Kirk J. Nahra, Ali A. Jessani, and Samuel Kane of WilmerHale write:
Earlier this year, Texas and Oregon each passed a data broker registration law, joining California and Vermont to double the number of states that have enacted such legislation. Texas Governor Greg Abbott signed SB 2105 into law on June 18, 2023 and the Office of the Secretary of State adopted on December 1, 2023 a set of rules to operationalize the state’s data broker registry. Oregon Governor Tina Kotek signed HB 2052 on July 27, 2023 and the Rulemaking Advisory Committee adopted the Temporary Rules for Data Brokers Registry to be effective from December 1, 2023 through May 28, 2024.
From California’s recently enacted Delete Act, which empowers consumers with stronger data deletion rights and increases penalties for noncompliance, to the Consumer Financial Protection Bureau’s March 2023 request for information about data brokers, state and federal regulators are shining a spotlight on these actors in the data marketplace. The most common way that states are regulating data brokers is through the establishment of data broker registries, like those in Vermont, California, Texas, and Oregon. Although the registries form the driving component of these laws, the laws can also include mandates on security protocols, public disclosures, and consumer rights to delete or opt out. These laws do not include a private right of action, but the enforcing entity for each of these laws (including California’s recently formed California Privacy Protection Agency) has the authority to administer fines for noncompliance. Companies that do business in these states or have consumers living in these states should keep a close eye on how these laws define “data broker” and the types of personal data covered under these laws.
Read more at WilmerHale Privacy and Cybersecurity Law Blog.