Understanding Data Broker Regulations in the U.S.

tl;dr

• The 4 Data Broker Registration laws in the United States currently impact 1,000s of businesses within and outside the U.S

• Most businesses that collect and transfer personal data about consumers they don't have a direct relationship with have to register

• The deadlines to register have already passed, but businesses should still register immediately to avoid accruing more fines

• A registration agency service like Superset can make registering 4x faster and safer for your business

If you're here you're probably concerned with if and how you need to comply, so we'll cover the fundamentals of 1) what is the current state of data broker registration laws in the US, 2) who qualifies as a data broker, and 3) how to get in compliance.

Current State of Data Broker Regulations in the U.S.

Today 4 US states have passed regulations requiring Data Brokers to sign up for a public registry or they could face collective fines of over $100,000 per year of non-compliance:

• Vermont was the first state to pass regulation requiring data brokers to register with the Data Broker Act passed back in 2018

• In 2023, the ball really started rolling when Texas passed SB2105- Data Broker Act in June 2023 requiring Data Brokers to register with the Secretary of State

• Then Oregon showed up in July 2023 to pass HB 2052 requiring registration starting January 1st 2024

• Finally California’s Amended Data Broker Registration Law was signed into law in October 2023

When was the deadline to register?

Each state required registration before a certain date or they could owe quite a lot of fines, and each state requires an annual renewal of the registration.

• Vermont's registration deadline was Jan 31st, 2019

• Oregon's registration deadline was Jan 1st, 2024

• California's registration deadline was Jan 31st, 2024

• Texas' registration deadline was March 1, 2024

Who needs to register?

Each state has slightly different requirements on who most register, but broadly companies that meet the definition of data broker usually meet the following requirements:

1. A business that knowingly collects the personal information of a consumer with whom the business does not have a direct relationship

2. That business participates in Selling a consumer’s personal information

   1. Selling is broadly defined as selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating to a third party for monetary or other valuable consideration (including advertising)

      
      

Notably, this definitions is WAY beyond what most people think of when they think of data brokers. This definition includes many more categories of businesses that need to register including:

• Sales prospecting tools,

• Lead-generation services,

• CRMs,

• ATSs,

• People search sites, &

• Advertisers who use lead lists for look-alike advertising

As long as you're transferring the personal data of anyone who's not a direct user/customer to a third party in exchange for any value at all, you likely have to register.

There are specific exemptions and qualifications for registering in certain states such as:

• Oregon and Vermont only requires registration if you are Selling the data of one of their residents.

• Texas only requires registration if more than 50% of your business' revenue comes from Selling data OR if you're Selling the data of more than 50,000 people

• Most states also have exemptions carved out for employee data, credit reporting data, banking data, and medical data covered by HIPPA

Bonus Tip: To know for sure if you need to register, you can take the free assessment at https://TrustSuperset.com

What are the consequences of noncompliance?

Each state has it's own fee schedule laid out for non-compliance. There are typically annual limits to the fees, but they do roll over year to year and we know California plans to enforce up to the statue of 5 years of non-compliance. So the sooner you register, the safer you are from high penalties.

• California has a fee schedule of $200 a day plus the costs incurred by the CPPA in handling your case

• Texas has a fee schedule of $100 a day, up to a maximum of $10,000 per year

• Oregon has a fee schedule of $500 a day, up to a maximum of $10,000 per year

• Vermont has a fee schedule of $50 a day, up to a maximum of $10,000 per year

So in total, Data Brokers that fail to register can expect to face up to $103,000 in fines per year plus additional administrative costs.

What are the costs of registering?

All 4 states require some kind of form to be submitted and some registration fee to be paid to become registered. They each also require an annual renewal of that registration.

The current registration fees come out to a total of $1,400 annually:

• California - $400 registration fee

• Vermont - $100 registration fee

• Texas - $300 registration fee

• Oregon - $600 registration fee

How to get in compliance with Data Broker Laws?

Getting in compliance with all 4 states regulations is unfortunately difficult, as there's no consistency in the registration process across the "regulatory patchwork".

Some states have some special complications and requirements to be in compliance, for example:

• California requires physically mailing a check to pay the registration fee

• Oregon requires a registered agent in OR to get an entity number from the Secretary of State to register

• Texas requires the business to list that they are a registered data broker on their website

• California requires posting metrics on the number of and average response time to data access and deletion requests

By far the easiest way to comply with the Data Broker Laws in the US is with an registration agent such as Superset. By registering once with an agency, they can determine which states you need to register in and automate your compliance for you.