Lessons learned
TX state Representative Giovanni Capriglione, author of HB 4390
HB 4390 established the Advisory Council
Late in the fall of 2018, I met with TX state Rep Gio Capriglione to discuss privacy, particularly as it relates to fintech lending. He had an interest in the topic due to his tech / finance background and later wrote HB 4390. The original version of the bill focused on what some people call “purpose specification” - gather only the data needed for a specific purpose and do not use it or sell it for another purpose. During the April 2019 Business & Industry Committee, 24 companies/individuals registered against the bill and 5 for. Lobbyists pushed through a “complete substitution” - threw out the original bill and substituted their version which ultimately passed the House and Senate.
Dave Lieber from the Dallas Morning News wrote an article about how the lobbyists influenced the bill.
This bill established the Texas Privacy Protection Advisory Council. Gov Abbott named Rep Capriglione and Senator Nelson as co-chairs. The bill reads:
The council shall convene on a regular basis at the joint call of the co-chairs.
The council shall:
study and evaluate the laws in this state, other states, and relevant foreign jurisdictions that govern the privacy and protection of information that alone or in conjunction with other information identifies or is linked or reasonably linkable to a specific individual, technological device, or household; and
Not later than September 1, 2020, the council shall report the council's findings and recommendations to the members of the legislature, based on their study.
The Governor, Speaker of the House, and the Lite Gov appointed members to the Council - 6 legislators and 9 citizens. The Council never met and never held a hearing. I have contacted all the Representatives and Senators on the Council, not hearing back from most - some responses from staff members.
This is their report to the Legislature:
My quick review of the report. Almost nothing I suggested to the Council made it into the report or their recommendations.
More than half of the report focuses on how the state of Texas maintains cybersecurity for sensitive data.
A brief overview of GDPR, none of its provisions make it into the Council’s final recommendations. Some discussion of CCPA, characterizing it as the “most controversial” law passed in the US and emphasizing the cost of compliance, though the firm that made that estimate called it “back of the envelope”
The report claims that they received over 30 responses to the survey they sent out on August 13. Report was written by September 1. I obtained a copy of all the responses sent to the Council. About 2/3 were from trade associations as might be expected.
Their final recommendations:
process for ensuring that all state agencies are adhering to privacy standards, and policies are continually updated to reflect new technologies, business practices, and risks - that is fine but does not address what consumers or even most companies care about
proposals should consider a new and appropriate balance between additional consumer privacy protections and data security with a fair regulatory/compliance privacy framework - in other words, maybe we will think about privacy but don’t upset businesses
proposals should consider the impact to highly regulated data, like health information and banking data, and how those proposals compliment applicable federal law - HIPAA and FCRA handle these and would over-rule any state laws anyway
legislation should be written broadly enough to allow the adoption of new technology and business standards - OK, allow innovation, got it
proposals should consider existing laws in Texas and other states in order to not conflict - this is impossible
Texans have the right to know how their personal information is being used and the Legislature should consider ways to strengthen that right - the devil is in the details, but this is the closest we have to a “consumer advocacy” view of privacy
Overall my assessment is that the Council failed. They did not provide legislative recommendations to the legislature based on their study. They whiffed.
New article from Dave Lieber 10/2/20 how the Council failed.
Plus an article by Joe Duball, writer for the International Association of Privacy Professionals, 10/9/20 Privacy Pros Underwhelmed
And my longer article about the Council. Not a pretty picture. The elected legislators failed because they did not put in the time and effort for the Council to succeed. The industry lobbyists won because they will always have a seat at the table, Council or no Council. The real losers are Texans who thought that legislators cared.
Mr Smith goes to Washington
Breakthrough with a little help from my friends
Over the last 2 years, I have attended/watched dozens of presentations/hearings to learn about privacy legislation - think tanks, law firms, trade associations, US House and Senate, TX House, etc. And I have written hundreds of emails to legislators, lawyers, think tanks, lobbyists, media, academics trying to encourage stronger privacy legislation. Overall I have had only moderate success. Learning a new area and then learning a new “job” was slow.
While under lockdown from the pandemic, I studied for and passed the exam to become a “certified information privacy professional” from the International Association of Privacy Professionals. In July I wrote to an editor at IAPP who gave me the names of a few members who were interested in privacy from a consumer advocacy perspective - most members think of privacy from a corporate point of view.
My “breakthrough” came from talking to one of those she mentioned - Joe Jerome who had been policy counsel for the Center for Democracy and Technology (CDT) one of the most influential privacy think tanks in DC. He read the powerpoint I will give to the Council; he assured me that I was going in the right direction. And he gave me the names of people at the Electronic Frontier Foundation, Consumer Reports, Future of Privacy Forum, etc. And I traded emails with others at Brookings, National Consumer Law Center, etc
Most of these groups position themselves as objective think tanks rather than as lobbying groups (even if they do some lobbying on the side). But they did give me a number of good ideas - present myself as a resource for legislative staff people, decide whether to go for a big “statement” bill or a small “practical” bill, try to form a coalition of advocates rather than being a lone ranger, etc.
A different angle was to contact media such as the Dallas Morning News, Austin American-Statesman, Texas Monthly, Texas Tribune, IAPP newsletter, etc. I have heard back from very few. It is lonely out on the consumer frontier.
And I had fairly good luck contacting academics, particularly from law schools- Howard, William & Mary, U Maryland, George Washington U,Yale, etc. Privacy is rarely discussed in business schools these days, more often law schools, information science, data science. Someday business schools will wake up. And in a different direction I contacted some of the people who registered to speak for HB 4390 and interestingly have connected with a couple of businesses.
On the other hand, there were at least a dozen privacy think tanks / lobbying groups that never responded. This was disappointing - they do not seem to walk the walk. One of the problems that some people mentioned is that Texas is so conservative and anti-regulation that national privacy groups do not see the benefit of putting resources into Texas. Hopefully that will change over time.
Sam Houston, longest serving President of the Republic of Texas
What to look forward to
By law the Council had to report their recommendations to the legislature by September 1, 2020. On Thursday August 13, the Council sent out a link to an online survey consisting of three questions - what laws governing the private sector should they consider, what laws governing the public sector should they consider, and what key components of privacy should be considered. This link went to the non-elected officials on the Council and some others including myself. We were given one week to respond and then the Council had one week to write the report. Not much input from consumer privacy advocates.
To me the workings of the Council have not come close to fulfilling the “spirit and the letter” of the law. Hard to tell if this is incompetence or malfeasance or both. The Council has said they could not meet because of the virus. But everyone from the Texas Legislative Budget Board to my Sunday school class has figured out how to use zoom, so I am not convinced. The recommendations coming from the Council will lack credibility.
One frustration is that the state government does not care - the Speaker of the House asks committees to monitor the implementation of bills but he is being thrown out of the House for telling big city mayors that they are “dumb asses”, the Attorney General should watch over state laws but he has been indicted for securities fraud so is watching out for his own ass, on and on. One party dominance results in very weak accountability.
The 87th Texas Legislative Session will begin on January 12, 2021 and wrap up 140 days later, May 31.
I plan to update this page until the end of the session.