House Business & Industry met on September 15 to hear invited and public testimony on the following:

  • Monitor the implementation of:
    • HB 3746, relating to certain notifications required following a breach of security of computerized data; and
    • SB 1588 and SB 581, relating to the powers and duties of certain property owners’ associations.
  • Evaluate the overall state of data privacy and online consumer protections in Texas and study the related laws and legislative efforts of other states. Make recommendations to ensure consumer data protections and online privacy.

 

This report is intended to give you an overview and highlight of the discussions on the various topics taken up. It is not a verbatim transcript of the discussions but is based upon what was audible or understandable to the observer and the desire to get details out as quickly as possible with few errors or omissions.

 

Opening Comments

  • Chair C. Turner – Will explore if bills are achieving their goals

 

Monitor the implementation of SB 1588 and SB 581, relating to the powers and duties of certain property owners’ associations.

Chelsey Buchholtz, Texas Real Estate Commission

  • Requirement for TREC to collect management certificates and amended management certificates for HOAs
  • By bill deadline TREC created a dashboard to collect MCs and make them publicly available
  • HOAs have certificate filing deadlines; simple information is included in these MCs
    • If they fail to file, there are various legal consequences
  • Are more than 9.2k HOA MCs available on the website
  • Have made accessibility adjustments to the site based on feedback
  • Chair C. Turner – Are just hosting MCs of these HOAs?
    • Correct
  • Chair C. Turner – Know what the compliance rate is?
    • Do not; possible there are 20k HOAs in Texas, but no way of knowing how many exist
  • Chair C. Turner – If they did not know about the submission; no penalty for submitting late?
    • Not for TREC, are legal remedies, but cannot speak to that
  • Thompson – Ideas on how we can know how many HOAs are in the state?
    • Is part of the motivation of this bill

 

Christy Gessler, Texas Association of Realtors

  • Real estate buyers see HOAs as positive/negative; hear about challenges of those living in HOA areas
  • This bill is the first significant HOA reform in a decade; collected hundreds of stories living in HOAs around the state
  • Texans still have issues with HOAs mainly fees, privacy and dispute resolution
  • Hearing of increasing fees since SB 1588 passed
  • C. Turner – Is an additional filing fee?
    • Correct; happened recently in the Villages of Hidden Lake in Travis County
  • Grateful for changes that allowed some disputes to be heard by justices of the peace
    • Continue to hear complaints there is no middle ground before escalation
  • Crockett – Not an option prior to JP court, suggesting something similar to an arbitration?
    • Members expect a friendly pathway like mediation; would like for collaboration among stakeholders to discuss that route
  • Shine – Asks about this new path; boards have some type of arbitration authority?
    • Need a regulatory body of some type; yes, is a model there that could be replicated
  • Lambert – Rural associates are having same issues? Not just an urban issue?
    • Yes, are undisclosed and rampant
  • Chair C. Turner – Law limits HOA from getting tenant contact information; language of bill does not permit the HOA to get additional information?
    • Some HOAs requiring them to be listed as power of attorney concerning leases
  • Chair C. Turner – HOA in Providence Village in Denton County passed a rule that bans Section 8 renters; how does current law address inspection/limitation of forms of payment?
    • Are still a lot of problems
  • Patterson – Clarifies Providence Village has multiple HOAs and the largest HOA did this
  • Shine – Before a developer files for a new development, is a requirement through TREC to notify if they intend to form an HOA? Should be required?
    • Believe the answer is no; should have all information on the table before formation

 

Connie Heyer, Texas Community Association Advocates

  • Have been some bumps in implementation such as:
  • Requirement that board of director members be different than architectural review members
    • Is difficult to staff these
  • Could make a majority have to be different rather than all
  • Bill allowed homeowners to build any security item on the home including a security perimeter fence; causes obstruction of drainage ditches, easements, etc.
    • Request the commission can grant setbacks
  • Chair C. Turner and Heyer discuss examples of obstruction due to security fences
  • Chair C. Turner – Intent of bill is to not allow this type of obstruction

 

Bill Higgins, Crest Management

  • Manage 174 communities in the Houston area; overviews services of community associations
  • Majority of residents believe associations are a benefit to the community
  • Lambert – HOAs required to enforce permit restrictions by developer?
    • Yes
  • Lambert – See unintended consequences with fencing? Will clean up that
    • Yes; are insisting that security items are fences
  • Shine – HOAs do that negatively impact homes?
    • When people abuse their power, is uncommon and elections are remedies
  • Shine – Feel process to address negative issues is adequate?
    • Yes; deed restrictions provide elections for board members once a year
  • Shine asks Higgins to overview the positives of HOAs
  • Thompson – Represent Pine Village North HOA?
    • Thompson and Higgins discuss instances of deed restriction violations
  • Crockett – Regulations that dictate how elections take place?
    • Yes, are provisions in governing documents during development and state laws
  • Crockett – Law does not dictate online voting, early voting, time/day?
    • Are set up in declaration of the community; not required
  • Patterson – If legislature requires HOA to amend documents, would have to bear that cost?
    • Would be borne by the members of the association
  • Patterson – HOA have a right to limit homeowners from leasing/owning common area facility space? Like a political event?
    • Have the right to put up fees and scheduled times; cannot say definitively
  • Chair C. Turner – Thoughts about the concerns with fees and rental agreements?
    • Only heard about that today; would oppose anything that would have a discriminatory or disparate impact
  • Chair C. Turner – If the legislature passed a law that prevented limitation in form of payment, would be in support?
    • Cannot see why we would oppose

 

Nick Kornuta, HOA Terraces on Memorial

  • Overviews the community services provided by the HOA; people are drawn to HOA communities due to maintenance, services and aesthetics
  • Unintended consequences of the bill requirement that architectural review committee members have to be separate from the board; hard to find volunteers
    • Hiring out people to fill these places is a cost to the homeowners
  • Chair C. Turner – How many homes in your HOA? Manage trash services?
    • 273 and yes; city provides once a week we provide twice a week

 

Evaluate the overall state of data privacy and online consumer protections in Texas and study the related laws and legislative efforts of other states. Make recommendations to ensure consumer data protections and online privacy.

  • Chair C. Turner – This is a very broad category, but we will get through what we can today; have several invited witnesses
  • Chair C. Turner – Have hard questions today, appreciate all those who came today
  • Chair C. Turner – Have a number who have declined that we wanted to hear from today including the Texas Cable Association, Equifax, and the Consumer Data Industry Association

 

Steve Perkins, Self

  • Specialty is in IT and research and data analysis; has not been a parallel growth for individual protections and commercial entities
  • Overviews the profiling that can happen due to facial recognition, location tracking data, and other marketing tactics using personal data
    • Can lead to discrimination against consumers
  • Vermont and California have passed laws restricting data brokers; four other states have legislation pending
  • Texas can focus privacy by focusing on restricting these data brokers
  • Are 4k data brokers worldwide and is an over $200b industry
  • Discusses the Equifax data breach in 2017
  • U.S. does not have a federal comprehensive privacy law; FTC started rule making process due to surveillance and security
  • Texas has some privacy and protection laws on the books which prohibit the capture of biometric identifiers without consent and AG Paxton is suing Facebook using AI without consent
  • Texas Privacy Protection Council stated Texas needs to strengthen privacy laws
    • Previous privacy bills were met with extreme lobbying from the other side
  • Texas law could build on Section 206 of the American Data Privacy and Protection Act which has not passed the U.S. House
  • Chair C. Turner – Do not have faith federal legislation will pass?
    • Correct
  • Chair C. Turner – Is a fair point cannot have 50 different data privacy frameworks; data broker has 11k different datapoints on every individual?
    • Correct; Acxiom particularly has these large amounts of datapoints on individuals
    • Problem is people do not know data brokers exist; few allow you to see/correct data
  • Chair C. Turner – Gather data by buying it? Transferred voluntarily?
    • May gather data from phone or websites or could buy it; can use website cookies
  • Chair C. Turner – Loyalty programs share data with other entities?
    • Yes; not necessarily against this, but consumers need consent
  • Chair C. Turner – Feasible in a state law to define what a data broker is, register them, make database available to the public, give consumers right to delete their data, and add an enforcement mechanism
    • Yes; mechanism could be the secretary of state, attorney general’s office, or other entity to enforce/regulate
  • Chair C. Turner – Users would have to request data removal multiple times?
    • Is possible
  • Crockett – What prevents a company from going to an in-house model to gather this same information?
    • Is a business decision

 

Andrew Kingman, State Privacy and Security Coalition

  • 30 different companies and trade associations that represent across industries
  • Want well-crafted federal regulation, but encourage Texas to look at practical and consistent legislation concerning privacy
  • Virginia framework has spread to Colorado, Utah and Connecticut through their legislation
  • Committee may consider Virginia framework as a good starting point
    • Are several advantages over the California framework
  • VF is more comprehensible and clearer; streamlines compliance for small/mid-size companies
  • Offers stronger protections and shares core consumer rights like corrections and deletions; are limitations on secondary uses
  • Requires companies to have data protection assessments; requires if there is a heightened risk to consumer
  • Has an opt-in consent for sensitive data and an opt-out for targeted advertising
  • Prohibits unlawful discrimination and discrimination over consumers for exercising consumer rights
  • VF encourages inter-operability among states; definitions are not too prescriptive as technology and expectations evolve
  • All bills provide a right to cure, which prevents the strain on resources of the entity enforcing penalties
  • All statutes including California do not have a right of action; all states have same enforcement path
  • California framework has been amended multiple times and is very complex; extremely difficult for small-to-mid-size businesses to implement
    • May lead to increased consumer frustration
  • No other state has adopted the California framework
  • Chair C. Turner – What would a consumer be able to do to protect their privacy under Virginia framework?
    • Right to delete data company-by-company, opt-out of sale of their data or targeted ads, can correct their data, right to access the personal data a business has on you
  • Chair C. Turner – What about data brokers?
    • Same obligations on those entities like other companies; not a specific requirement about data broker registries
  • Chair C. Turner – In California and where else have broker registries?
    • Was a separate piece of legislation in California; and Vermont
    • Is a good plan as it allows companies to look at cybersecurity implications
    • Connecticut has a third-party opt-out
  • Chair C. Turner – Consumer can opt-out of profiling, how interacts with credit scoring?
    • All frameworks exempt and recognize federal laws that deal with similar regulatory schemes like the Fair Credit Reporting Act
  • Thompson – Recourse if you make a request deletion and it is not?
    • Is a right to appeal back to the company and company is required to include information on how to file
  • Crockett – Why not have an opt-out list/registry with the AG’s office? Seems simpler
    • Is our recommendation to look at legislation that is sector neutral
    • Happy to think about it, but gets complicated

 

Evelyn Miller, Meta

  • Invested in communities in this state; have 2k employees in the state
    • Invested $1.5b data center campus in Fort Worth
  • Temple will be home to new data center; $800m investment and 100 jobs
  • Encouraged to see pragmatic laws like those in Virginia
  • Texas is positioned to build an approach which avoids more challenging aspects of legislation around the company
    • Legislation needs consistency with existing laws
  • Have built a strong privacy foundation in our products; implemented compliance and measures
    • Established a high level of oversight and accountability
  • Have integrated a tool in Facebook where members can view, delete their data, and share their information directly with other services
  • Privacy laws have not kept pace with technology; need uniform standards
  • Strong legislation has the following:
    • Personal data rights; rights to access/delete/transfer information
    • Require all responsible data handling like internal privacy programs and obligations concerning transparency
    • Centralized enforcement
  • Legislation needs to be technology neutral, requirements should apply to all and be scalable, obligations and protects should be harm and risk based, and need to recognize value of personalized advertising
    • Virginia and Connecticut are good examples
  • Is an increasing risk for regulatory fragmentation, but absent federal law, need privacy protections in place
  • Chair C. Turner – Additional attributes legislation you want to highlight?
    • Should have strong individual rights
  • Chair C. Turner – How get a personalized ad experience? Buy/sell data from data brokers?
    • Do not sell users data; get information from advertisers or interactions on our platform
  • Chair C. Turner – Would not extend to other data like location?
    • Do not collect location data unless it is provided to the company
  • Chair C. Turner – Asks about a custom browser that Facebook uses
    • Do not believe we have that product
  • Thompson – Share data with other companies?
    • With Meta companies like Instagram and Facebook; share metrics around user interaction to advertisers
  • Thompson – How protect children and teens? Notes an uptick in suicide and human trafficking; interact with law enforcement?
    • Have a comprehensive privacy program like parental controls; Meta does not actively monitor activity of any users
    • Not my expertise, have a team that does work with law enforcement
  • Shine – Define technology neutral?
    • Idea is that bill needs to keep up with technology modernization
  • Shine – Top two principles are the most important?
    • Robust and pragmatic rights and accountability of organizations
  • Shine – Familiar with existing laws that meet those?
    • Virginia and Connecticut
  • Shine – How protect users’ privacy when engaging in targeting advertising?
    • Have tools that show users how these ads are targeted and can remove it
  • Crockett – Notes are a lot of benefits to tracking data; number of data breaches on average in a year? How many people affected?
    • Have experts who deal with security and integrity of the site; will put in contact with you
  • Crockett – Not as concerned about the advertising, but data breaches are more concerning
  • Patterson – Recent study said majority do not read terms of services, affects how Meta crafts their privacy policies?
    • Have a privacy center that makes these more user friendly
  • Patterson – Does Facebook track users on other websites?
    • Track success of advertising experiences
  • Patterson – Data is the individual property of the user?
    • Users have control over their data and can delete their data
  • Patterson – Third party collects data on users? Examples? Collecting data on emails?
    • All collected by Meta; information about employment, interaction with content/ads
    • Do not have access to search history, email, photos, heartbeat/health data currently
  • Patterson – Package or sell data?
    • Do not do either
  • Thompson – Have a choice to not have data collected? How long retained?
    • Have a choice to manage what data is retained
    • Not familiar with, will get to you
  • Lambert – Scalable; referring to the cost associated with businesses implementing safeguards?
    • Yes; speaks to the privacy
  • Lambert – Have implemented metrics to determine what small and large businesses
    • Virginia and Connecticut have bills we support
  • Lambert – Notes Shine appreciates the new Meta data center in his district
    • Thompson – Notes Houston should be in consideration as it is the largest city in the state
  • Chair C. Turner – Was referring to a Washington Post article about Meta opening an in-app browser that could monitor what you do on your device?
    • Do not have that answer, not familiar with this article
  • Chair C. Turner – Meta have technology to prevent scraping of user data?
    • Is a challenge; are working on technology to prevent that

 

Ryan Harkins, Microsoft

  • Encourages legislature to pass a comprehensive privacy law next session
  • Rest of the world has raced ahead with privacy policy, still have no federal privacy law; complexity of data and industry means urgent need for robust privacy laws
  • Microsoft has been supporting efforts in states to advance comprehensive privacy laws
  • EU has had the Data Protection Directive in place since 1995, General Data Protection Regulation updated this law recently
  • US has narrow, issue-specific, or sector-specific privacy laws like HIPAA and COPPA; has left gaps in the US approach
  • In 2018, California passed the California Consumer Privacy Act, first comprehensive law in the US and has inspired other privacy laws
  • Goal is for laws that are clear, concise, and interoperable with international law; helpful for businesses
  • 4 states have passed laws with this framework, VA, CO, UT, and CT; 9 others introduced bills, but did not finally pass
  • Activity has appeared to have positive impact on Congress; multiple members introducing privacy bills & paying attention to issue
  • Not clear that there will be a federal law soon; action likely with states
  • Needs strong consumer protections & clear business rules; needs strong definitions around data covered and not, needs to apply to identified and identifiable data
  • State laws have differences in how data is defined, could lead to arguments that definition does not cover modern datasets, e.g. identifiable data linked to cookies, IP addresses, etc., and not necessarily names
  • Law should include consent rights, incl. opt-out for general data and opt-in for sensitive data
  • Heard comments from members earlier on how these consent rights could be scalable instead of individuals having to do this website by website, e.g. global privacy control, universal opt-out
  • Need to look at right to delete, California and Utah allow for right to delete data from a consumer, but may not apply to data companies get from 3rd party sources or inferences companies may derive from other data
  • Colorado law allows right to delete data concerning an individual, which would cover these other categories
  • Tracking data today largely consists of inferences derived from browsing activity, trends, purchased data, etc.
  • Should also contain obligations on companies to steward data effectively, incl. risk assessments, transparency obligations, limits on secondary use, etc.
  • Privacy laws need to impose different but complementary obligations depending on company’s role, e.g. consumer-facing vs. enterprise cloud
  • Any privacy law needs strong enforcement; California has a narrow private right of action for certain security breaches, Washington law was derailed by whether to include private right of action
  • Chair Turner – You mentioned an “easy button” for consumer rights consent, a real easy way for consumers to say they don’t want info tracked and stored?
    • That is the idea, CA, CO, UT, CT included these
  • Chair Turner – Mobile companies give you the option to use private browsers, how effective are those?
    • These can be effective in preventing 3rd parties from tracking you, but depends upon terms offered
    • Most of those don’t do what the laws in CA, CO, UT, and CT have done, don’t convey signals to websites you’re browsing that you don’t want data tracked
    • Need to work through questions about the “easy button,” want to make sure it represents choices made by the consumer and not on by default, want to make sure there is no competitive disadvantage, etc.
  • Chair Turner – Would that also protect the consumer from ISP data tracking?
    • In theory the law could apply to anyone receiving the data
  • Thompson – What kind of private right of action would you recommend?
    • Not necessarily recommending a specific private right of action, would defer to lawmakers on what makes sense for TX, TX businesses, and TX consumers
    • Would hate to see this issue derail privacy laws in TX as in WA

 

Briana Gordley, Texas Appleseed

  • Focusing on specific harms consumers face due to lack of data privacy protections
  • Data is collected on medical data, student data, financial data, etc.; highlights report that suggests expanding consumer’s right to know what data is collected
  • Data collection has large implications for survivors of domestic violence, privacy is crucial
  • Economic exploitation is one way abusers are able to use data collected to continue harming victims, e.g. taking out loans in someone’s name using their info, interfering with jobs, etc.
  • Provides example of stalker able to purchase data on another
  • Urging legislature to consider how lack of privacy protection harms consumers on many levels; support right to know, opt-ins
  • Chair Turner – Different lens for us to look at this through, stakes are much higher
  • Chair Turner – Do you have any perspective on other states that have passed laws?
    • Laws are steps in the right direction, but don’t protect consumers entirely
    • Companies can still target consumers with exploitative pricing
    • VA contains the opt-out model, lacks default privacy protections
  • Patterson – Have you had a chance to reach out to House members, particularly those intending to file legislation?
    • Haven’t had any conversations yet, currently providing research and testimony
    • Have connected with other groups working on this issue for next steps
    • Know Rep. Capriglione’s bill has made steps, but not going entirely the way he wants

 

John McCord, Texas Retailers Association

  • Businesses should provide transparency regarding consumer’s personal data, consumers should have ability to opt-out, consumer should have right to delete data, and consumers should have right to correct
  • On California and the data privacy bill, required independent economic assessment of the bill draft evaluating impact on CA economy; assessment came back at $55b, risk of not carefully considering bill with stakeholder input
  • VA bill offered many of the same protections but did so much more simply and with more clarity
  • CA defines “sale” broadly for monetary or “other valuable consideration,” VA law kept it to monetary consideration; for businesses VA is very clear
  • Should focus on the core privacy aspects, simplify and offer clear law for businesses and consumers, and follow models that exist; consistency across states is crucial
  • Chair Turner – Can you expand on the CA law?
    • Definition provided is an example of how complex the entire bill was; definition of consumer was any resident of CA so led to questions about whether employees could opt-out of employee files, etc.
    • Happy to connect with members working through these issues
  • Chair Turner – Do your members sell data to 3rd parties?
    • Would be a business question, would assume some members do

 

Celeste Embrey, Texas Bankers Association

  • Banks have had a data protection obligation for 50 years, used to receive annual opt-out notices for consumer data and transfer to affiliates, 2007 saw guidelines for identity theft prevention and defense
  • Banks also comply with other regulations, like Dodd Frank authority for AG to pursue DTPA claims on inadequate data protection & extensive breach notification requirements
  • Dept. of Banking required banks to notify within 15 days of any cyber incidents
  • As of 2022, banks also required to notify CISA within 24-72 hours depending on severity of cybersecurity issue
  • Chair Turner – Banking, health care, etc. have the most stringent privacy protections
    • Yes, welcome conversations about data security, banks are responsible for financial damages from breaches
    • Welcome opportunities for all industry participants to protect data the same way as banks and health care
  • Chair Turner – Would any of the things we’re discussing affect the financial service industry?
    • It would impact members, for instance CA law has broad definition of consumer & banks need to provide CA law notifications to CA consumers
    • VA model would impact banks as well, want to make sure banks are not having to double report on top of federal requirements
  • Thompson – Compliments banking industry for help received on recent breach

 

Glenn Hamer, Texas Association of Business

  • Represent 1500 members and over 200 chambers of commerce
  • Know data privacy is the top issue for businesses and consumers across the state
    • The stakes are “sky high”
  • Economic impact of California’s bill has been estimated $55b in implementation costs; total compliance could be up to $16b
  • Overviews Texas’ previous privacy laws specifically those for students/school districts
  • Need a standard to ensure transparency and give them clear and balanced rights to control their data
  • Federal or state should pre-empt other entities from enacting laws how personal data is collected/managed; like local governments
  • Oppose creation of any new private right of legal action against employers/businesses
  • Thompson – Opt-out includes other derived data or inference data?
    • Would be a general principle; if they want to opt-out, they should
  • Chair C. Turner – California law has been in effect for a couple years, what has the actual cost been; where have these costs come from?
    • Heard was hastily prepared and other states have passed laws in a more thoughtful and bipartisan way
    • Is a narrow private cause of action in the law, encourage state to avoid that
    • Anything California passes am skeptical about; will do more research and get that to you
  • Chair C. Turner – Represent cable and service providers?
    • Yes
  • Chair C. Turner – Are able to speak to industry-specific concerns on privacy
    • Not specifically
  • Chair C. Turner – Do ISPs track browsers’ activity?
    • Do not feel comfortable getting in the weeds
  • Chair C. Turner – Familiar with the FTC report 2021? Brought up several concerns with data privacy with ISPs
    • Not really familiar with the report
    • Cautions that the FTC has been “hostile” to the business community
  • Crockett – Reiterates biggest concern is not targeted ads, is breaches; how balance?
    • Getting the definitions right is going to be important especially consumer rights
    • Need to protect the safety of consumers as well

 

Public Testimony

Stephen Scurlock, Independent Bankers Association

  • Represent community banks in Texas; take extraordinary steps to protect customer data
  • Clear and concise disclosure, ease of opting-out; without penalties, entities do not behave the way they should
  • Data security and privacy is priority for the upcoming session
  • When a breach occurs at any entity banks are responsible for losses and other costs
  • If an entity keeps sensitive data, should adhere to same standards banks and other financial service entities do
  • FTC has issued an ANPR to gather information about the prevalence of commercial surveillance and data privacy
  • Every state has enacted data breach notification protocols; banks should be prioritized in this notification
  • Should be some form for financial accountability for those subject to a breach
    • Could be applicable if they were not meeting standards
  • Would be supportive of a bill that followed recommendations above
  • Urge stakeholders that would like federal standards to work in good faith to get something done
  • Chair C. Turner – PII includes DOB, SS number, what else?
    • Account numbers, credit card numbers, address, name, cell phone numbers, etc.
  • Chair C. Turner – Under federal law are PII? Provides a definition provided in a Capriglione bill; is pretty comprehensive
    • Are broader issues; specifically concerned about leaking of bank account and credit card information
    • If an entity is going to keep that information, need stronger oversight and standards

 

Monitor the implementation of HB 3746, relating to certain notifications required following a breach of security of computerized data.

Ester Chavez, Office of the Attorney General

  • Notes in chapter 521 B&C code have definitions about personal identification information
  • Identity Theft Enforcement and Protection Act Bill amended in 2019 to require breach be reported to the office of attorney general
  • Amended in 2021 notice has to specifically report the number of Texans affected and if the company has notified Texans of the breach
  • Bill gave the AG’s office the responsibility to maintain a website of the data breach notifications, update the listing and remove a company’s name in a timely manner with exceptions
  • AG’s office developed a web form that any business may fill to meet these reporting requirements
  • FY 22 AG received 468 data breach reports; overviews processing of electronic vs paper notices
    • Totaled 6.6m Texans who were affected; majority types of data breached were SS numbers and medical information
    • Majority of breach notices were submitted by entities who sell goods, followed by health care providers, financial providers, insurance providers, and educational institutions
  • Chair C. Turner – Barriers to implementation? Find there is majority compliance?
    • Focused on informing businesses these requirements are out there
    • Do not know about certain breaches; will hear about things from other sources of information
    • Impression is that by and large businesses are stepping up to comply