Enforcement was front and center during a public hearing before the Washington State Senate Ways & Means Committee Monday as lawmakers and stakeholders hashed out a potential comprehensive privacy law for the state. 

Privacy advocates called the Washington Privacy Act’s enforcement provisions “insufficient,” while representatives of the technology industry argued they are “robust.” A representative from the Office of the Attorney General, the sole enforcement authority under the proposal, said the legislation includes language enabling effective enforcement but also said the office could need to seek additional funding for compliance in the future.

According to a fiscal note summary for Senate Bill 5062, the proposed 2021 Washington Privacy Act, a total of $1.4 million would be budgeted through 2023 — $1.2 million for the Office of the Attorney General, including a full-time equivalent of 3.6 employees, $129,296 for Consolidated Technology Services and $73,000 for the Department of Health. In the years 2023 to 2027, the amounts for Consolidated Technology Services and the Department of Health would be eliminated, and funding for the OAG would be reduced to $1,096,000, with employees remaining at 3.6 full-time equivalent.

The WPA, now in its third iteration, passed the State Senate Committee on Environment, Energy and Technology with a 12–1 vote in late January.

Common Sense Media Director for Multistate Policy Joseph Jerome, CIPP/US, said the organization is concerned about the level of enforcement possible under the WPA, given the proposed funding and staffing level, an indication by the OAG that three investigations would be completed a year, and the broad scope of the technology industry. He cited the IAPP-FTI Consulting Privacy Governance Report 2020, which found the average business employs a full-time privacy staff of 15 and a part-time privacy staff of 18, adding Facebook employs more than 150 privacy lawyers.

“The tech industry is complex and privacy violations go unchecked because law enforcement lacks the resources to investigate problems,” he said. “Three investigations in a year account for the number of privacy violations I track in a week. For all the talk about making this a strong privacy law backed by strong enforcement at the (attorney general’s) office, Common Sense remains skeptical, and we encourage additional resources to be provided to the (attorney general).”

State Sen. Bob Hasegawa, D-Wash., asked OAG Legislative Director Yasmin Trudeau what it will take to enforce privacy laws “looking down the road.” Trudeau said, “the unknowns are where the challenge remains.”

“We are addressing this bill as drafted right now,” she said. “There may be a number of issues where we come back to the Legislature in future sessions and say we need more dollars for compliance, but what we’re working with is the legislation as drafted.”

The OAG has called for a private right of action for consumers, currently not proposed within the WPA, and Trudeau said that remains a concern they hope to resolve. She also called for a two-year sunset provision on the proposal’s 30-day right to cure.

“We appreciate the reasoning behind the right to cure, and that there will be a period of time for businesses to figure out their roles and responsibilities under the bill, but we know that the need for transition and compliance shouldn’t go into perpetuity,” she said. “We are not and should not be in the position of sending warning letters to businesses to let them know they are violating the law. It’s not the usual course of business for us and it shouldn’t be long term.”

Representatives of the technology industry stated support for the proposal, including Google representative Ian Goodhew, who supported the right to cure as making the bill “more enforceable.”

“The right to cure actually gives businesses big and small the ability to be notified by the (attorney general) of a potential violation and to fix that error within 30 days and actually restore the consumers’ rights to where they should be, as opposed to waiting years for a lawsuit to play out,” he said.

Microsoft Senior Director of Public Policy Ryan Harkins called the WPA a “thoughtful approach to address an urgent need to modernize United States privacy law” that would provide “robust” enforcement by the attorney general.

But American Civil Liberties Union of Washington Technology & Liberty Project Manager Jennifer Lee argued the $1.4 million allocation for 3.6 employees is “absolutely insufficient.” Lee continued the ACLU’s calls for a private right of action within the proposal, which she said would create a stronger privacy bill at reduced costs for the state.

“If you look to the implementation of the (EU General Data Protection Regulation), countries with smaller populations than Washington state spend over 16 times more than what is being proposed here and still have reported insufficient resources,” she said. “Why should Washington state spend taxpayer dollars on a bill that would only provide a façade of privacy protections?”

Photo by Zhifei Zhou on Unsplash