Texas at the Crossroads – An Update on Privacy Legislation
The 87th Texas legislature considered data privacy bills covering both publicly- and privately-held personal data. The state passed some new laws protecting data, but none passed to address how private companies use your personal data. Where does this leave us now? What’s happening in other states? And, how can we move forward to protect our privacy, as well as uphold civil rights and fair lending laws as they relate to data privacy?
Texas Appleseed report on privacy and civil rights
In an earlier report, we discussed a number of problems caused by the lack of privacy laws and lax accountability. FTC Commissioner Rebecca Slaughter echoed our suggestions to pass privacy legislation that moves beyond simply thinking about “data privacy” to a broader concept of “data abuse” that:
“reflects the fact that rampant corporate data collection, sharing, and exploitation harms consumers, workers, and competition in ways that go well beyond more traditional or libertarian privacy concerns.” She further stated, “We must examine a wide variety of data abuses, including questions of racial bias, civil rights, and economic exclusion, considering practices that undermine personal autonomy and dignity.”
New privacy laws are needed to help us regain control of our own data and stop potential discriminatory behavior by companies.
Privacy bills introduced in the 87th Texas legislature
The 86th legislature set up the Texas Privacy Protection Advisory Council to study laws around the country and make recommendations for new laws. The Council stated that “Texans have the right to know how their personal information is being used, and the Legislature should consider ways to strengthen that right.” We hoped legislators would act on this recommendation.
The table below outlines nine privacy bills filed in the 87th legislature. The two bills that would have had the greatest impact on Texans (gold highlight) never received committee hearings. HB 3741 would have given Texans the right to know that their personal data is being processed by a company and the right to correct and delete that data, among other provisions. SB 16 would have stopped state agencies from disseminating personal data without an individual’s consent. These bills, had they passed, would have been important steps in the right direction.
The three bills that made it through the legislative process (blue) impact how the State of Texas handles data. HB 3746 requires the state Attorney General to post more information about data breaches. SB 15, referred to as Texas Consumer Privacy Act Phase 1, stops the state from selling individuals’ motor vehicle records and driver’s license data except for very limited purposes. SB 475 establishes a risk management program for government entities. These new laws make meaningful changes that benefit Texans, but they do not address the largest area of concern — the ability for Texans to control their personal data that is held by businesses.
Legislators and citizens did not have the opportunity to hear arguments for and against HB 3741 and SB 16. Representative Capriglione talked with a reporter about how lobbyists attacked his privacy bill (HB 3741): “Honestly, I've never seen anything like this opposition. Usually, my bills get killed in the back. This time, it was, ‘We're going to do it in front of you. We're going to make you watch.’”
So, at the end of the 87th session, we are in the same place we were two years ago, without protection from private sector data abuses.
State privacy legislation
State privacy laws are necessary because the United States does not have a comprehensive federal privacy law. In recent years, Congress has written legislation to address this gap in the law, but no bill has passed, and prospects are unclear. There are federal privacy regulations in certain sectors, such as health care and financial services, but we lack a broad approach parallel to Europe’s General Data Protection Regulation, implemented in 2018.
The number of comprehensive privacy bills introduced in state legislatures has increased dramatically from only two in 2018 to 21 in 2021. This increase reflects the growing concern about privacy. Pew Research found that 81% of adults say they have very little or no control over the data collected by companies.
The International Association of Privacy Professionals (IAPP) tracks “comprehensive” state privacy bills — approaches that broadly govern the use of personal information. As outlined in the table below, the IAPP identified eight “consumer rights” and five “business responsibilities” common to most meaningful state bills. There is some consensus across states on what should be covered, though there are also major differences.
California, Colorado, and Virginia passed comprehensive reforms in 2020 and 2021 that cover many of the privacy issues defined by IAPP. Stronger consumer protections are highlighted in green, weaker ones in yellow. Overall, the provisions in the California bills give individuals the most control over their personal information, while Virginia’s is the most business friendly and Colorado’s law falls between the two.
* In 2020, California Proposition 24 (the California Privacy Rights Act) passed as a ballot initiative, expanding existing privacy protections in the CCPA (the California Consumer Protection Act of 2018). For more details on state bills, see Byte Back, Wirecutter and IAPP tracker.
These laws will evolve as states write detailed regulations. Legislators and regulators must work through a number of issues such as which companies will be covered (based on revenue and customer size) and how the laws will be enforced.
Call for an interim charge to chart next steps in data privacy protections for Texans
This past session, the legislature passed the Texas Consumer Privacy Act, Phase 1, which addresses privacy issues related to certain data held by the state. We urge the Texas Lieutenant Governor and the Speaker of the House to issue interim charges for the 87th legislature to address Phase 2 of this important work, including:
- Protecting Texans from corporate data abuse by giving them control of personal data and
- Outlawing discriminatory use of personal data by private companies.
Privacy has been on the legislative agenda for the past two sessions with limited progress. An interim charge, building on the work of the Texas Privacy Protection Advisory Council, is a logical next step.
About the Authors
Steve Perkins is former Associate Dean of Graduate Programs in the School of Management at the University of Texas at Dallas and a Certified Information Privacy Professional
Ann Baddour is the director of the Fair Financial Services Project at Texas Appleseed