Keypoint: The report provides five recommendations for proposed privacy legislation in Texas but does not propose specific statutory language or make recommendations on many key issues.

In a reminder that winter is likely to bring another round of proposed CCPA-like state privacy legislation, earlier this month, the Texas Privacy Protection Advisory Council issued an interim report with findings and recommendations for privacy legislation in Texas.

By way of background, in 2019, Texas lawmakers proposed two CCPA-like consumer privacy bills. The bills never progressed and, ultimately, one of the bills was significantly amended to create the Texas Privacy Protection Advisory Council.

The legislation charged the Council with “study[ing] the data privacy laws in [Texas], other states, and relevant foreign jurisdictions.” The Council was required to issue a report no later than September 1, 2020, that “make[s] recommendations to the members of the legislature on specific statutory changes regarding the privacy and protection of [personal] information . . . that appear necessary from the results of the council’s study.”

The Council issued its report on September 4, 2020. The report first provides a brief overview of some existing state, federal, and international privacy laws as well as a discussion of some basic privacy principles. The report then concludes by providing the following five recommendations for future proposed privacy legislation:

  • Process for ensuring that all state agencies are adhering to privacy standards, and policies are continually updated to reflect new technologies, business practices, and risks.
  • Proposals should consider a new and appropriate balance between additional consumer privacy protections and data security within a fair regulatory/compliance privacy framework.
  • Proposals should consider the impact to highly regulated data, like health information or banking data, and how those proposals compliment applicable federal law.
  • Legislation should be written broadly enough to allow the adoption of new technology and business standards.
  • Proposals should consider existing laws in Texas and other states in order to not conflict.
  • Texans have the right to know how their personal information is being used and the Legislature should consider ways to strengthen that right.

Ultimately, the report and its recommendations do not provide much insight into the Council’s thinking as to what provisions (if any) should be included in proposed legislation. The only privacy right mentioned in the recommendations is the right to know how information is used (as distinguished from the right to know what information is collected). The recommendations do not mention or analyze whether Texas should provide its residents with other rights such as the rights to access, deletion, correction and/or data portability. The recommendations also do not mention or analyze other issues such as consent versus opt-out for data collection, third-party data transfers, and enforceability. The absence of specific recommendations is notable given that the Council was charged with recommending “specific statutory changes . . . that appear necessary from the results of the council’s study.”

In the end, it remains to be seen whether privacy legislation will be proposed when the Texas legislature opens on January 12, 2021 and, if so, what that proposed legislation will look like.