Increased Data Broker Regulation Has Companies Weighing Multistate Compliance
The expansion of data broker liability in states like Texas and California has companies considering multistate compliance approaches, privacy attorneys told us in interviews.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
They said forthcoming amendments to the Texas Data Broker Act, effective Sept. 1, mean regulation there will be more in line with California’s data broker law. Additionally, the California Delete Act, which further expands definitions of what constitutes a data broker, will increase the cross-state compliance burden starting in August 2026. Data broker laws in Oregon and Vermont mean more compliance burdens for companies not traditionally considered data brokers, lawyers said.
“Businesses like certainty,” said Morrison Foerster’s Boris Segalis: If registering in multiple states doesn’t carry significant risk, companies will consider a uniform approach to avoid unnecessary back and forth with state regulators. Sometimes there’s “no harm in registering and moving on,” he said.
Davis+Gilbert’s Gary Kibel noted how attorneys general in Texas and Oregon sent letters to companies asking why entities are registering in California but not their states. Texas Attorney General Ken Paxton (R) in June 2024 sent warnings to more than 100 companies about an alleged failure to register in Texas.
Daniel Goldberg, privacy attorney with Frankfurt Kurnit, suggested the amendments in Texas were driven in part by the Paxton letters and the pushback from companies claiming they fall outside the scope of the data broker law.
The original Texas statute applies to businesses with a "principal source of revenue” derived from collecting, processing or transferring personal data that wasn’t collected directly from consumers. The amended law removes the "principal source of revenue” stipulation. Instead, it targets data brokers that collect more than 50% of their revenue from processing or transferring data not collected directly from the consumer, or when the company earns revenue from processing or transferring personal data of more than 50,000 individuals if the data is collected indirectly from the consumer.
Dropping the "principal source of revenue” provision brings the law more in line with California's, he said. It’s not surprising Texas appears to be following California’s lead, he added: “The various state regulators look to each other" when interpreting potential enforcement action.
King & Spalding’s Jarno Vanto said Texas’ amended law still targets companies that indirectly collect consumer data, like adtech businesses tracking online activity and location data brokers. Even Texas’ amended definition is “traditional” from that viewpoint, he added.
Deciding whether to take a cross-state compliance approach is often not a simple, yes-or-no decision, noted Kibel. He’s heard from companies asking if they should be overly cautious and register everywhere or avoid registration where possible. “You sort of only want to subject yourself to a law if you’re really subject to the law, and why put yourself on the radar of a regulator if you believe you’re not subject to the law?”
Goldberg said some companies adopt the cautious approach. Texas’ amended law “really captures companies that are not really quintessential data brokers,” companies that are engaging in data-processing practices that are fairly common in the industry, he said: The laws are simply becoming “more prescriptive” and “more complex.”
Kibel said everyone should be paying attention to California and what enforcement looks like under the Delete Act. “It’s going to be much, much easier for consumers to opt out” of data broker processing in 2026, he added.