Second Time Could Be Charm for Washington State Privacy Bill
Washington state is closer to privacy consensus for the 2020 legislative session, said Senate Environment, Energy and Technology Committee Chairman Reuven Carlyle (D) in an interview. After months of talks, industry and consumer privacy groups see momentum on a bill that failed in 2019. The privacy groups said a draft last week improves upon the previous version they thought weighed too heavily in industry’s favor.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
Up against the buzzer last spring, the House didn’t take up a Senate-passed version that Microsoft and other tech companies backed but privacy groups condemned (see 1904180036). Carlyle sees “a desire to get to yes" and aims to gain consensus more quickly this time: “I do not expect this to go to the last day.” Carlyle spoke to new House Speaker Laurie Jinkins (D), who he said is “very committed to resolution” and more up on tech issues than the previous speaker. Releasing a draft two months before session starts allows time for feedback, Carlyle said this week.
Carlyle said he has listened “very intently to the deep concerns of some of the opponents” and is working closely with House Innovation, Technology and Economic Development Committee Chairman Zack Hudgins (D). Carlyle tried to make consumer rights more explicit and took another pass at consent, enforcement and various definitions, he said. Consumer groups had a “very legitimate” concern about a loophole allowing companies to continue using data even after a user requested its deletion, Carlyle said. He didn’t add a private right of action sought by some privacy groups but would be open to reviewing that issue in a few years.
Washington’s privacy bill is “incredibly important to get right,” said Center for Democracy and Technology Privacy and Data Project Director Michelle Richardson in an interview. “Everybody’s watching Washington as one of the most likely to get across the line” in 2020 because lawmakers “got so far last year.” Businesses seek an alternative to the California Consumer Privacy Act to use as a model elsewhere, while consumer privacy groups see “potential to add in new protections for users that we haven’t seen in other states,” including data minimization and secondary-use limitations, she said.
Privacy advocates complained last session about feeling excluded from the process in favor of Washington-based tech companies like Amazon and Microsoft. “It’s been a very open process,” Carlyle said about the fresh effort to reach consensus, though he said process concerns are sometimes “euphemisms for the outcome.” Carlyle sees the presence of big tech companies in his state as an advantage for writing a good privacy bill.
Hudgins appreciates Carlyle “listening to my concerns with such intentionality, and the clear changes he made to many parts of his bill,” the House member emailed in an update last week with the new draft. “I do have some concerns and questions and I am working through those details.”
Positive Steps
The new draft would explicitly give consumers rights to opt out, as well as to access, correct, delete and move data.
It would require businesses to conduct a data protection assessment for personal data processing activities “that present a heightened risk of harm to consumers, such as processing for purposes of targeted advertising or processing sensitive data," said a summary. The state attorney general would enforce the proposed law, which has no private right of action. Proposed privacy rules apply to businesses that target residents and that control or process data of more than 100,000 consumers or derive 50 percent of gross revenue from sale of personal information and control or process data of more than 25,000 consumers.
Washington’s bill is “moving in the right direction” but isn’t “there yet,” said CDT’s Richardson. It has “more principles that are about better corporate behavior and not just individual responsibilities,” she said. But CDT is worried the bill is more concerned with whether a company tells consumers what it's going to do than making objective standards about what a company should be doing. The group supports a method for citizen complaints to supplement limited AG resources, though including a private right of action wouldn’t likely be a “red line” for the group, Richardson said.
The measure is improved from last session, emailed Justin Brookman, Consumer Reports director-consumer privacy and technology policy. “There's been more outreach than there was at this point last year,” showing “the extent of opposition from advocates last year may have surprised them.” Brookman applauded removal of language “predicating privacy rights on companies' internal risk determinations.” He said lawmakers should tighten definitions including for sale, de-identified and pseudonymous, and add more consumer protections about first-party obligations and nondiscrimination.
The draft bill improves in some ways on the California Consumer Privacy Act and EU's general data protection regulation, said Interactive Advertising Bureau Senior Director-Public Policy Alex Propes in a statement: "We welcome the acknowledgement of the benefits of pseudonymized data in providing meaningful protections to consumers." IAB supports opt-out here over opt-in in GDPR, he said. Differences with state laws in California and Nevada show "the need for Congress to pass a uniform federal privacy standard that provides greater clarity to consumers and businesses alike," he said.
TechNet and members are reviewing the draft and conversing with legislators, said Samantha Kersul, TechNet executive director-Washington. Microsoft, Comcast and others in industry didn’t comment through Thursday.