The 2022 legislative session is off and running in Washington state, the home to what's become one of the most-followed efforts to pass comprehensive state privacy legislation. The Washington State Legislature will have until March 18 to see if the fourth time is the charm to get a law on the books, something it hasn't been able to do since the original Washington Privacy Act was proposed in 2019.
This year's wrinkle in Washington's privacy debate goes beyond specific provisions added or removed to the proposed WPA. Now state lawmakers are faced with multiple comprehensive bills under consideration in the Washington Senate and House of Representatives. Additionally, state Sen. Reuven Carlyle, D-Wash., proposed a narrowly focused bill that regulates some of the most prevalent present day privacy issues instead of going for all-out regulation like the WPA, which Carlyle also re-introduced for a fourth time.
It's not yet clear what the ripple effects of competing bills might be on the prospects of passing comprehensive legislation during the 2022 session or in future sessions. Hintze Law Partner Mike Hintze, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP, wonders whether "the dynamics that got in the way of final passage" in previous years, including key disagreements between House and Senate leadership during the 2021 session, will be affected for better or worse by the new thinking that could arise from having multiple bills in play.
However, the growing attention and thoughtfulness from Washington lawmakers on privacy matters continues to be welcomed by the privacy community.
"It just makes me think about why the Washington Privacy Act hasn't passed as well as the debates and disagreements between different stakeholders," IBM Data Governance & Regulatory Compliance Manager Pollyanna Sanderson said, expressing her personal views on the matter. "You can tell legislators are taking this topic seriously with multiple bills and all these fresh ideas. Other states just introduce these copycat bills, but Washington really is a leader when it comes to bringing forward ideas that should actually go into law."
The lay of the comprehensive land
On the table this session are three comprehensive proposals, including two carryover bills and a new bill. Here's a brief snapshot of the slate of bills and things worth keeping in mind with each.
Senate Bill 5062: Raised for a fourth consecutive session, Carlyle's Washington Privacy Act passed the Senate last year before failing to get a floor vote after being sent to the House. Carlyle has yet to release the updated text for the bill, but previous versions of the WPA carried consumer rights and a number of transparency and accountability obligations comparable to those found in the EU General Data Protection Regulation, the California Consumer Privacy Act and the California Privacy Rights Act. Past points of debate with this bill were focused on the inclusion of some form of a private right of action and limits on a company's right to cure.
House Bill 1433: Rep. Shelley Kloba, D-Wash., reintroduced The People's Privacy Act after debuting it a year ago as a pro-consumer alternative to the WPA. Kloba's bill saw no action after introduction in 2021, but it gained brief traction as part of the House's WPA consideration with an attempt to amend the WPA with elements of The People's Privacy Act. Kloba told the IAPP that her proposal is modeled after Brazil's General Data Protection Law and "moves toward privacy by design" with "robust protections and appropriate avenues for recourse." She said the bill will cover "all companies anywhere that collect or process data about residents of Washington." The 2022 text will carry the previously proposed private right of action and an updated the definition of personally identifiable information that adds biometric and location data.
- House Bill 1850: The Washington Foundational Data Privacy Act is a bit of fresh perspective from Reps. Vandana Slatter, D-Wash., and April Berg, D-Wash. Hintze said this bill "is much closer to the WPA" with its data subject rights and business obligations while proposing optouts for targeted advertising, some data sharing and automated decision-making. In contrast to the WPA, the WFDP proposes the creation of the Washington State Consumer Data Privacy Commission and contains a private right of action.
Novelties and stumbling blocks
The conversation around original thinking is mostly left to HB 1433 and HB 1850 given the WPA proposal is a re-tread framework that's acted as the basis for comprehensive laws in Colorado and Virginia despite the failures in its legislature of origin. Having the WPA's bones spread to other states and thus creating an alignment of core provisions and requirements across states speaks to why the business community favors Washington state lawmakers finishing the job with the WPA.
"Businesses appreciated that it offered a level of predictability and consistency," Hintze said "That meant they would not have to start from scratch after investing heavily in compliance with those earlier laws, and would not have to deal with the uncertainty of trying to reconcile inconsistent, unfamiliar or untested standards."
On the other side of the line drawn on the WPA, privacy advocates will not budge from their opposition without a more meaningful and protective framework for consumers. American Civil Liberties Union Washington Technology & Liberty Project Manager Jennifer Lee mentioned opt-in consent and a PRA as the most necessary provisions.
"Passing something weak like the WPA could be more detrimental than helpful," Lee said. "Any incremental step must provide a sound foundation for incorporating minimum standards for a strong data privacy policy. Undermining those principles hinders Washington’s ability to meaningfully protect people’s privacy now and in the future."
Lee called HB 1433, with its opt-in model and PRA, "the most comprehensive of the bills" and the one garnering the "strongest backing from impacted communities." Beyond safeguards and a consumer redress mechanism, HB 1433 calls for a heightened and simplified level of transparency that aims to help consumers better comprehend a company's privacy notice.
"The legislation would require companies to provide both a long-form and short-form privacy notice to individuals," BakerHostetler Associate Shea Leitch, CIPP/E, CIPP/US, said. She explained the required short-form notice must be 500 words or fewer, written in understandably plain language and presented upon a consumer's initial interaction on a website. "The bill also contains a provision that would require companies to provide the short-form notice and obtain consent before engaging in 'surreptitious surveillance,' which would include activating the microphone or camera on an individual’s device to record data."
Arguably the most intriguing aspect of HB 1850 is the creation of a state data protection authority, which will function in the same capacity as the California Privacy Protection Agency. As currently proposed, the commission would be headed up by three governor-appointed commissioners and be given rulemaking and enforcement powers.
HB 1850 also contains unique provisions for a ban on targeted advertising based on protected characteristics like race, ethnicity and sex. The ban, which mirrors provisions recently proposed by members of U.S. Congress in the Banning Surveillance Advertising Act, could bring unintended consequences to specialized businesses if it sticks.
"It sounds like a really good idea in practice, but I worry about small niche businesses," Sanderson said. "Let’s say you're a Black-owned small business that wants to specifically target hair products for Black people. Would they be prohibited from doing that under this bill? The intention is good, but we need to find a more nuanced solution in order to have exceptions for these types of scenarios."
The narrowed approach
With the absence of compromise on the WPA or any comprehensive privacy proposal going on years now, it's fair to wonder whether a more targeted approach to privacy may be required. It appears Carlyle is ready to explore that avenue with Senate Bill 5813, which expands upon WPA provisions regarding children's privacy, data brokers and honoring the Global Privacy Control user optout. The bill also notably includes a PRA limited to injunctive relief plus attorneys’ fees.
Carlyle sought to explain his current vision privacy legislation during a public hearing before the Senate Committee on Environment, Energy & Technology regarding SB 5813. While he explicitly noted he is "absolutely committed" to following through on a comprehensive bill, he acknowledged he "tried to step back a little bit" with SB 5813 with the intention to "elevate the dialogue."
"I was asking if there was some elements of the larger bill that we can get our head around," Carlyle said. "I made some moves around enforcement and other areas just to have the public policy discussion relative to whether or not we might be able to find a path forward."
Hintze assumes Carlyle "would characterize the two bills as complementary rather than competing," meaning a potential passage of SB 5813 might pave the way for other incremental work toward getting a comprehensive law in place. However, SB 5813 is not without potential hang-ups. Hintze argues the children's privacy provisions "are arguably unnecessary because they are largely redundant of" the Children's Online Privacy Protection Act while adoption of standards around GPC may be burdensome if they don't mirror what's in place with privacy laws in California and Colorado.
"I’m interested to see how much he can get done with the short window," Sanderson said. "I haven’t seen the right for adults to have data rights go back to when they were a child and then the section on data brokers goes beyond a registry with real prohibitions and rights. It feels like he’s taking inspiration from other places, be it state or federal bills. He’s like a sponge taking it all in and incorporating what he likes."
Photo by oakie on Unsplash