Like hundreds of millions of Americans during the pandemic, residents of the District of Columbia walked about the city, smartphone in hand. Some listened to podcasts, talked to a loved one, or bided time in the augmented reality of Pokémon GO. Many residents were likely aware that their phones were tracking them as they stretched their legs—but surely few could have expected that this data would be handed over to their government.

In 2020, location data broker Veraset had assembled an impressive proprietary database replete with “highly sensitive” smart phone GPS data for the entirety of the D.C. metro area. When government officials in D.C. were made aware of this, they jumped at the opportunity to obtain this data, and the government would go on to receive regular updates about the movements of hundreds of thousands of its residents.

Ostensibly, this data was to be used for COVID-19 research, but the purpose belies the point.

Plenty of Americans—including Texans—are unaware of what data is being harvested from them and how it is being used, despite a cursory acceptance of opaque terms of service. We have become so immersed in the digitized world that we do not often stop to think about what kinds of information data brokers and companies have on us. Sure, we know that Facebook knows our name, birthday, and city of residence—but how does it know to serve me an advertisement for that pillow I looked at on Amazon?

To understand the scope of our digitally created personal information, a good place to start is with data brokers. Data brokers exist to collect personal information, bundle this information together, and sell to third-party buyers. They do so by employing data scrubbing tactics to scour through personal information users provide on social media, and work with other major companies to buy user data that is for sale. They then assemble data profiles on individuals, sort them into neatly organized categories, and sell or provide them to third parties such as advertisers, businesses, and yes, governments, and Texans have virtually no way of knowing what personal data is being collected, who has access to it, and no say in whether a business can sell their data.

But Texans should have basic data privacy protections, and the way to provide this is through a Digital Bill of Rights.

The Better Tech for Tomorrow campaign at the Texas Public Policy Foundation has outlined three technology policy priorities for the 88th Legislature, and a Digital Bill of Rights is at the top of the list. As a good starting point, Texans should have the following digital rights:

  • The right to know what personal data is being collected;
  • The right to know if their personal data is sold or shared, and to whom;
  • The right to say no—or opt-out—from the sale of their personal data; and
  • The right to easily access, collect, or delete their personal data.

The reality is that government and other actors could be using Texans’ personal information without our legitimate consent or actual knowledge. It’s time for Texans to be empowered to tell these entities to “come and take it” if they so choose, rather than have them use our data without a shred of our knowledge or our consent.