Two bills in Texas show how these types of legislation can lay the groundwork for privacy and data control, underpinning further work. The Texas Data Privacy and Security Act, known as House Bill 4, passed in 2023 and regulated how businesses collect and use personal information. It outlined businesses’ responsibilities to minimize data collection, notify consumers about what’s gathered and respond to access or correction requests.
The bill was born from frustration over stalled federal efforts on privacy.
“A comprehensive privacy law regulating the collection of consumers’ information has certainly been on the forefront of legislators’ minds,” Jennie Hoelscher, Texas privacy officer, said. “We’ve seen it try to pass again and again at the federal level, but it wasn’t happening. So, there were several legislators in different states who took it into their own hands and said, ‘If they’re not going to regulate at the federal level, we’re going to do this here.’”
That state-level approach took shape in Texas through HB 4, which, among other provisions, required the Department of Information Resources to launch a public feedback tool on its website to garner resident sentiment about data usage. The results of its first survey question were striking: 77 percent of respondents said they were “very concerned” about how businesses handled their data.
The bill, Hoelscher said, provided an opportunity to not only hear critical perspectives such as these, but afforded the ability to apply changes and resolve residents’ concerns.
“Through the bill, I think more people feel they have control over their data,” she said. “It takes some work on their part to have that control. But the methods for them to have that are now in place, so I do think it is a step in the right direction.”
One of those is the ability to designate authorized agents — like universal opt-out tools — to manage opt-out requests on a consumer’s behalf. Hoelscher said this includes browser settings that send global privacy signals.
“Rather than having to visit each site, a universal opt-out mechanism is a way that consumers can do that much more broadly and without as much effort,” she said.
This approach is echoed in HB 5495, a bill now going through the Texas Legislature that would formally recognize global privacy controls as binding, joining states like California and Colorado on this. It states that a “controller” collecting personal data from a consumer online must treat the consumer’s use of a global privacy control as a valid request to not share the consumer’s data.
But laws like these only go so far without a broader cultural shift, Hoelscher said. She stressed the importance of data minimization.
“If we can emphasize to businesses the importance of only collecting the data that they need, there can’t be a breach and there can’t be improper use of data if you don’t have it,” she said.
That same principle of data minimization and protection underpins a consumer data bill making its way through Montana’s legislature — state Senate Bill 163. Introduced by state Sen. Daniel Zolnikov, the bill would expand the state’s Genetic Information Privacy Act to prohibit the collection, use and disclosure of neurotechnology data like brainwaves without consent.
“Last session, I passed a DNA bill where you own your DNA, and there was no bill like that in the country,” Zolnikov said. “You have full rights to consent to collect, ability to delete rights if it’s sold, or not, with that bill. Then, I added neural data which says you own your brainwaves and your thoughts, and you have to have consent to collect, and you can delete if you gave consent previously.”
Zolnikov’s motivation isn’t just about reacting to privacy violations, but pre-emptively shaping the rules of engagement.
“We’re trying to get ahead of what is already being created,” he said. “Instead of it becoming a multibillion-dollar industry and then we have to rein it in, we’re trying to put the sideboards in and be proactive as these technologies are being created.”
West Virginia’s House Bill 2987 charts a slightly different course, while still focusing on building a state data strategy with privacy in mind. Sponsored by Del. Daniel Linville, the bill borrows from Virginia’s Consumer Data Protection Act, proposing to establish a consumer data protection framework that would grant consumers the right to access, correct, delete and obtain copies of their information.
It would apply to businesses handling significant amounts of personal data — those processing information from at least 100,000 consumers or earning over half their revenue from selling such information, while handling data for at least 25,000 individuals.
“The data collected about people in the modern world is vast, and frankly most people don’t even realize that data is being collected,” Linville said. “They often have very few rights to obtain a copy, correct or delete it.”
The bill’s “safe harbor” provision would allow businesses following certain cybersecurity standards to defend themselves against some legal claims in the event of a data breach. Government entities and federally governed data types, like those under the Health Insurance Portability and Accountability Act, would be exempt.
Though still pending approval by lawmakers, Montana’s and West Virginia’s bills would mark a shift from enacting basic privacy protections to creating full frameworks for emerging technologies.
“Technologies are being created. And a lot of people react,” Zolnikov said. “Here, we’re working to be proactive.”
