Data Broker Rulemaking in Texas and Oregon

Sheppard Mullin Richter & Hampton LLP

[co-author: Kathryn Smith*]

Both Texas and Oregon recently adopted rules that will, among other things, implement a registry required by both states’ data broker laws. The Texas law went into effect September 1, 2023, and the Oregon law will go into effect January 1, 2024. Both are similar to laws in Vermont and California.

Texas defines data brokers more broadly than Oregon, namely entities whose “principal source of revenue” comes from collecting or transferring personal information that the entity did not itself collect. However, the requirements under the law apply only to those data brokers who over the last 12 months received 50% or more of their revenue from data broker activity or of 50,000 or more individuals. Under the Texas law, data brokers must, inter alia, register with the Texas secretary of state and post a privacy policy on their website saying that they are data brokers. The law called for the Texas secretary of state to create language for this notice, which it has done for both websites and apps. The notice is lengthy, especially in a mobile context.

With respect to the registry, the new Texas rules address the law’s requirement that data brokers register and renew annually. Those subject to the law should keep in mind that it requires disclosure not just of contact information, but also of the number of breaches the data broker has suffered and whether the broker knows that it has information about children. These disclosures are no doubt linked to the law’s obligations around data security, something lacking in the Oregon law. Namely, in Texas, brokers must have a “comprehensive information security program” that includes training. It also needs to include vendor oversight.

The Oregon registry process is an interim one, given that the law is going into effect in a little over two weeks. Data brokers covered by the Oregon law must submit not only contact information, but also answers to some specific questions. These include whether individuals can opt out of having their information brokered, and how they can do so.

*Kathryn Smith is a fellow in the firm’s Chicago office.

Putting it Into Practice: These rulemaking activities are a reminder that data broker activities are in legislators’ minds. The obligations under these laws are for specific types of activities, but reflect a broader trend on concerns with sharing and “selling” of personal information, and are a reminder that companies may want to look at their practices even if not “brokers.”

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising
