Industry Praises Texas Privacy Bill's Interoperability at Hearing
Texas “cannot continue to wait on Washington, D.C., to protect” state residents’ privacy, said Rep. Giovanni Capriglione (R) at a livestreamed hearing Monday. The Texas House Business Committee heard testimony on a privacy bill (HB-4) that Microsoft and other businesses praised as being interoperable with other state laws they like.
Renumbered from HB-1844, HB-4 is a priority bill this session for House Speaker Dade Phelan (R). The bill, which builds on Virginia’s and other states’ privacy laws, has been in development for six years with more than 200 stakeholders, said Capriglione.
One key difference with other state laws is how the bill determines to whom privacy rules will apply, he said. Other states use a threshold based on a company’s number of users or the percentage of revenue, often 50%, that they make from selling data. But it’s hard to tell how many customers a company has, and few companies make 50% of revenue from selling data, the state rep said. HB-4 “simplifies” things by applying regulations to any company that has products or services used by Texas residents, engages in the sale or processing of personal data and that isn’t a small business, he said. Small businesses would still be required to receive consumer consent before selling sensitive data, he noted.
Unlike some other states’ privacy policies, HB-4’s sale definition includes transactions that involve compensation other than cash, Capriglione said. Also, the bill would cover pseudonymous data that doesn’t directly link to an individual but could be used to identify someone in combination with other data, he said. Like laws in other states, the bill gives sole enforcement authority to the attorney general and no private right of action. It would include a 30-day right to cure.
Rep. Gina Hinojosa (D) raised concerns with the bill’s enforcement section saying the AG could open an investigation with reasonable cause to believe that a person “is about to engage in a violation.” Hinojosa gets “a Minority Report vibe” from that phrasing, said the Democrat, referring to the Tom Cruise sci-fi movie in which police arrest citizens for crimes it's predicted they will commit. Capriglione said the intention was to allow the AG to review a company’s data impact assessments, but he will talk to stakeholders about possibly removing the “about to” wording.
Microsoft thinks the Texas bill is “among the strongest … we've seen” for protecting consumers, while setting “very reasonable” requirements for companies, said Senior Director-Public Policy Ryan Harkins. HB-4 is much like Virginia, Connecticut and Colorado laws, plus it’s interoperable with many international privacy regulations, said Harkins, a common fixture at hearings for state bills based on a Washington state privacy bill that failed several times. TechNet Executive Director-Texas Servando Esparza agreed the bill will be interoperable with other states.
The U.S. Chamber of Commerce is “neutral” about the bill, since it’s similar to, but could be even more like, other state laws, said Vice President Jordan Crenshaw. Texas could more closely align with other states, but HB-4 is good enough for the Texas Association of Businesses, said lobbyist Megan Mauro. The industry group hopes rules proposed in HB-4 “are the only such data privacy measures placed on Texas businesses this session,” she said. HB-4 also got kudos from the Texas Public Policy Foundation, a nonprofit advocating for free enterprise. “The status quo is simply unacceptable,” said David Dunmoyer, campaign director.
Social justice nonprofit Texas Appleseed supports HB-4 because there are currently no protections for survivors of domestic violence, said Briana Gordley, policy analyst. However, 45 days for a business to handle a consumer’s privacy request could be too long for someone facing immediate danger, said Gordley: Consumers should be able to tell a company their personal safety is at risk so companies can prioritize their requests.
It's worrisome that lawmakers must negotiate privacy rules with large companies like Microsoft, said Texas for Liberty co-founder Gregory Porter, who said he's an entrepreneur who used to work in data security. Consumers should have opt-in control of their data, he said. “Opt-out assumes that the corporation is in control and has all the leverage.”
Five states passed a privacy bill through one chamber so far this year, Husch Blackwell lawyer David Stauss blogged Monday. They are Hawaii, Indiana, Iowa, Montana and Oklahoma. When the Oklahoma House voted 84-11 last week for HB-1030, it was the third year in a row the state House passed a privacy bill, said Stauss: Previous versions failed to get Senate consideration. The lawyer noted Hawaii’s bill (SB-974), which passed the Senate 23-1 last week, wouldn’t take effect until 2050 as currently drafted.