A San Antonio state representative is backing a digital privacy bill that could make it to the governor’s desk in a matter of weeks.
Rep. Trey Martinez Fischer (D-San Antonio) was one of the authors of House Bill 4390, which requires companies that have experienced a data breach to disclose it within two months of the incident. The bill would also create an advisory body for future policies that would protect consumers from having their personal information swiped by social media networks, auto insurance companies, retail stores, and financial institutions without their knowledge.
“You don’t have to go very far … to see all the things that are happening by way of data privacy, from Facebook facing a potentially $5 billion fine to the fact that Alexa devices, your Nest thermostats, and your television have the ability to listen to your conversations,” Martinez Fischer said. “Data privacy is becoming a big issue. More importantly, as we continue to see pretty much nothing happening in the United States Congress, it’s incumbent upon the states to act.”
HB 4390, co-authored by Martinez Fischer, Dallas-area Republican Giovanni Capriglione, and two other representatives, passed the House on Friday in a unanimous 140-0 vote. The bill is slated to come before the Senate in the next few weeks. Martinez Fischer said he’s confident the piece of legislation has bipartisan support.
“There seems to be an appetite for [protecting consumer data] no matter where you fall on the partisan scale,” he said.
The well-publicized data breach at Facebook and the potential surveillance that consumers may be subjecting themselves to when they purchase smart-home and other internet-connected devices have spurred increasing interest among everyday citizens in gaining a handle on how their data is used. From wearable activity trackers, such as Fitbits, to smartphone apps that track whether your phone is being charged at night, the data tech consumers are creating every day is almost impossible to enumerate.
Martinez Fischer originally proposed his own bill at the beginning of the legislative session in January. He chairs the House’s business and industry committee. If a bill concerning digital privacy was going to be introduced, he wanted to have a say.
When he heard Capriglione was proposing similar legislation, the two joined forces. Capriglione has in the past authored statewide cybersecurity measures and legislation to update the state’s information technology infrastructure. He’s gained a reputation for his IT policy expertise. Capriglione said the law would serve as a model that other states – and possibly countries – can adopt to protect their residents’ privacy.
“Today, data privacy initiatives require unique and robust solutions to defend people’s right to privacy,” Capriglione said in a statement. “A Texas solution would not burden businesses, but would put Texans first.”
The issue of data privacy first came to Martinez Fischer’s attention in 2017, when Equifax disclosed that the private information of about 143 million individuals had been exposed in a massive breach. About 12.2 million Texans were affected.
State officials did not have the tools to protect those residents whose data was now being peddled on the dark web, Martinez Fischer said. Instead, the state had to rely on laws written in California and New York. Using financial regulatory bodies in each state, Texas was able to force Equifax into a settlement, he said.
California was the first state to sign into law a comprehensive consumer privacy act in 2018. The regulations are set to be phased in come January 2020 with an eye toward working out any kinks in the interim.
“There seems to be a mixed bag of criticism as to whether [California] did it right, but the fact remains that they took the initiative,” Martinez Fischer said. “Should Texas take similar action and begin to take its data privacy into its own hands, this will certainly spark a national conversation.”
The bill would create an advisory council composed of members of the state Legislature as well as industry leaders, subject matter experts, and other stakeholders. It would spend the year and a half after the legislative session studying best practices in the area of data privacy.
But private industry has not offered its full-throated support for the bill.
During last week’s testimony regarding the proposed legislation, a handful of individuals and organizations spoke in favor of the bill. But a long list of trade associations, chambers of commerce, businesses, and even online databases opposed the measure, including the North San Antonio Chamber of Commerce. That group’s President and CEO Cristina Aldrete could not be reached before publication.
A coalition of advertising and marketing trade associations that represents Texas businesses, however, sent a letter to representatives Martinez Fischer and Capriglione in April to voice its concerns about the so-called Texas Privacy Protection Act.
The crux of their argument revolves around the potential for a patchwork of regulation to arise from state to state, which would “create a fragmented internet environment for consumers,” wrote the associations, which include the Association of National Advertisers and the American Advertising Federation.
“As such, we support an effective strong national standard to protect consumer privacy,” the organizations continued. “A patchwork of legislation throughout the United States will create consumer confusion and present significant challenges for businesses trying to comply with these laws.”
With the gridlock plaguing Congress, the state Legislature had to take matters into its own hands to protect private citizens, Martinez Fischer said.
Dallas-based telecommunications giant AT&T initially spoke out against the bill but worked out a compromise with Capriglione, said Adrianna Bernal, the company’s assistant vice president for external affairs.
“We are no longer opposed to the bill,” Bernal said.
Although legislators will be seeking input from the data-mining enterprises they want to regulate, Martinez Fischer said the status quo will not suffice.
“Make no mistake, this conversation isn’t to allow Big Data to continue to operate the way they’ve been operating,” he said. “This is a way to make it very transparent, very clear that we care about consumer protection.”
If it is passed, HB 4390 would take effect Sept. 1.