Known as the Washington Privacy Act, Senate Bill 5062 was initially proposed by Sen. Reuven Carlyle, D-Seattle, in 2019. It aims to create an awareness of how citizen data is being used and what personal rights surround the data being held in company databases.
The privacy act, Carlyle said, differs from previous versions of the bill after several changes were made. The first change is the specification of companies that would be affected by the bill, which include companies that provide services and products targeted to Washington residents with access to data of over 100,000 consumers a year; or those that obtain over 25 percent of their revenue from selling and processing personal data from more than 25,000 consumers.
The second change centers on providing Attorney General Bob Ferguson with the necessary legal tools to enforce the act. And the third change to the bill focuses on providing the government and companies with a framework to contact trace data.
“It’s all about transparency,” Carlyle said. “You should be able to easily access a global platform and look at the data companies have about you and then correct that data and decide whether or not you want to have a relationship with that company.”
An example Carlyle used to further explain this is: “If you were to use a DNA testing service, like Ancestry.com or 23andMe, you’d want to have the right to delete your data from their database after you review the results, right?”
“This bill,” he said, “offers the same thing just with company databases.”
In addition to changes made to the bill, tech industry giants like Microsoft and Amazon have voiced support for the approach to protecting consumer privacy.
“We know data privacy issues are complex and greatly impact every sector of the economy,” Amazon VP of public policy Brian Huseman said in a letter to senator Carlyle. “Although we have long supported a federal approach to privacy, we appreciate the critical work underway at the state level.”
As for Microsoft’s response to the bill, Irene Plenefisch, the company’s government affairs director, recently wrote in a Microsoft blog post, “After extensive deliberations on this bill in recent sessions, the last significant issue to be resolved is determining the appropriate enforcement mechanism. Based on what we have seen in other jurisdictions, Microsoft remains confident that the best way to protect Washington consumers is to create a robust enforcement mechanism within the attorney general’s consumer protection division.”
To enforce the bill, Attorney General Ferguson would focus on specific patterns of abuse, such as whether or not browsers are capturing data and inappropriately selling it to marketers or checking to see if ISPs capture data in ways that may not be in the public interest.
However, a couple of organizations such as the American Civil Liberties Union and the Electronic Frontier Foundation have spoken out against the state's data privacy plan.
“If you take a closer look at the language of the bill, there are loopholes that undermine peoples’ rights to protect their privacy,” Jennifer Lee, a technology and liberty manager at ACLU-WA, said.
One of the bill’s biggest loopholes, Lee said, is having the option to opt out of companies’ privacy policies but not having the option to opt in. By having an opt-out option, it makes it more difficult for individuals to know what their rights are by making them wade through different companies’ privacy policies in order to make an informed decision.
Another concern by the ACLU is the bill’s enforcement mechanism.
“The bill provides sole enforcement to the attorney general, who will look for systematic patterns of abuse but not specific violations of companies towards individuals,” Lee said. “Individuals won’t be able to sue companies for violating their privacy.”
A possible alternative to the bill, Lee said, is the People’s Privacy Act, sponsored by Washington state Rep. Shelley Kloba.
One of the main differences between the People’s Privacy Act and the Washington Privacy Act is the option to opt in to company privacy policies, which provides individuals with the power to decide how companies use their data and whether or not they have access to it.
The bill also aims to prevent personal data from being used beyond a primary transaction and provides strong protections against biometric data collection and the use of facial recognition tech in public areas such as parks, restaurants and schools.
As for the Electronic Frontier Foundation’s response to the bill, Hayley Tsukayama, a legislative activist for EFF, said, “We have been opposing this bill for quite some time. The model of the bill is not consumer protective and basically allows companies to say they are considering consumers’ privacy and generate reports about privacy but [it does] not actually provide meaningful protections of privacy.”
One way to rectify this issue, Tsukayama said, is to include a broad private right of action option that would allow consumers to sue companies that violate their privacy.
“People can sue companies for product defects or breach of contracts,” she said, “why is this any different? I think privacy harm should be included in that.”