Senate Bill 2105
Senate Author: Johnson et al.
Effective: 9-1-23
House Sponsor: Holland

Senate Bill 2105 requires a data broker to develop, implement, and maintain a comprehensive information security program which, in addition to other requirements, must incorporate safeguards that are consistent with the safeguards for protection of personal data and information of a similar character under state or federal laws and regulations applicable to the data broker. A data broker that violates the bill's notice or registration requirements is liable to the state for a civil penalty. The bill further establishes that a violation of its provisions relating to the protection of personal data by a data broker and to the comprehensive information security program constitutes a deceptive trade practice and is actionable under that act.
Senate Bill 2105 applies to personal data from an individual that is collected, transferred, or processed by a data broker, except for the following data: deidentified data, but only under conditions specified by the bill; employee data; publicly available information; inferences made exclusively from multiple independent sources of publicly available information that do not reveal sensitive data with respect to an individual; or data subject to Title V of the federal Gramm-Leach-Bliley Act. Finally, the bill applies only to a data broker that, in a 12-month period, derives more than 50 percent of the broker's revenue from processing or transferring personal data that the broker did not collect directly from the individuals to whom the data pertains or derives revenue from processing or transferring the personal data of more than 50,000 individuals that the data broker did not collect directly from the individuals to whom the data pertains.