Both Texas and Oregon recently adopted rules that will, among other things, implement a registry required by both states’ data broker laws. The Texas law went into effect September 1, 2023, and the Oregon law will go into effect January 1, 2024. Both are similar to laws in Vermont and California.
With respect to the registry, the new Texas rules address the law’s requirement that data brokers register and renew annually. Those subject to the law should keep in mind that it requires disclosure not just of contact information, but also disclosing the number of breaches the data broker has suffered, and if the broker knows that it has information about children. These disclosures are no doubt linked to the law’s obligations around data security, something lacking in the Oregon law. Namely, in Texas, brokers must have a “comprehensive information security program” that includes training. It also needs to include vendor oversight.
The Oregon registry process is an interim one, given that the law is going into effect in a little over two weeks. Data brokers covered by the Oregon law must submit not only contact information, but also answers to some specific questions. These include whether individuals can opt-out of having their information brokered, and how they can do so.
Putting it Into Practice: These rulemaking activities are a reminder that data broker activities are in legislators’ minds. The obligations under these laws are for specific types of activities, but reflect a broader trend on concerns with sharing and “selling” of personal information, and are a reminder that companies may want to look at their practices even if not “brokers.”