September 30, 2025

Concord Privacy News: 9/30/2025

Texas tightens data broker rules; European court upholds EU-US Data Privacy Framework data-sharing agreement; FTC Chair warns tech firms not to weaken data privacy to comply with EU, UK laws

Texas Tightens Data Broker Rules: What You Need to Know

On September 1, 2025, changes to the Texas Data Broker Act went into effect—marked by two new laws signed earlier this summer: SB 2121 and SB 1343.

Who’s Now a ‘Data Broker’ in Texas?

Before: Only businesses whose main income came from selling, sharing, or handling personal data they didn't collect directly were considered data brokers.

Now (SB 2121): Any business that collects, processes, or transfers someone’s personal data—if that data wasn’t collected directly from the individual—is considered a data broker, regardless of where most of its revenue comes from.

This expanded definition brings more businesses under the law’s reach, some of which might have previously thought they were outside its scope.

Does the Law Apply to You?

Even under the updated law, the same two thresholds apply—though now more straightforward. In a 12-month period, the law covers any business that either:

  • Gets over 50% of its revenue from handling personal data collected indirectly, or
  • Handles personal data from more than 50,000 people, without collecting it directly.

New Transparency Requirements

SB 1343 adds to enforcement by demanding clearer disclosures:

  • If you run a website or mobile app and are a data broker, you must publish a clear, understandable notice stating that you’re a data broker under Texas law.
  • This notice must also tell users how to exercise their privacy rights under the Texas Data Privacy & Security Act (TDPSA), pointing to consumer rights and how to act on them.

Your registration form with the Secretary of State must similarly include a link to where you explain users’ rights.

Why This Matters & What’s at Stake

  • More businesses now qualify as data brokers, even if handling data wasn’t their main business model.
  • Compliance isn’t optional: The Texas Attorney General has already sent reminders and enforcement notices to companies that didn’t register. With the expanded scope, more entities may come under scrutiny.
  • The penalties are real: Fines are $100 per day, capped at $10,000 per year, plus any unpaid registration fees. Noncompliance could also trigger broader investigations under deceptive trade practices laws.

Other Privacy News of Note

European Court Upholds EU-US Data Privacy Framework Data-Sharing Agreement

Europe’s General Court has upheld the lawfulness of the data-sharing agreement between the European Union (EU) and the United States (US) following a legal challenge. The court on Sept. 3 dismissed legal action brought by a French MP to annul the EU-US Data Privacy Framework (DPF). It found that the framework, which businesses rely on to transfer data between the EU and the US, ensured “an adequate level” of protection for personal data passing between the EU and the US.

FTC Chair Warns Tech Firms Not to Weaken Data Privacy to Comply with EU, UK Laws

The chairman of the U.S. Federal Trade Commission warned Apple, Alphabet, and other technology companies on Aug. 21 that efforts to comply with British and European digital content laws could violate U.S. law if they weaken privacy and data security protections for American users. FTC Chairman Andrew Ferguson expressed concerns about the EU Digital Services Act and the UK Online Safety Act, which are aimed at cracking down on illegal and harmful online content, and the UK Investigatory Powers Act.