Is the third time a charm for the Washington Privacy Act? 2021 will tell as a third version of the proposed legislation is before the Legislature.
Last week, the Senate Committee on Environment, Energy & Technology passed the 2021 proposal, Senate Bill 5062, by a 12–1 vote. This third iteration of the bill — which gives consumers the right to access, correct or delete data collected on them by commercial entities, as well as the right to opt-out of certain data processing for targeted advertising, sale of data and profiling — now moves on to the Senate Ways and Means Committee.
A proposal last year failed to reach consensus in the House of Representatives on certain provisions, namely a private right of action for consumers. Retail, technology and business industry representatives have indicated support for the 2021 proposal, while privacy advocates have continued calls for stronger privacy protections. While a broader scope to this year’s proposal and new provisions, including sections for data privacy related to public health emergencies, signal an attempt to compromise on some of the contested issues, a private right of action has not been added and whether recent changes are strong enough to bring consensus will remain to be seen.
“I think the same issues that plagued the bill last year are going to continue to be difficulties, but I think that there’s room here for consensus, and so, hopefully, now that it’s in its third iteration, the bill has become a better product of consensus and a collaborative and driven process,” said Future of Privacy Forum’s Christopher Wolf Diversity Law Fellow Katelyn Ringrose, CIPP/US, adding the bill is more closely aligned with what privacy advocates want to see and with the EU General Data Protection Regulation. As the U.S. moves toward comprehensive federal privacy legislation, the Washington proposal "could be a model for the entire U.S.," she said.
Now about three years in the making, Ringrose said SB 5062 would enshrine strong consumer protections and could also serve as a model for other states looking to pass privacy legislation.
“For example: New York, Virginia. As these states start recognizing their potential and their ability to protect their consumers through a comprehensive state bill, they might start looking at the Washington Privacy Act,” she said. “So that means that the bill really matters now. It matters more than ever and its provisions are going to be heavily scrutinized.”
State Sen. Reuven Carlyle, D-Wash., the Washington Privacy Act’s sponsor, said the proposed legislation combines the best practices of the GDPR and California Consumer Privacy Act, giving Washingtonians “a strong framework” to protect their data.
“I think the takeaway is we should question that, and we might all disagree on what the best part of the GPDR is,” said Joe Jerome, CIPP/US, multistate policy director for Common Sense Media, which argues the bill should protect the sensitive data of children and teens, instead of only children under the age of 13 as currently proposed. “We think that’s what the CCPA does. That’s what the GDPR has done.”
Looking at the history of the Washington Privacy Act, Jerome said it is likely the legislation will pass through the Senate. It has previously been held up in the House, where some called for a stronger privacy law. It’s worth acknowledging, he said, that the 2021 version incorporates some components the House previously called for.
It broadens the scope, lowering the revenue threshold for covered entities to companies that derive more than 25% of gross revenue from the sale of personal data and process or control personal data of 25,000 consumers or more, in line with an amendment approved last year by the House Innovation, Technology & Economic Development Committee. The 2020 bill had a 50% revenue threshold.
While the ITED Committee presented amendments last year, that committee has now disbanded and the 2021 proposal will go through the House Civil Rights and Judiciary Committee, Jerome said. The fact that the 2021 bill will go through a different committee adds “a wildcard,” he said.
The stance of the Washington Attorney General’s Office, which is responsible for enforcement of the proposed legislation, could also impact the trajectory of the 2021 bill, he said. Last year, the office said the proposal limited its ability to enforce the law, but during a Jan. 14 Senate Environment, Energy & Technology Committee hearing, Legislative Director Yasmin Trudeau said changes have been made within the 2021 proposal to give the office necessary enforcement tools, though it continues calls for a private right of action.
“Their voice will have a lot of sway in the House. A lot will depend on what the (attorney general) says,” Jerome said. “And last year, they became very vocal about the bill.”
Large companies operating in Washington could also impact the bill’s success, Jerome said. While Microsoft Senior Director of Public Policy Ryan Harkins said during the recent Senate hearing that the bill provides “the most comprehensive and robust privacy law with the strongest protections for consumers in the United States” and trade associations representing the industry sector have indicated support, many companies have been relatively quiet.
“There are a lot of companies in Washington state that hold a lot of influence and they could go a long way to holding it up,” Jerome said.
The steps taken to bring in support from the attorney general and consumer advocates “may dampen some of the enthusiasm that some in industry had last year,” said Hintze Law Managing Partner Mike Hintze, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP.
“There have been some changes this year that may affect different sectors of industry in different ways and they may affect the enthusiasm of some, it may increase in some cases and decrease in others,” he said. “I still think there will be pretty broad support for this.”
New in the proposal is a provision that consent obtained through “dark patterns” does not constitute actual consent. Hintze said some in industry view this provision as “problematic, because it’s just so vague.”
“It’s unclear what really would constitute a dark pattern, and does it give the attorney general essentially unfettered discretion to second guess design options — that’s troubling and scary for a number of companies,” he said. “It creates a lot of ambiguity and uncertainty about what could potentially be considered a violation of the law. That’s something new that could be the subject of some further discussion and concern among different parties and stakeholders.”
FPF's Ringrose said the “dark patterns” provision aligns with Article 6 of the GDPR and follows trends in U.S. legislation to put in place “stronger protections and stricter limits.” Similar provisions are included within Sen. Roger Wicker’s, R-Miss., Safe Data Act and Sen. Mark Warner’s, D-Va., Detour Act, she said.
“We expect this kind of trend to continue and if we do come back for a fourth time, we’ll probably see this being part of the bill,” Ringrose said.
An alternative bill that's expected to be introduced in the House could also make things interesting for the Washington Privacy Act. The American Civil Liberties Union of Washington Technology and Liberty Manager Jennifer Lee discussed the bill during a forum hosted last week by Common Sense Media. The proposal is being drafted in part by the Tech Equity Coalition, she said, and should be introduced soon.
The House bill would include a private right of action, require affirmative, opt-in consent for the use, sale or sharing of data, and would not restrict local jurisdictions from passing stronger privacy laws, she said.
“I don’t think realistically that bill could get passed, but it will affect the dynamic of how the Senate Bill is perceived,” Hintze said. “And it could create some pressure to continue to move the Senate Bill with ever increasing strengthening of those protections for consumers.”
Photo by oakie on Unsplash
If you want to comment on this post, you need to login.