A third iteration of the Washington Privacy Act came before the Senate Environment, Energy & Technology Committee for a public hearing Thursday where testimony ranged from support to criticism.

The 2021 bill, Senate Bill 5062, follows last year’s proposal, which failed to reach consensus in the House on certain issues, key among them the lack of a private right of action for consumers.

However, the bill's sponsor expressed optimism that it would provide robust consumer rights.

“Today, the individuals in our state, the people of Washington, only have the rights to protect their own data that is so granted by companies and organizations that those organizations may choose,” said Sen. Reuven Carlyle, D-Wash. “I believe in a civic society like ours, and in a state that is a thought leader like Washington, that those rights should have a strong framework and baseline that is the premiere in the world. I think this is the strongest legislation in the world relative to the best practices of Europe, as well as California.”

Representatives of the retail, technology and business industries support SB 5062, including the Association of Washington Business General Counsel and Government Affairs Director Bob Battles, who said it is the culmination of three years of work, resulting in “a good compromise for consumers and business.”

The bill builds on the EU’s General Data Protection Regulation and California’s privacy laws, said Microsoft’s Senior Director, Public Policy Ryan Harkins, “providing the most comprehensive and robust privacy law with the strongest protections for consumers in the United States.”

“It would empower Washington consumers to control their personal data by providing them with certain rights," he said. "It would impose affirmative obligations on companies to responsibly steward the personal data that they collect and, importantly, it would provide for civil rights by banning the processing of personal data in ways to unlawfully discriminate against consumers. We also think the bill would be good for business. It would go a long way towards earning back the trust of the public in technology and it would allow companies to innovate responsibly.”

As with previous versions of the Washington Privacy Act, enforcement falls under the attorney general. The 2021 enforcement provision includes a 30-day right to cure, with potential violations of up to $7,500 for each violation of the act.

Legislative Director for the Washington Attorney General’s Office Yasmin Trudeau said changes have been made within the newest version to give the office necessary enforcement tools, but she suggested a sunset date for the right to cure provision and a private right of action for consumers.

The state attorney general’s office believes in the private right of action “as a policy matter,” she said, “furthered by the sensitive nature of data related to contact tracing. Ultimately, we’ve always believed individuals should have the ability to enforce their rights including and especially their privacy rights.”  

The proposal maintains previous versions’ preemption of local laws, ordinances and regulations, but does not preempt those adopted prior to July 1, 2020. Its provisions would take effect July 31, 2022, with a four-year delayed effective date for higher education institutions and non-profit corporations.

Opponents who spoke Thursday continued calls for redress for citizens, as well as the need to give consumers the right to opt-in to use of their data, as opposed to the proposal’s current opt-out provisions.

It is for these reasons ACLU Washington Technology & Liberty Project Manager Jennifer Lee said the bill provides “an illusion of privacy protections, but not real privacy."

“This bill not only contains myriad exemptions that undermine people’s privacy rights, but it also lacks a strong enforcement mechanism because this bill prohibits people from holding companies accountable when they violate people’s privacy rights,” she said. “This bill does not meaningfully empower people to control if and how our information is collected, used and shared.”

While the 2021 WaPA gives consumers important new rights, Consumer Reports Policy Analyst Maureen Mahoney said the responsibility is put on consumers to submit requests to “hundreds if not thousands of different companies.” She urged incorporating measures similar to California’s Consumer Privacy Act and the recently passed California Privacy Rights Act that make it easier for consumers to exercise their rights.

“Companies are required to honor browser privacy signals as a global opt-out. There is also an authorized agent provision that allows consumers to delegate to third parties the right to submit opt-out and other requests on their behalf, making it much more workable for consumers,” she said of California law.

Common Sense Media Director for Multistate Policy Joseph Jerome, CIPP/US, said SB 5062 does improve on previous proposals, but recommended including data of teens up to age 16 in its definition of sensitive data. As proposed, the bill covers the personal data of children under the age of 13.  

“In every other area of society, from education access to alcohol or voting rights, the specific vulnerability and evolving capacities of teenagers are recognized,” Jerome said.

While similar to the 2020 proposal — giving consumers the right to access, correct or delete data collected on them by commercial entities, as well as the right to opt-out of certain data processing for targeted advertising, sale of data and profiling — SB 5062 includes a new section related to COVID-19 for “data privacy regarding public health emergencies,” regulating the processing of personal data for contact tracing.

Through the inclusion of contact-tracing provisions, Carlyle said he wants the state legislature “to put it on the table that we think this is an important issue” to build public confidence in its use as an effective health tool. “I think all of us know that contact tracing is an evidence-based best practice in public health going back hundreds of years, but with technology, with mobile phones and other data sources we know that the public must have confidence that state government is managing and overseeing that data with the utmost integrity and protection,” he said.

While software engineer Jon Pincus, representing Indivisible Plus Washington, and Consumer Federation of America’s Director of Consumer Protection and Privacy Susan Grant said they appreciate the importance of protecting personal information collected for purposes of contact tracing, both suggested the issue should be addressed separately in a targeted bill.

The Senate Environment, Energy & Technology Committee is next scheduled to hold an executive session on SB 5062 Thursday, Jan. 21.

Photo by Zhifei Zhou on Unsplash