brokers. Little to no accountability exists regarding what type of data can be collected, who has access to the data, or how it is protected. For example, many data brokers collect sensitive health data that is aggregated through website visits and purchase history, but data brokers are not regulated under Health Insurance Portability and Accountability Act (HIPAA). Regulating data brokers will help ensure that these businesses are handling consumers’ data in a responsible and ethical manner. Most consumers are not aware that data brokers exist, let alone what personal information data brokers have collected, the accuracy of the information, and how that information is being used. Regulating data brokers will help give people more control over their personal data, ensure that personal data is kept secure and protected from data breaches, and prevent discrimination in employment, housing, or credit decisions.”

Of particular interest to Texas Appleseed was that the lack of regulation of data brokers was “particularly problematic for vulnerable populations, such as survivors of domestic violence, victims of human trafficking, youth, and older adults.” Furthermore, “the current state of the law enables and facilitates harmful actions by abusers, fraudsters, and scammers who can easily glean information from the Internet and use it to perpetuate abuse and fraud.” (Quoted from this document.)

These concerns dovetail with what I wrote about data brokers in my book Containing Big Tech where I noted that anyone with a credit card can easily buy incredibly sensitive personal information about us, including tracking our precise geolocation.

The Framework Behind SB 2105

We realized that Texas is a conservative “red” state and that it could be negatively perceived by Texas politicians if we modeled a data broker law after a “blue” state law such as California’s or Vermont’s. Fortunately, robust data broker regulation was included in the proposed federal bill called the American Data Privacy and Protection Act (ADPPA). This bill received all Republican votes in the House Energy and Commerce Committee in 2022, including those of a number of Texas congressmen such as conservative Dan Crenshaw. (Note that the ADPPA did not make it to a House floor vote because of concerns by then-Speaker Pelosi regarding the issue of preemption.)

Besides having a registry, we did originally have the language to enable a global deletion (à la the DELETE Act proposed by Senators Ossoff and Cassidy, what is in the currently proposed California Delete Act, and what was also called for in the ADPPA), but that was too much of an ask in this political go-around, so instead we focused on delivering a robust registry law that imposed significant transparency and security requirements on data brokers. Senator Johnson does a nice job of spelling out what’s in the law in this video.

How SB 2105 is More Robust than Other State Laws

SB 2105 leapfrogs California’s and Vermont’s data broker registry laws in a number of ways.

First, the Texas law’s definition of a data broker is broader. California’s data broker law defines a data broker as a business that “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” So, a data broker is defined in part as an entity that must “sell” personal data. But what we have found is that data brokers will “share” the data and claim they are not technically selling it, which lets them weasel their way out of registering. Texas avoids this by defining a data broker as an entity that gets its revenue from “collecting, processing, or transferring” personal data that it did not collect directly from the consumer. So, the use of “processing or transferring” vs. “selling” means that it will be harder for data brokers to claim they don’t have to register, and I believe this will result in a higher registration number in Texas.

Second, SB 2105’s definition of “personal data” includes pseudonymous data (as does HB 4’s). Pseudonymous data is information that is “used by a controller or processor in conjunction with additional information that reasonably links the information to an identified or identifiable individual.” But data brokers are very good at combining multiple data sets to link bits of data to an individual. Other states do not have that in their definition of personal data. Historically, data brokers may claim they don’t have personal data, even when their data can in fact eventually identify people, and thus may not register. So, Texas’ data broker registry can hopefully cast a wider registration net given its broader definition of personal data.

Third, SB 2105 requires data brokers to specify if they collect data on children and if they have been breached. Vermont asks about collecting kids’ data but California does not, and neither of the other two state data broker registry laws asks about breaches. I tried to add the latter as a registration requirement with my California SB 1059 bill but the industry squawked and SB 1059 got killed. So, for the first time, we will be able to see from the Texas data broker registry which data brokers have “fessed up” to being breached. These registration requirements were ones I specifically had added to the bill during its drafting.

Fourth and finally, the Texas law requires data brokers to really step up their information security program game. There are nearly five pages of requirements for data brokers, more than what you see in any state privacy law, and nothing comparable in the two other states’ data broker laws. Given that many of the largest data brokers have been hacked, this will up the ante for getting data brokers to protect our personal data better.

Eyes Back to California

I know many people may say “But it’s just a registry.” But at least we get more transparency with respect to data brokers, as they have historically operated in the dark. But yes, I agree, a registry and more transparency are pretty good things to have, but what we really need to do is empower consumers to easily get their data deleted and to tell data brokers to no longer track them.

That’s what the California Delete Act aka SB 362 is about. So if Texas has leapfrogged California and Vermont in their data broker registry laws, SB 362 leapfrogs all of these laws by 5x. SB 362 builds upon the existing data broker registry we have here in California and our existing privacy law. The bill would create a webpage (managed by the California Privacy Protection Agency) that would let consumers request the deletion of their personal information from each registered data broker’s databases. The bill also requires data brokers to report what information they collect on consumers, including reproductive healthcare data and imposes civil penalties and fines on data brokers who fail to comply with the deletion requirements.

[Also made misc. updates in Aug and Sept 2023 to this blog post, e.g. Oregon becoming 4th state.]
