Texas Data Broker Act: Another Privacy Framework at the State Level

In Europe, we often talk about complex and over regulated environments. But the U.S. has its own unique challenge: in addition to federal laws, states are creating their own privacy and data protection rules. The example is Texas, a state often seen as a “freedom-first” environment, which implemented data broker obligations to protect consumer privacy and improve cybersecurity.

What the Texas Data Broker Act Requires

The law applies to business entities whose main source of revenue comes from collecting, processing, or transferring personal data that they did not collect directly from individuals.

Data brokers must:

✅ Register annually with the Texas Secretary of State, paying required fees.

✅ Disclose their status by posting a clear notice on websites or mobile apps.

✅ Maintain a comprehensive information security program with administrative, technical, and physical safeguards (see Sec. 509.007).

✅ Train employees and contractors regularly on data security practices.

✅ Supervise third-party service providers and ensure contracts include security requirements.

✅ Encrypt sensitive data, implement access controls, monitor systems, and enforce password and authentication protocols.

✅ Conduct annual reviews of their security program, and perform post-incident reviews after breaches.

✅ Failure to comply can lead to civil penalties (at least $100 per day, capped at $10,000 annually) and classification of violations as deceptive trade practices enforceable by the Texas Attorney General.

Who Is Covered and Who Is Exempt?

☑️ The Act defines a “data broker” as an entity whose primary business is monetizing personal data collected indirectly.

Exemptions include:

✅ De-identified data

✅ Employee data

✅ Publicly available information

✅ Nonprofits, government entities, and certain regulated industries (e.g., financial institutions under GLBA, consumer reporting agencies under FCRA)

Link to the Act

Author: Sebastian Burgemejster