Texas is a step closer to proposing comprehensive laws protecting state residents’ data privacy, thanks in part to San Antonio state Rep. Trey Martinez Fischer, but that won’t be until 2021 at the earliest.
Earlier this month, Gov. Greg Abbott signed into law House Bill 4390, which Martinez Fischer co-authored along with Reps. Giovanni Capriglione (R-Southlake), Eddie Rodriguez (D-Austin), and Nicole Collier (D-Fort Worth). A portion of the bill, which takes effect in January, will require private entities to disclose when they’ve had a data breach affecting consumers’ identifying information, such as credit card data and personal records.
It also establishes an advisory council, composed of lawmakers, representatives from a range of private industry sectors, experts on consumer data use, and a law professor, that will study online privacy laws in Texas, other states, and other countries. The council will meet regularly and present its findings in September 2020.
The decision to study data privacy laws ahead of potential legislation in 2021 was a compromise the bill’s lead author, Capriglione, made with private industry leaders who opposed the original bill’s more robust framework for regulating online data collection and imposing civil penalties on violators. In April, HB 4390’s opponents included the Texas Association of Businesses, the North San Antonio Chamber of Commerce, the Greater Austin Chamber of Commerce, and online database LexisNexis.
“I don’t think I had anything in the legislation that was overbearing or not business friendly,” Capriglione said. “I think some of my friends in industry didn’t agree with me, so the battle ensued.”
When Capriglione filed his bill, it contained provisions requiring companies to reveal what personal identifying information they were collecting about their customers, to receive permission and have a purpose for collecting that information, and to give customers the option of reviewing what information has been collected on them so that they can request that it be changed or deleted.
By the time it reached the House floor for a vote, those provisions had been removed, and what had originally been a 14-page piece of legislation was reduced to five pages.
Capriglione said the bill’s initial opponents took issue with the lack of a stakeholder process to discuss the effects of the legislation on businesses and consumers. He said he ultimately agreed the “complicated” legislation would benefit from a stakeholder-driven discussion of the issues. But others argued states should not be regulating what is a federal issue. A patchwork of state laws, they argued, would create a confusing and cumbersome regulatory environment for those doing business in Texas and other states.
Capriglione, however, differed with those who said it’s up to federal lawmakers to take action.
“I disagree that this is the duty of the federal government, mostly because I don’t have much faith that they will do it,” he said.
The gridlock in Congress notwithstanding, the issue of protecting people’s private information online has received bipartisan support in recent years, so there appears to be the political will to enact legislation on Capitol Hill, said David Edmonson, of the national IT trade organization TechNet. The group opposed HB 4390 as originally proposed, favoring a federal solution to avoid incongruous state laws.
“This is an issue that both chambers and both sides of the aisle want to tackle,” Edmonson said. “That doesn’t mean it’s necessarily greased to move quickly. We would never assume that, but we do remain hopeful the federal government will be able to act.”
TechNet – along with dozens of groups that initially opposed the bill, including the North San Antonio chamber – changed its stance on the bill when the language centering on how businesses collect personal information was wiped out and replaced with the advisory council, he said. It gives stakeholders across the state a little more than a year to craft smart regulations, Edmonson said.
“I think moving forward too quickly without something well-thought-out will be a net detriment to not only industry but also consumers,” he said. “Having a well-thought-out process is something that everybody would want.”
Although the new law fails to “add much to the plate,” the tide is quickly turning with the institution of the EU’s General Data Protection Regulation, which has affected companies globally, and a consumer privacy law passed in the California Statehouse set to take effect in January, said local attorney Debra Placette, who has represented technology firms in San Antonio.
“The trend is clearly to provide more privacy protection,” Placette said. “Maybe this [state bill] got waylaid, but it’s not over. We’re going to see more of this especially as states start passing more laws in line with what California enacted.
“There’s going to be more pressure for Texas to at least be at the baseline of privacy protections.”
San Antonio plays an increasingly important role in securing sensitive information online, with its cybersecurity industry radiating from Southwest San Antonio, where the cyber combat unit of the U.S. Air Force and NSA Texas operate. Martinez Fischer said he wants to tap industry leaders in the city to advise or serve on the council as it conducts its research into a Texas version of the GDPR and California’s Consumer Privacy Act.
“Our tech community is pretty vibrant and pretty sophisticated,” he said. “One of my goals for this is I want not only to come up with this Texas-sized solution to data privacy and consumer protection, but I’m hoping to give a little bit of a San Antonio flavor and draw on our local talent and experience.”
Capriglione said consumers are paying more and more attention to how companies use personal data, and it’s sparked a wave of regulation in Europe, California, and now Texas.
“At some point, everyone realizes legislation like this is going to be the law of the land,” he said. “It’s probably going to be better working together than not.”