TX Legislature 2023

Finally had some success in 2023. The Texas Legislature passed a data privacy bill (HB 4) and a data broker bill (SB 2105). both bills could have been more consumer friendly but are decent starting points.

In September 2022, I testified before the House business and industry committee about data brokers, then testified before the same committee in march 2023 about data privacy, plus sent in comments to the senate business and industry committee on data brokers. texas appleseed gets all the credit for pushing these bills through. thanks for all your time and effort. congratULATIONS!

i have been working on these issues since 2018 - pushing the texas legislature in 2019, 2021, and 2023. may take a break.

A summary of HB 4 and SB 2105 for a graduate class at UT Dallas

Testified before the TX House Business and Industry Committee hearing March 13, 2023 on HB 4 Texas Data Privacy and Security Act. Author Rep Gio Caprigllione and Chair Rep Oscar Longoria D-Brownsville. Did pass the House and Senate, with some amendments, sent to Guv Greg for his signature.

My testimony at 1 hour and 38 minutes.

In the 2023 session, Rep Gio Capriglione will file the Texas Data Privacy Act. This bill is a copy of the Virginia Consumer Data Privacy Act which is a copy of the Washington Privacy Act which was written by lobbyists from Microsoft and Amazon then promoted by lobbyists from the State Privacy and Security Coalition. So it is fair to say that this is a pro-business bill that most consumer advocates dislike. I have sent my comments to Capriglione. There was a committee hearings in March, fairly likely to pass the committee and the House, hard to tell with the Senate these days.

Interesting new study from the University of Pennsylvania shows that the “notice and consent” approach to privacy has failed. Most Americans do not understand that companies can capture their data. And they do not understand that US laws do not protect them. Notice and consent puts the burden on the user, not the company - when was the last time you read the 4000+ word Facebook privacy policy and understood it?

We also have drafted a data broker bill which is now with the Texas Legislative Council where “staff assist legislators in drafting and analyzing proposed legislation and in obtaining information on specific legislative problems and on matters affecting the general welfare of the state.” In other words, the Council helps legislators write bills.

John Oliver on data brokers - easy to understand overview. As he says they are “the middlemen of surveillance capitalism.” Points out that politicians use data and analytics as much as companies do. Remember Ted Cruz and Cambridge Analytica? How about Donald Trump and Cambridge Analytica? Or the UK Brexit “leave” campaign and Cambridge Analytica?

Also very helpful blog posts from Tom Kemp on data brokers, cybersecurity, and privacy.

What are “data brokers”? the most influential companies you never heard of.

“a company or business unit that earns its primary revenue by supplying data or inferences about people gathered mainly from sources other than the data subjects themselves,” from Data Brokers in an Open Society. Don’t miss the headline - to a data broker, you are the product. As some have said, we know nothing about them but they know everything about us.

For example: you Google a product online. Companies you see online usually have targeted you, buying “profiles” of likely customers from brokers. After you buy the product, that company often sells or discloses data about you to a broker such as Acxiom. The broker will analyze, re-package, and sell your data to other companies, often without your consent. Acxiom says:

• “Acxiom is the global data leader with thousands of data attributes in more than 30 countries helping brands improve millions of customer experiences every day through meaningful data-driven insights, all while protecting consumer privacy. Understand, reach, and engage audiences everywhere, maximize your media investments and power more personalized experiences.”

Acxiom boasts 11,000-plus “data attributes,” from auto loan information to travel preferences, on 2.5 billion people around the world. In the US, this data gathering, buying, selling, and using is unregulated.

the texas data broker bill

• “Data broker” means a business that knowingly collects and either sells or shares to third parties the covered personal data of a consumer with whom the business does not have a direct relationship.

  • “Covered personal data” means information that identifies or is linked or reasonably linkable to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals, including derived data and unique identifiers.

• On or before January 31 following each year in which a business meets the definition of data broker, the business shall register with the state of Texas, pay a fee, and provide information, including

  • The name of the data broker and its primary physical, email and Internet website addresses.

  • Information regarding data collection practices and options for consumers to opt out.

• Consumers may delete their data from brokers, using one global delete mechanism by which an individual may submit a single email request to the state which will contact all registered data brokers to 

  • delete all covered data related to such individual that the third-party collecting entity did not collect from the individual directly or when acting as a service provider

  • ensure that any third-party collecting entity no longer collects covered data related to such individual without the affirmative express consent of such individual, except insofar as such covered entity is acting as a service provider.

• The Texas Attorney General has the authority to adopt rules to implement the provisions of this chapter and to conduct civil investigations and bring civil actions.

Tell data brokers “do not collect my data.”

Examples of what data brokers are up to:

• Recently SafeGraph, a location data broker, stopped offering data related to Planned Parenthood and other similar family planning centers. Companies and the government could buy information on how many people were visiting the facilities, where they came from, and where they went afterwards. Given TX SB8, any concerns?

• Vermont AG initiated an enforcement action against Clearview AI, Inc saying that the company uses “screen scraping” to amass a database of three billion photographs, without consent.  While Clearview claims the technology exists to help law enforcement, the complaint alleges that Clearview has also provided its app to for-profit entities, investors, and foreign governments.

• The FTC warns that companies like Acxiom sell “modeled” profiles of consumers that categorize consumers into segments such as “Rural and Barely Making It,” or “Ethnic Second-City Strugglers,” based in part on financial venerability. The creation and use of these types of products merits close scrutiny, particularly in light of their value to predatory businesses that seek to target consumers who are economically fragile.

• Core Logic, based in Irving, TX, specializes in collecting and selling real estate data. The company has been sued by photographers for “falsification, removal and/or alteration of copyright management information (that) would induce, enable, facilitate or conceal copyright infringement of the photographic works.” And in another suit the company was sued for using discriminatory algorithms to weed out tenants, in violation of fair housing laws.

Federal efforts to regulate data brokers

The US lacks a comprehensive privacy law. For a brief overview of efforts to pass a privacy bill, see After 20 years of debate, it’s time for Congress to pass a baseline privacy law from Brookings. Follow their Center for Technology Innovation for up-to-date info on privacy policy.

Follow EPIC Electronic Privacy Information Center EPIC to keep up with the privacy news - data brokers and online payment platforms. Without a federal privacy law, private companies invade our private lives, spy on our families, and gather our most intimate facts, on a mass scale, for profit.

There has been some slow, incremental, piecemeal progress toward privacy - issues around preempting state laws and individual private right to action seem to be moderating. The FTC has new strong leaders who are focusing on privacy. Even companies seem to be pushing for some level of privacy, though they tend to say that the internet industry “self-regulates.” We still have a long way to go.

The FTC is the closest we have to a privacy watchdog. Their Bureau of Consumer Protection “stops unfair, deceptive and fraudulent business practices by collecting reports from consumers and conducting investigations, suing companies and people that break the law, developing rules to maintain a fair marketplace, and educating consumers and businesses about their rights and responsibilities.”

In their 2014 report Data Brokers: a Call for Transparency and Accountability the FTC lays out the data broker landscape we live in

Characteristics of Data Brokers

•  Collect Consumer Data from Numerous Sources, Largely Without Consumers’ Knowledge

•  Collect and Store Billions of Data Elements Covering Nearly Every U.S. Consumer

•  Combine and Analyze Data About Consumers to Make Inferences About Them, Including Potentially Sensitive Inferences

•  Combine Online and Offline Data to Market to Consumers Online

 Consumer Benefits and Risks

• Data broker products help to prevent fraud, improve product offerings, and deliver tailored advertisements to consumers.

• There are a number of potential risks to consumers from data brokers’ collection and use of consumer data.

• To the Extent Data Brokers Offer Consumers Choices About Their Data, the Choices are Largely Invisible and Incomplete

Federal legislation

• Senators Ossoff and Cassidy introduced the Data Elimination and Limiting Extensive Tracking and Exchange (DELETE) Act in February 2022

  • The bill provides for a "one-time data deletion request" tool managed by the U.S. Federal Trade Commission that would purge data from registered brokers. It also establishes a "do not track list" prohibiting future collection.

• Senator Peters introduced the Data Broker List Act of 2021

  • Data brokers are prohibited from acquiring such information by fraud or using such information for a specified prohibited purpose such as fraud or identity theft. And brokers must implement safeguards to prevent security breaches and register with the FTC.

And you may have heard of GDPR - the European Union’s General Data Protection Regulation. This has been a good model for some privacy areas, but there is concern that the implementation and enforcement have been weak.

Some privacy advocates see this federal bill as a good option that has a reasonable chance of passing - The American Data Privacy and Protection Act It has passed the House Energy and Commerce Committee already. If the Republicans take over next year, Cruz is likely to become chair of the Senate Commerce Committee and this bill, and almost any regulatory bill, will die. A 10 page summary of the bill. It is not perfect but is a good step forward.

An example of abuse by data brokers, prosecuted by the FTC - Sequoia One LLC and Gen X Marketing Group collected sensitive financial data about people seeking payday loans. They purchased some of the data from other outlets and obtained the rest through a variety of web sites the companies owned that claimed to help people obtain payday loans. The firms then sold the data to others, including Ideal Financial Solutions.

Sequoia One and Gen X Marketing Group, which both primarily operated out of Florida, supplied Ideal Financial with account information from at least 500,000 people who applied for payday loans, leading to more than $7 million being taken from those consumers’ bank accounts without their consent.

State efforts to regulate data brokers

Because the US does not have a comprehensive federal privacy law, states have been forced to protect consumers and companies. For the latest on state privacy legislation, follow the International Association of Privacy Professionals (I am a member), the Byte Back Blog by David Stauss, and the Future of Privacy Forum among others.

There has been a crazy quilt of state privacy laws passed in the last few years. Compared to the mammoth California acts, most state bills have been weak. Washington state has considered a privacy bill heavily influenced by Microsoft, Amazon, Comcast, and the Association of Washington Business, running over the ACLU version. This bill morphed into the Virginia Consumer Data Protection Act which later became the Texas data privacy act>

So who fights against data privacy bills? Tech industry groups and the State Privacy and Security Coalition and TechNet as well as the Texas Business Association. TXBiz counted the failure of HB 3741 by Gio Capriglione as a “win” saying the bill “raised concerns about potential negative consequences on businesses.” In other words, it might cost companies more so they killed it. Lobbyists often run over a bill before it even has a hearing, as happened in the 2021 TX session.

Fairly comprehensive privacy bills were introduced in the 2019 and 2021 Texas legislative sessions. I do credit my local state Rep for proposing those bills. Unfortunately industry lobbyists destroyed his bills, greatly watering down or never even allowing a committee hearing. Following the 2019 session, the legislature set up the Texas Privacy Protection Advisory Council, but the group never held a hearing and never met. They produced a report that glossed over corporate use of consumer data, instead, demanding that the state of Texas itself handle consumer data carefully - not the major concern for most consumers.

In an interesting twist, the Texas Public Policy Foundation recently came out for a digital bill of rights, saying Texans should have the following rights:

• The right to know what personal data is being collected;

• The right to know if their personal data is sold or shared, and to whom;

• The right to say no—or opt-out—from the sale of their personal data; and

• The right to easily access, collect, or delete their personal data.

All of that sounds good and they say it will be a top priority for the next legislative session. This is part of their Better Tech for Tomorrow Policy Initiative. In other states, conservative groups have pushed very pro-industry bills or ones that focused only on how the government uses data. There could be a bipartisan solution. We will see. At least glad that these issues are on their radar.

Working with Texas Appleseed, I have written articles and presentations about the need for privacy legislation in Texas. In 2021 we wrote:

• Texas at the Crossroads - Protecting Privacy and Civil Rights at the beginning of the session

• Texas at the Crossroads - Update on Privacy Legislation at the end of the session

A short presentation on data brokers, preparing for hearings before the Texas House Committee on Business & Industry.

Over the past two sessions, Texas legislators have not seriously addressed consumer data privacy. But maybe the winds of change are blowing when a conservative think tank pushes for stronger privacy laws in Texas. Color me skeptical. We will see what they propose.

As of mid 2022, only two states have passed data broker laws:

Vermont 2018 Act 171 - an act relating to data brokers and consumer protection

• good overview of the Vermont act

  • defines data brokers, brokered personal information

  • brokers must annually register with the Secretary of State, providing info about the broker, and participate in a data security program

  • but it does not require data brokers to permit consumers to opt out of collection, sales, or storage of their information; however, the AG has taken the position that providing opt-outs is a ‘best practice’ and the AG enforces the act

  • violation of the prohibition on fraudulent acquisition or use of brokered personal information is deemed an unfair and deceptive act in commerce.

• And my own one page summary of the bill.

California - 2018 CCPA California Consumer Protection Act and 2020 CPRA California Privacy Rights Act

• The data broker bill was a different bill than CCPA or CPRA, but is related. Lots of details, we will focus on how they relate to data brokers.

• Under CCPA, businesses usually must give consumers the option to say “do not sell my personal information” as a link on its web sites.

• “data brokers,” are defined as businesses that knowingly collect and sell to third parties the personal information of consumers with whom the businesses do not have direct relationships.

• data brokers must register with the state annually, currently showing about 500 brokers, and is enforced by the AG

And there was an effort by Tom Kemp to strengthen that bill, but lobbyists had the bill killed.

Comments from Ed Chau, author of the California data broker bill-

“Every internet user creates a “digital footprint,” or a record of every action the user takes on the web. These footprints contain public activity, such as posts and comments made on social media websites, as well as more sensitive activities, such as cookies that follow a user from website to website, or archived lists of all the terms entered into a browser’s search bar. Data brokers collect and sell this information without the knowledge of the individuals to whom the information relates. As an industry, data brokers have existed in the shadows and have largely been able to operate outside of any meaningful regulation, and until recently, public scrutiny.”