While California has certainly accelerated conversations about enhancing privacy protections here in the U.S., it's not just a West Coast phenomenon. Other states are beginning to warm up to the idea of enacting legislation to protect personal data.

Chief among those states poised to change their narratives on privacy legislation is Texas. The Lone Star State announced in May that it would be creating the Texas Privacy Protection Advisory Council, and Gov. Greg Abbott, R-Texas, announced the five non-congressional appointments to the council earlier this month. The appointees include Bart Huffman, CIPP/US, Justin Koplow, CIPP/E, CIPP/US, Michael Wyatt, CIPP/US, Jeanette White and Lemuel Williams Jr.

"I think it’s really a recognition on the part of the Texas Legislature that privacy is an incredibly hot field with a lot of developments we’re seeing around the world," said appointee Koplow, a data protection officer at AT&T. "And it’s something that has a lot of interest for folks in terms of how they can be protected but also engaged in the modern information economy."

The council was created after the Texas Legislature fell short with its efforts to deliver comprehensive legislation. In May, Texas had two privacy bills on the table, but only House Bill 4390 made it to Abbott's desk. That bill was amended several times by the Texas House and Senate, resulting in the original comprehensive privacy law proposal being cut down to updates to Texas' data breach notification requirements.

"There were some proposals around more comprehensive and practical privacy legislation in the last session of Congress," Koplow said. "They didn’t get the traction they were looking for in terms of drafting, coordination and fundamental formulation. In recognition of that, Texas believes this advisory council will be a good way to broaden the base for looking into privacy issues."

The job of the council will be to study data protection laws not only in Texas, but also legislation from other states and countries. A report from the council regarding its findings and evaluations will be submitted to the Texas Legislature by Sept. 1, 2020, at which point state lawmakers will use the information toward potential privacy bills for January 2021.

Huffman, a partner at law firm Reed Smith's Houston office, says a more expansive look into Texas' privacy landscape is a welcomed endeavor.

"It’s a good example of what would be useful in technology legislation generally,” Huffman said. “It’s very difficult to anticipate how various rules are going to impact consumers, companies and innovation. Legislators can't do that in a vacuum."

The makeup of the council speaks to the cross-industry aim. The five recent appointees represent views from various sectors. Koplow provides a telecommunications perspective, while Huffman and Wyatt, the national managing principal at Deloitte & Touche, have legal backgrounds.

"It’s important for us to be coming from not only different perspectives, but also different fields,” Huffman said. “The privacy profession, I think, has long advocated for the involvement across different areas of expertise. Whenever you’re looking at some of these topics, you want to have the engineering aspect, the legal aspect, the academic aspect and a policy aspect. It’s a good, diverse approach."

The remaining appointments for the 15-member council from Texas State Senate and House of Representatives, as chosen by the lieutenant governor and the speaker of the house, will come soon, according to Koplow and Huffman. As they await their first official meeting to discuss agenda and scope, Huffman and Koplow already have some preliminary ideas on what they'd like to see the council go about its work.

"I would imagine the council will not only take into consideration what you’d like to see put in place, but also look at how much of a need there is for legislation or where is it that a state might best make a law or rules," Huffman said. "What kinds of rules are the right ones to look after the state and its citizens?"

Koplow believes establishing the audience of the law is a first step with anything the council intends to explore. After that, Koplow said it will be important to recommend and state how approaches are different and then explain how the positives and negatives may shape legislation.

"Do you want to specify standards, like what has been done in the past with encryption, privacy impact assessments and other specific tools? Or do you want to have a broader approach on appropriate mechanisms and measures of security based on risk analysis that vary with different processing and data?" Koplow said.

Whether the council's work and subsequent report will lead to a comprehensive law remains to be seen, but Koplow sees no time like the present to make a push.

"We see [the California Consumer Privacy Act] now and then potentially CCPA 2.0 coming, plus the other state actions going on," Koplow said, noting the CCPA will be a reference point for the council but it won't "call it a day" on its provisions alone. "There's really no time to waste on these topics, but one of the key lessons of the CCPA and likely CCPA 2.0 is the time you spend deliberating really does benefit the end product."

Photo by Clark Van Der Beken on Unsplash