On Tuesday, April 2, 2019, the Texas House Committee on Business and Industry held a public hearing (testimony starts at the 4:13:55 mark) on House Bill 4390, also known as the Texas Privacy Protection Act, and House Bill 4518, also known as the Texas Consumer Privacy Act. An overview of both bills as filed is available here. Both bills received a mix of testimony in support and opposition. In addition to the verbal testimony heard in committee, several other stakeholders registered their testimony for or against each bill.

Testimony on HB 4390, aka the Texas Privacy Protection Act

Rep. Giovanni Capriglione, R-Texas, the bill's author, began by presenting it to the committee — no notes, nothing rehearsed, just a candid conversation on why he authored this legislation. Capriglione started by pointing out that another representative was using hand sanitizer and that now we will surely all see advertisements for hand sanitizer in the next few days. He added, “What my bill aims to do is to provide a little bit more regulation, a little bit more oversight, into the information that is being collected on us, about us, every single day without our knowledge — a lot of times without our permission — and is being used in ways that can negatively affect our credit scores, our health insurance premiums, or car insurance premiums, and even what kind of cars and hotels you’ll be able to get into.”

Stephen Scurlock, testifying neutral on the bill on behalf of the Independent Bankers Association of Texas, stated that other entities should be subject to regulations similar to the Gramm-Leach-Bliley Act, just as banks are. He went on to testify that “any entity keeping personally identifiable information should be subject to the same rigorous standards we live under, and while breaches happen, both consumers and banks who do bear the brunt of losses from these breaches, would be much better off if that standard were adhered to.” John Heasley, testifying in favor of the bill on behalf of the Texas Bankers Association, also emphasized that other entities should be subject to regulations similar to the GLBA.

Sarah Matz, director of state government affairs for the Computing Technology Industry Association, expressed opposition to the bill, stating the legislation, as filed, is modeled after the California Consumer Privacy Act and “while these laws were developed with the best of intentions, they are more likely to result in significant compliance costs and stifle innovation, rather than improving consumer safety.”

She suggested that instead of moving forward with legislation at the state level, Texas should continue to study the evolution of the CCPA and continue a dialogue with impacted stakeholders.

Deborah Giles, testifying against the bill on behalf of the Texas Technology Consortium, conveyed that data privacy regulation should be handled at the federal level and not at the state level. She added, “We’ve already seen signs of every state doing everything differently, and we look at the internet and data privacy, and feel like if 50 states have 50 different laws, what it could do as far as the consequences of costing business would be exorbitant.”

In response, Rep. Michelle Beckley, D-Texas, raised concern that federal legislation could take too long, stating that “right now, [federal legislation] seems like it’s just an idea, whereas we have something we can vote on.” Ms. Giles jovially responded, “I completely agree with you – it’s the other states that scare the ‘begeebees’ out of us.”

James Hines, who also opposed the bill on behalf of the Texas Association of Business, stated that “we do urge that we work with our congressional members on a national framework, and the reason we are in favor of a single national framework is because of the nature of the internet – the internet has no borders.”

Rep. Jared Patterson, R-Texas, responded, “…we can see what works in the different states. Texas a lot of times leads the way on that, and then other states adopt what works best… I think we can probably do it better than DC.” Beckley also added that states adopting their own data privacy laws could be the very thing that leads to a single national framework.

The final witness, Chris Humphreys, testifying in favor of the bill on behalf of himself and the Anfield Group, stated, “It’s inevitable, [the EU General Data Protection Regulation] or GDPR-lite is going to be here at the federal level eventually. We are delaying the inevitable by not doing anything now.” Humpheys said bill presents an opportunity for Texas to handle data privacy their way, and ultimately federal legislation may be developed that lands somewhere between Texas and California.

Capriglione closed on the bill by respectfully disagreeing that Congress will reach consensus on federal legislation anytime soon and that Texas has an opportunity to implement these protections now. He also clarified that this legislation is not modeled after the CCPA.

Testimony on HB 4518, aka the Texas Consumer Privacy Act

The committee received far less testimony on HB 4518, but this was in large part due to the fact that most witnesses did not want to repeat similar testimony just laid out on HB 4390.

Rep. Martinez Fischer, D-Texas, said, “I fully appreciate and recognize that there might be ‘higher-ups’ in the federal government that could grade our papers on this, and come up with a solution that can be applied to the entire nation. But unless and until that happens, I think we can’t just sit on our hands and watch time go by.”

The only additional witness who testified on HB 4518 but did not testify previously on HB 4390 was David Foy, testifying against the bill on behalf of RELX/Lexis Nexis. Foy stated that this bill is very close, if not identical, to the CCPA and that California is now on the third iteration of that legislation. He stated that “there are currently 40 bills filed right now in California being discussed to go back and fix and try to address what happened in 2018.” He added that to this date, there have been about 30 bills filed nationwide and that California is the only state to have adopted it.

He reiterated that experts from the privacy and business industries need to collaborate to get this right before implementing legislation too quickly.

Next legislative steps

Now that both bills have received public testimony, they await a committee vote and then would head to the full Texas House of Representatives. From there, the bills still need to clear committee and floor votes in the Texas Senate before heading to the governor’s desk. As the 86th Texas Legislative Session ends May 27, both bills are racing against the clock.

Photo by Jeremy Banks on Unsplash