A bill that would give Texans more insight into who has access to their personal data and how it’s being used received overwhelming support during a recent House committee meeting.

Senate Bill 2105, authored by Sen. Nathan Johnson (D-Dallas), would establish a data broker registry and require data brokers to maintain notices on their websites and apps. It would also create a new, comprehensive set of cybersecurity safeguards for brokers to keep personal information more secure.

The bill, a companion piece to House Bill 4917, was discussed last week during a Business and Commerce Committee meeting. It has since been voted out of committee and will be discussed in the House.

During the meeting, proponents discussed how it could benefit vulnerable populations by regulating data brokers, who collect information online and sell it to third parties who might use it for advertising, fraud, or other purposes.

The bills would require brokers to:

• • Register annually with the Secretary of State;
  • Disclose their identities, the data they’re collecting, and the platforms they’re using to gather data;
  • Comply with the state’s “do not collect” registry and allow Texans to have their data deleted and no longer collected if they choose to opt-out.

The bill would allow collision repairers and others who might encounter disgruntled customers to keep their personal information private to prevent harassment or stalking. It would not apply to businesses analyzing or collecting customer data, instead honing in on third parties that have no personal or professional relationship with the people they’re tracking.

Speaking during the committee meeting, Johnson said the legislation was built to protect the public and give people the ability to control access to their personal information.

“It defines data brokers [as] businesses, [that] have no direct relationship with the individual, yet whose principal source of revenue comes from collecting, processing or transferring other individuals’ personal data,” he said.

“This definition is narrowly tailored to ensure that the bill carries out its original intent, which is to ensure the data brokers are identifying and comply with state law. It doesn’t pick up everybody who collects any data about you, it’s specifically data brokers.”

Governmental entities, government contractors, consumer reporting agencies, and other financial institutions that collect data are covered by federal law and exempt from the bill, he added.

Briana Gordley, a policy analyst at the nonprofit Texas Appleseed, spoke in support of the bill saying it will create more awareness about data brokers while allowing legislators to learn more about them.

“A lot of Americans, specifically Texans, are not aware that these types of businesses exist,” Gordley said. “The main point of this registry is to bring them to light. If we want to know how to effectively regulate these types of businesses, we need to know who they are [and] what type of entities are handling our data. We need to know what types of data they’re handling, what their purchase or credentialing processes look like, [and] what their current safeguards are. And if there is a lack of safeguards, the third part of this bill would implement a comprehensive security program.”

Breall Baccus, a policy coordinator for the Texas Council on Family Violence, said the bill could potentially be lifesaving for domestic abuse victims leaving a violent relationship.

“Leaving requires a survivor to move into a new home, change their phone number, protect their address, find a new job or have the need for credit to purchase a new car, [or] belongings [requires] interacting with necessary systems to rebuild their lives,” Baccus said. “What many of these systems have in common is that they require you to share personal data and that data feeds into data brokers’ sites which put together a readily purchasable profile of information that would typically be considered private.

“Imagine working diligently to protect your address and phone number only to find out it’s for sale online for your abusive partner to find and purchase.”

She said SB 2105 could help survivors make an informed decision on what information to share, and with whom.

Gregory Porter, of Texans for Liberty, said the bill being discussed was “sensible” but asked that an amendment be made to include relationships between businesses.

Porter said the fines must also be increased for defiant data brokers. Under the proposed legislation, they would be fined $100 for each day they’re in violation, up to a maximum of $10,000 per year.

“We have to increase these penalties,” he said. “One hundred dollar penalty per incident is not going to deter anybody from doing anything. We should make that 100 times what it is and hold these guys accountable.”

As it stands, at least six states now have data privacy laws on the books, with Iowa as the latest. For collision repair shop owners, the laws call for end-user license agreements and data collection/use consumer disclosures sooner rather than later, if not already in place.

Iowa’s passage of SF 262 lays out standards and practices for types of data that can be collected and consumer rights in data processing.

“In our digital age, it’s never been more important to state, clearly and unmistakably, that consumers deserve a reasonable level of transparency and control over their personal data,” said Gov. Kim Reynolds. “That’s exactly what this bill does, making Iowa just the sixth state to provide this kind of comprehensive protection.”

Images

Featured image: Texas State Capitol building in downtown Austin. (Credit: Pgiam/iStock)