On September 1, 2025, the amendments to the Texas Data Broker Act (the Act) became effective. The Act, which originally came into effect on September 1, 2023, defines “data brokers” as business entities that derive their principal source of revenue from collecting, processing, or transferring personal data that they did not collect directly from consumers. The law requires data brokers to post an online notice of their status as data brokers, register annually with the Texas Secretary of State (the SOS), and implement a written information security program. The newly enacted amendments expand the scope of required disclosures in data brokers’ online notices and annual registration filings.
Enhanced Online Notice Requirements
Under the Act prior to the amendments, data brokers operating a website or mobile application were required to post a clear, accurate, and readily accessible online notice that:
- Identifies the entity as a data broker.
- Includes language prescribed by the SOS, which has not yet been issued.
The amendments require data brokers to add information to their online notices about how consumers can exercise their privacy rights under the Texas Data Privacy and Security Act. This addition aims to improve transparency for consumers as to the rights available to them under Texas’s privacy regime.
Expanded Annual Registration Disclosures
The Act prior to the amendments required data brokers to submit an annual registration to the SOS that includes the following information:
- Legal name of the data broker and contact person at the data broker.
- Primary physical address, email address, telephone number, and website of the data broker.
- Whether the data broker uses a purchaser credentialing process. The Act does not define “purchaser credentialing process,” but the Guidance on the Vermont Data Broker Regulation by the Vermont Attorney General suggests that such a process would likely refer to the process for verifying data purchasers’ identities and confirming their legitimate business purposes for acquiring personal data.
- Certain details regarding the practices of the data broker concerning the processing of personal data of known children under the age of thirteen, including measures the data broker takes to comply with applicable state and federal children’s privacy laws.
- The number of security breaches experienced in the past year and, if known, the total number of consumers affected by each breach.
The amendments add a new requirement for data brokers to include in their registration a link to a webpage that prominently displays specific instructions for consumers on how to exercise their privacy rights under the Texas Data Privacy and Security Act.
Enforcement
The Act’s enforcement provisions remain unchanged by the amendments. The Texas Attorney General can impose a civil penalty of $100 per day for noncompliance, in addition to any unpaid registration fees. But total penalties are capped at $10,000 in any twelve-month period. A violation of the Act also constitutes a deceptive trade practice enforceable under the Texas Deceptive Trade Practices Act.
Alston & Bird’s Privacy, Cyber & Data Strategy Team will continue to monitor developments in state data broker laws and regulations, including implementation guidance and enforcement trends. If you have questions about how data broker laws may affect your organization, need assistance with compliance planning, or would like to discuss tailored strategies, please do not hesitate to contact us. We welcome your inquiries and are here to help.