Texas at the Crossroads – An Update on Privacy Legislation


The 87th Texas legislature considered data privacy bills covering both publicly- and privately-held personal data. The state passed some new laws protecting data, but none passed to address how private companies use your personal data. Where does this leave us now? What’s happening in other states?  And, how can we move forward to protect our privacy, as well as uphold civil rights and fair lending laws as they relate to data privacy?

Texas Appleseed report on privacy and civil rights

In an earlier report, we discussed a number of problems caused by the lack of privacy laws and lax accountability. FTC Commissioner Rebecca Slaughter echoed our suggestions to pass privacy legislation that moves beyond simply thinking about “data privacy” to a broader concept of “data abuse” that:

“reflects the fact that rampant corporate data collection, sharing, and exploitation harms consumers, workers, and competition in ways that go well beyond more traditional or libertarian privacy concerns.” She further stated, “We must examine a wide variety of data abuses, including questions of racial bias, civil rights, and economic exclusion, considering practices that undermine personal autonomy and dignity.”

New privacy laws are needed to help us regain control of our own data and stop potential discriminatory behavior by companies.

Privacy bills introduced in the 87th Texas legislature

The 86th legislature set up the Texas Privacy Protection Advisory Council to study laws around the country and make recommendations for new laws. The Council stated that “Texans have the right to know how their personal information is being used, and the Legislature should consider ways to strengthen that right.” We hoped legislators would act on this recommendation. 

The table below outlines nine privacy bills filed in the 87th legislature. The two bills that would have had the greatest impact on Texans (gold highlight) never received committee hearings. HB 3741 would have given Texans the right to know that their personal data is being processed by a company and the right to correct and delete that data, among other provisions. SB 16 would have stopped state agencies from disseminating personal data without an individual’s consent. These bills, had they passed, would have been important steps in the right direction.

The three bills that made it through the legislative process (blue) impact how the State of Texas handles data. HB 3746 requires the state Attorney General to post more information about data breaches. SB 15, referred to as Texas Consumer Privacy Act Phase 1, stops the state from selling individuals’ motor vehicle records and driver’s license data except for very limited purposes. SB 475 establishes a risk management program for government entities. These new laws make meaningful changes that benefit Texans, but they do not address the largest area of concern — the ability for Texans to control their personal data that is held by businesses. 

Bill number

Short title



HB 3741

Data Privacy Omnibus

Increasing protection of personal identifying information collected, processed, or maintained by businesses in the private sector.

Never had a committee hearing in the House

HB 3742

Data Privacy - Genetic Testing

Prohibiting the use of direct-to-consumer genetic tests to set insurance premiums.

Passed the House, never taken up by a Senate committee

HB 3743

Data Privacy - Educational Data & Ransomware Payments

Ensuring data privacy during distance learning and prohibiting ransomware payments.

Passed House committee, never voted on by House.

HB 3744

Data Crime - Doxxing, Catfishing & Extortion Mugshots

Prohibiting dissemination of false information, impersonation, and removal of mugshots for a fee.

Passed House, never taken up by a Senate committee.

HB 3745

Data Crime - Ticket Scalping & Retail Hacker Ban

Prohibiting the use of bots and hacking devices to buy and resell event tickets and retail items.

Passed House, passed Senate committee, no Senate vote.

HB 3746

Data Breaches - AG Portal Clean-Up

Requiring the AG data breach portal to be public and show information related to victims.

Signed by Governor


SB 15

State of Texas may not sell individuals’ motor vehicle records

Relating to the Texas Consumer Privacy Act Phase I

Signed by Governor

SB 16

State agencies may not disseminate an individual’s data

Relating to prohibitions on the dissemination by a state agency on an individual’s personal data without written permission.

Never had a committee hearing in the Senate

SB 475

State must develop tools to prevent and respond to cyber incidents

Relating to state agency and local government information and risk management.

Signed by Governor

Legislators and citizens did not have the opportunity to hear arguments for and against HB 3741 and SB 16. Representative Capriglione talked with a reporter about how lobbyists attacked his privacy bill (HB 3741): “Honestly, I've never seen anything like this opposition. Usually, my bills get killed in the back. This time, it was, ‘We're going to do it in front of you. We're going to make you watch.’”  

So, at the end of the 87th session, we are in the same place we were two years ago, without protection from private sector data abuses. 

State privacy legislation

State privacy laws are necessary because the United States does not have a comprehensive federal privacy law. In recent years, Congress has written legislation to address this gap in the law, but no bill has passed, and prospects are unclear. There are federal privacy regulations in certain sectors, such as health care and financial services, but we lack a broad approach parallel to Europe’s General Data Protection Regulation, implemented in 2018. 

The number of comprehensive privacy bills introduced in state legislatures has increased dramatically from only two in 2018 to 21 in 2021. This increase reflects the growing concern about privacy. Pew Research found that 81% of adults say they have very little or no control over the data collected by companies.  

The International Association of Privacy Professionals (IAPP) tracks “comprehensive” state privacy bills — approaches that broadly govern the use of personal information. As outlined in the table below, the IAPP identified eight “consumer rights” and five “business responsibilities” common to most meaningful state bills. There is some consensus across states on what should be covered, though there are also major differences.  

California, Colorado, and Virginia passed comprehensive reforms in 2020 and 2021 that cover many of the privacy issues defined by IAPP. Stronger consumer protections are highlighted in green, weaker ones in yellow. Overall, the provisions in the California bills give individuals the most control over their personal information, while Virginia’s is the most business friendly and Colorado’s law falls between the two.  

Provisions common to most state privacy bills – developed by the IAPP


Prop 24






Individuals have the right to 


Right of Access

know whether personal data is being processed and access that data

Right of Rectification

correct personal data if it is inaccurate or incomplete 

Right of Deletion

request that a business delete any personal information collected from that consumer

Right of Restriction

limit the way that an organization uses their data


Right of Portability

obtain and reuse their personal data for their own purposes across different services

Right of Opt-Out

stop businesses from selling or exchanging their personal information

Right Against Automated Decision Making

not be subject to a decision based solely on automated processing, including profiling


Private Right of Action

sue a violating company directly, rather than asking the state to sue for them



Business Obligations

Businesses are required to 


Opt-in requirement age

collect opt-in consent to sell the personal information of a child under a specified age

age 16

age 13 limited

age 13

Notice/Transparency Requirement

provide fair notice about what they are going to do with the personal data they collect

Risk Assessments

determine possible mishaps, their likelihood and consequences

Prohibition on Discrimination

not discriminate against a consumer who exercises his privacy rights 

Purpose/Processing Limitation

not use data collected for one specified purpose for a new purpose, without consent

* In 2020, California Proposition 24 (the California Privacy Rights Act) passed as a ballot initiative, expanding existing privacy protections in the CCPA (the California Consumer Protection Act of 2018).  For more details on state bills, see Byte Back, Wirecutter and IAPP tracker.

These laws will evolve as states write detailed regulations.  Legislators and regulators must work through a number of issues such as which companies will be covered (based on revenue and customer size) and how the laws will be enforced.  

Call for an interim charge to chart next steps in data privacy protections for Texans 

This past session, the legislature passed the Texas Consumer Privacy Act, Phase 1, which addresses privacy issues related to certain data held by the state. We urge the Texas Lieutenant Governor and the Speaker of the House to issue interim charges for the 87th legislature to address Phase 2 of this important work, including:

  • Protecting Texans from corporate data abuse by giving them control of personal data and 
  • Outlawing discriminatory use of personal data by private companies.   

Privacy has been on the legislative agenda for the past two sessions with limited progress. An interim charge, building on the work of the Texas Privacy Protection Advisory Council, is a logical next step.

About the Authors

Steve Perkins is former Associate Dean of Graduate Programs in the School of Management at the University of Texas at Dallas and a Certified Information Privacy Professional

Ann Baddour is the director of the Fair Financial Services Project at Texas Appleseed