Why WA's data-privacy bill might not go far enough
State lawmakers looked to Europe and California for a data-privacy model. But privacy advocates say Washington's bill is too soft by comparison.
The question of how much control consumers should be able to wield over their online data has been increasingly on people's minds. As breaches of databases, and public trust, have become more common, a few events have been especially jarring in their scope and possible impact. In particular, the Cambridge Analytica scandal exposed the potential effects on democracies, revealing the firm had acquired data on millions of Facebook users without their permission, then used that information to assist political campaigns.
The European Union has been a leader when it comes to data protection, adopting robust regulations that took effect last May. In the U.S., California lawmakers followed suit last year, passing a bill that was signed into law in June 2018.
Now, Washington lawmakers are considering their own regulation, likening their efforts to these existing regulatory regimes. In January, state Sen. Reuven Carlyle, D-Seattle, said his proposal to address how companies collect and share internet users' data “is designed to take those best practices from around the world.”
Yet privacy advocates say the proposals advancing in Washington are significantly weaker than either California's or the EU’s regulations, and wouldn't go nearly as far when it comes to protecting consumers.
Though the legislation that recently passed the Washington State Senate, SB 5376, has been billed as similar to the California and European Union laws, a few key differences are making some groups question whether Washington's approach would be as effective.
One of their concerns is whether companies would truly be required to delete customer data when a customer requests that they do so.
“If you look at the California law, it is super simple: It says when the consumers ask for this, you’ve got to delete the data. And that’s just not the case here,” said Shankar Narayan, director of the American Civil Liberties Union of Washington's Technology and Liberty Project. “This is really crafted so only the most egregious conduct has requirements to act, and even that, with the number of exemptions, is far from a guarantee.”
Carlyle disputed that characterization, saying many of the exceptions in his bill are for small businesses, or pertain to data already covered under federal privacy regulations. He said some critics of the bill are making "the perfect the enemy of the good."
"The activists and the privacy folks have the wonderful luxury of being absolute purists and I respect that. That’s their job," Carlyle said.
But, he said, "The idea that we shouldn’t take this dramatic step forward because it isn’t giving the ability to a consumer to have any data deleted in any format, by any company, globally, at any time ... is not a realistic scenario."
Another factor that is fostering suspicion among privacy advocates: Microsoft is publicly supporting the bill and has played a significant role in helping shape it. Amazon has also been involved in back-and-forth discussions, Carlyle said recently.
“This came from tech companies, and it should not be surprising it is permissive,” Narayan said. He called many of the bill’s provisions “feel-good language that doesn’t actually get to where we need to be on data privacy.”
The Center for Democracy and Technology, a nonprofit based in Washington, D.C., wrote a letter to members of the state Senate’s budget committee last month saying the measure puts too much faith in corporations that have not shown themselves to be worthy of that trust.
Joseph Jerome, policy counsel for the organization, said one concern is that the bill would exempt data that is “deidentified” from requirements to protect personal information. But the way deidentified data is defined, it could mean just removing a name from records that can still be linked to an individual, he said.
Genetic data or geolocation data, which effectively can show where a person lives and goes to work, can still be easily tied to a person even if the person's name is removed, he said.
“You have a lot of companies already arguing that they don’t have a specific name attached to it, so it’s deidentified,” Jerome said. “That’s not really realistic.”
Enforcement is another way the European and California laws differ from Washington’s proposal. Under the EU’s General Data Protection Regulation (GDPR), specialized enforcement agencies in each EU member country are tasked with ensuring companies comply with the law’s provisions. A violation can result in fines of up to 20 million euros or 4 percent of a company’s worldwide annual revenue from the previous year.
In a high-profile example from January, French data-privacy regulators announced they were fining Google 50 million euros — about $57 million — for not properly telling users how their data was being collected and used for targeted advertising.
California’s law, meanwhile, gives individuals a right to sue in certain cases, unlike the proposal in Washington.
“California has a private right of action for unreasonable security practices,” said Jerome, adding that is one of multiple ways California's law gives clearer rights to individuals.
During a public hearing before Carlyle’s committee in January, a Microsoft representative had a different take on the proposal and how it compares with its European and Californian predecessors. Julie Brill, a corporate vice president and deputy general counsel for privacy and regulatory affairs at Microsoft, said Senate Bill 5376 would empower consumers and “protect consumer privacy more than any law in the United States.”
“We believe this bill, the bill before you, represents a thoughtful approach, taking the best provisions from European law, from California’s law, and indeed from some federal laws,” Brill testified Jan. 22. She previously served as a commissioner at the Federal Trade Commission.
In a departure from the EU's law, the Washington bill contains some different provisions addressing the use of facial recognition technology in the private and public sectors. Narayan, of the ACLU-WA, said those parts of the legislation also fail to provide adequate protections, particularly for marginalized communities and communities of color that are already overpoliced.
According to the bill, as long as companies post signs at their stores providing "conspicuous notice" that facial-recognition technology is being deployed, a customer who enters is automatically consenting to the technology's use. Carlyle said he is open to changing the bill so "perhaps disclosure itself doesn't make for full consent."
Senate Bill 5376 passed the state Senate on a 46-1 vote earlier this month. Only Sen. Bob Hasegawa, D-Seattle, voted no.
The measure will receive a hearing Friday in the state House's Innovation, Technology and Economic Development Committee.
Reuven Carlyle and Shankar Narayan will be speaking Thursday evening as part of a panel event organized by Crosscut. The state’s data-privacy bill will be one of the topics of discussion at “News & Brews: Regulating Big Tech.” The other speakers include Sally Hubbard, an expert on antitrust and tech platforms and host of the "Women Killing It!" podcast; Noah Purcell, Washington's solicitor general; and Jack Kirkwood, a law professor at Seattle University.