Texas at the Crossroads – An Update on Privacy Legislation

The 87th Texas legislature considered data privacy bills covering both publicly- and privately-held personal data. The state passed some new laws protecting data, but none that address how private companies use your personal data. Where does this leave us now? What’s happening in other states? And how can we move forward to protect our privacy, as well as uphold civil rights and fair lending laws as they relate to data privacy?

Texas Appleseed report on privacy and civil rights

In an earlier report, we discussed a number of problems caused by the lack of privacy laws and lax accountability. FTC Commissioner Rebecca Slaughter echoed our suggestions to pass privacy legislation that moves beyond simply thinking about “data privacy” to a broader concept of “data abuse” that:

“reflects the fact that rampant corporate data collection, sharing, and exploitation harms consumers, workers, and competition in ways that go well beyond more traditional or libertarian privacy concerns.” She further stated, “We must examine a wide variety of data abuses, including questions of racial bias, civil rights, and economic exclusion, considering practices that undermine personal autonomy and dignity.”

New privacy laws are needed to help us regain control of our own data and stop potential discriminatory behavior by companies.

Privacy bills introduced in the 87th Texas legislature

The 86th legislature set up the Texas Privacy Protection Advisory Council to study laws around the country and make recommendations for new laws. The Council stated that “Texans have the right to know how their personal information is being used, and the Legislature should consider ways to strengthen that right.” We hoped legislators would act on this recommendation. 

The table below outlines nine privacy bills filed in the 87th legislature. The two bills that would have had the greatest impact on Texans (gold highlight) never received committee hearings. HB 3741 would have given Texans the right to know that their personal data is being processed by a company and the right to correct and delete that data, among other provisions. SB 16 would have stopped state agencies from disseminating personal data without an individual’s consent. These bills, had they passed, would have been important steps in the right direction.

The three bills that made it through the legislative process (blue) impact how the State of Texas handles data. HB 3746 requires the state Attorney General to post more information about data breaches. SB 15, referred to as Texas Consumer Privacy Act Phase 1, stops the state from selling individuals’ motor vehicle records and driver’s license data except for very limited purposes. SB 475 establishes a risk management program for government entities. These new laws make meaningful changes that benefit Texans, but they do not address the largest area of concern — the ability for Texans to control their personal data that is held by businesses. 

| Bill number | Short title | Description | Result |
|---|---|---|---|
| HB 3741 | Data Privacy Omnibus | Increasing protection of personal identifying information collected, processed, or maintained by businesses in the private sector. | Never had a committee hearing in the House |
| HB 3742 | Data Privacy - Genetic Testing | Prohibiting the use of direct-to-consumer genetic tests to set insurance premiums. | Passed the House, never taken up by a Senate committee |
| HB 3743 | Data Privacy - Educational Data & Ransomware Payments | Ensuring data privacy during distance learning and prohibiting ransomware payments. | Passed House committee, never voted on by House |
| HB 3744 | Data Crime - Doxxing, Catfishing & Extortion Mugshots | Prohibiting dissemination of false information, impersonation, and removal of mugshots for a fee. | Passed House, never taken up by a Senate committee |
| HB 3745 | Data Crime - Ticket Scalping & Retail Hacker Ban | Prohibiting the use of bots and hacking devices to buy and resell event tickets and retail items. | Passed House, passed Senate committee, no Senate vote |
| HB 3746 | Data Breaches - AG Portal Clean-Up | Requiring the AG data breach portal to be public and show information related to victims. | Signed by Governor |
| SB 15 | State of Texas may not sell individuals’ motor vehicle records | Relating to the Texas Consumer Privacy Act Phase I | Signed by Governor |
| SB 16 | State agencies may not disseminate an individual’s data | Relating to prohibitions on the dissemination by a state agency on an individual’s personal data without written permission. | Never had a committee hearing in the Senate |
| SB 475 | State must develop tools to prevent and respond to cyber incidents | Relating to state agency and local government information and risk management. | Signed by Governor |

Legislators and citizens did not have the opportunity to hear arguments for and against HB 3741 and SB 16. Representative Capriglione talked with a reporter about how lobbyists attacked his privacy bill (HB 3741): “Honestly, I've never seen anything like this opposition. Usually, my bills get killed in the back. This time, it was, ‘We're going to do it in front of you. We're going to make you watch.’”  

So, at the end of the 87th session, we are in the same place we were two years ago, without protection from private sector data abuses. 

State privacy legislation

State privacy laws are necessary because the United States does not have a comprehensive federal privacy law. In recent years, Congress has written legislation to address this gap in the law, but no bill has passed, and prospects are unclear. There are federal privacy regulations in certain sectors, such as health care and financial services, but we lack a broad approach parallel to Europe’s General Data Protection Regulation, implemented in 2018. 

The number of comprehensive privacy bills introduced in state legislatures has increased dramatically from only two in 2018 to 21 in 2021. This increase reflects the growing concern about privacy. Pew Research found that 81% of adults say they have very little or no control over the data collected by companies.  

The International Association of Privacy Professionals (IAPP) tracks “comprehensive” state privacy bills — approaches that broadly govern the use of personal information. As outlined in the table below, the IAPP identified eight “consumer rights” and five “business responsibilities” common to most meaningful state bills. There is some consensus across states on what should be covered, though there are also major differences.  

California, Colorado, and Virginia passed comprehensive reforms in 2020 and 2021 that cover many of the privacy issues defined by IAPP. Stronger consumer protections are highlighted in green, weaker ones in yellow. Overall, the provisions in the California bills give individuals the most control over their personal information, while Virginia’s is the most business friendly and Colorado’s law falls between the two.  

Provisions common to most state privacy bills – developed by the IAPP

| Provision | Description | CA* Prop 24 / CO SB190 / VA SB1392 |
|---|---|---|
| Rights | Individuals have the right to | |
| Right of Access | know whether personal data is being processed and access that data | |
| Right of Rectification | correct personal data if it is inaccurate or incomplete | |
| Right of Deletion | request that a business delete any personal information collected from that consumer | |
| Right of Restriction | limit the way that an organization uses their data | |
| Right of Portability | obtain and reuse their personal data for their own purposes across different services | |
| Right of Opt-Out | stop businesses from selling or exchanging their personal information | |
| Right Against Automated Decision Making | not be subject to a decision based solely on automated processing, including profiling | limited |
| Private Right of Action | sue a violating company directly, rather than asking the state to sue for them | limited |
| Business Obligations | Businesses are required to | |
| Opt-in requirement age | collect opt-in consent to sell the personal information of a child under a specified age | age 16 / age 13 limited / age 13 |
| Notice/Transparency Requirement | provide fair notice about what they are going to do with the personal data they collect | |
| Risk Assessments | determine possible mishaps, their likelihood and consequences | |
| Prohibition on Discrimination | not discriminate against a consumer who exercises his privacy rights | |
| Purpose/Processing Limitation | not use data collected for one specified purpose for a new purpose, without consent | |

* In 2020, California Proposition 24 (the California Privacy Rights Act) passed as a ballot initiative, expanding existing privacy protections in the CCPA (the California Consumer Protection Act of 2018).  For more details on state bills, see Byte Back, Wirecutter and IAPP tracker.

These laws will evolve as states write detailed regulations.  Legislators and regulators must work through a number of issues such as which companies will be covered (based on revenue and customer size) and how the laws will be enforced.  

Call for an interim charge to chart next steps in data privacy protections for Texans 

This past session, the legislature passed the Texas Consumer Privacy Act, Phase 1, which addresses privacy issues related to certain data held by the state. We urge the Texas Lieutenant Governor and the Speaker of the House to issue interim charges for the 87th legislature to address Phase 2 of this important work, including:

  • Protecting Texans from corporate data abuse by giving them control of personal data and 
  • Outlawing discriminatory use of personal data by private companies.   

Privacy has been on the legislative agenda for the past two sessions with limited progress. An interim charge, building on the work of the Texas Privacy Protection Advisory Council, is a logical next step.

About the Authors

Steve Perkins is former Associate Dean of Graduate Programs in the School of Management at the University of Texas at Dallas and a Certified Information Privacy Professional

Ann Baddour is the director of the Fair Financial Services Project at Texas Appleseed