Texas and Kentucky Privacy Laws Considered Viable Models for Federal Legislation
Comprehensive privacy laws in Texas and Kentucky are viewed as “betting favorites” to serve as potential models for a federal privacy law, Texas’ Privacy Enforcement Director Tyler Bridegan said Thursday.
Sign up for a free preview to unlock the rest of this article
Both states are well-represented in privacy discussions on Capitol Hill, with House Commerce Committee Chairman Brett Guthrie (R) from Kentucky and Texas' Ted Cruz (R), the Senate Commerce Committee Chairman. Guthrie is leading a House Republican effort to deliver a new privacy bill, while Cruz has been largely focused on children’s online safety (see 2504070065 and 2503260068).
What Congress will do is “impossible to predict,” but the Texas privacy model offers a reasonable approach in terms of identifying claims that can be fixed within the 30-day right-to-cure window and real data abuse that needs enforcement attention, Bridegan said.
Texas enforcers understand companies are trying to comply with statutory requirements across multiple states, he said: “We’re not trying to needle people on the nitty-gritty of word choice you used in your privacy notice. We’re more looking at complying with the spirit of the law.” If a company is communicating with enforcers and taking reasonable steps to come into compliance, the attorney general’s office is willing to extend the 30-day window. “We’re real people, too. We try to take a practical approach to all of this. The worst thing you could do is ignore or dispute that the notice is sufficient. We’re learning on the fly, as well.”
The AG’s office is as forthcoming as possible, and companies should do the same. “Never assume we don’t know anything before we contact you,” he said. “Oftentimes, a lot of investigations overlap” with different companies and counterparties involved in similar practices. “We come at a lot of these things with specific knowledge about what your practices are, so we always encourage people to make sure that they are accurately representing what’s going on, even with the smallest investigations,” he said. “Engage early and engage often. Ask questions.”
Future of Privacy Forum Senior Director Keir Lamont agreed Texas is one potential model for Congress, but he said at least 16 of the other 19 states with comprehensive privacy laws rely on a similar framework, so that overlap would be a good place for Congress to start. Based on his conversations on Capitol Hill, he said privacy remains an issue staffers are taking “seriously.”
There’s more alignment between state privacy laws than what was expected in 2018 when California passed its statute, but there’s not one state to follow in terms of forming a compliance regime for the entire country, Lamont argued. There are “unique differences,” he said, noting Texas’ novel disclosure requirements for companies selling sensitive data. Texas has shown interest in ensuring that this particular provision of its law is enforced, he said, noting Nebraska replicated Texas’ language in this area of enforcement.
He agreed with Bridegan on the importance of companies communicating with regulators when they receive a right to cure notice. “You do not want to be stonewalling,” he said. “You do not want to be dragging your feet. It’s just very important to take those notices seriously and act” within the statutory window. California, Connecticut and Oregon have offered a lot of public information about how companies have exercised their right to cure, he said.