A bad day for a bad privacy bill, a good day for privacy

State lawmakers in Washington want the state to be the gold standard for regulating companies and governments that collect people’s digital data or use facial recognition programs.

— Joseph O’Sullivan, Washington Passes Data Privacy Bill as Questions Remain, February 19

It’s a great goal. Alas, SB 6281 — the version of the Washington Privacy Act that passed the Senate last week — is actually a very bad bill. Privacy advocates killed a similar bad “privacy” bill in last year’s session, so tech companies like Microsoft and Amazon have spent a lot of time, energy, and money lobbying for SB 6281— and proposing it to other states as a model. After the Washington State Senate passed it 46–1 last week, with only Bob Hasegawa voting no, it seemed like their investment might be paying off.

But Friday’s hearing at the House Innovation, Technology & Economic Development (ITED) Committee may well change the momentum, and put us on a path to legislation that would truly protect Washingtonians’ privacy.

Andrea Alegrett of the Attorney General’s Office (AGO) Consumer Protection Division dropped the biggest bombshell:

While we support the passing of privacy legislation in Washington, we are unable to effectively enforce this bill as currently written.

The AGO’s analysis is straightforward:

• SB 6821 does not include a “per se” clause, saying that any violation of the WPA is also a violation of the Consumer Protection Act. As a result, “the AGO’s enforcement and investigative authority is severely limited.”
• The AGO is also concerned that the “broad exceptions that would permit industry to sidestep the very consumer rights and obligations created by this bill” limit their enforcement ability

There are a lot of other problems with the bill as well, including a very bad section on facial recognition and the absence of a “private right of action”. SB 6281 currently says that only the AG is allowed to enforce the law; people who are harmed can’t launch lawsuits themselves. The AGO has strong things to say about that as well:

Finally, as we have stated before, we believe that a Private Right of Action, along with AGO enforcement is the best policy for consumers.

Black Lives Matter Seattle-King County board member’s Livio De La Cruz also testified about why a private right of action is so important:

We know what it’s like to have our rights ignored. We want to have the power in our hands. We want the people to have that power.

As Jennifer Lee of ACLU-WA highlighted in her testimony, organizations representing immigrant communities, people of color, and LGBTQ+ people are consistently opposing the bill. A couple more examples from the hearing:

• Stan Shikuma of the Japanese American Citizen League’s Seattle Chapter reminded us of the role data abuse played in the the mass incarceration of Japanese Americans and observed “never again is now.”
• Derek Lum of Interim CDA (an organization focusing on social justice and equity for low income, Asian and Pacific Islanders, immigrant, and refugee communities) similarly said “history shows this will be abused”, citing over-policing of Black communities and post-9/11 targeting of Muslims as well as Japanese internment.
• Eli Goss of OneAmerica (the largest immigrant and refugee advocacy organization in Washington State) discussed the bills pre-emption of local laws and the extremely low limits on fines — a maximum of $7500 per violation.

I also testified, discussing Microsoft Researcher Luke Stark’s analogy that facial recognition is like plutonium: something so toxic to society’s health that it needs to be strictly regulated. Following up on Eli’s comments about pre-emption, I also discussed the wave of cities and counties limiting and even banning facial recognition — including San Francisco, Somerville, and Oakland. As written, SB 6821 would prohibit these local ordinances in Washington State, as well as rolling back current protections like Seattle’s Broadband Privacy Rule.

It’s clear that the bill in its current form isn’t anywhere close to a gold standard. As privacy advocate Deborah Pierce (former Executive Director of PrivacyActivism) said during the hearing, right now, it’s more like window dressing. The quick descriptions here only scratches the surface of all the bill’s problems. The two-page fact sheet from Consumer Federation of America, Privacy Rights Clearinghouse, EPIC Privacy, EFF, and ACLU-WA has more details, and it’s really worth watching the video of the hearing.

And a bad bill is worse than no bill. It’s hard to fix things after the fact when legislators say it’s already a gold standard; and a bad bill also gives more ammunition to the big tech companies who advocate using these unenforceable regulations as a model for other states.

Fortunately, bills can still get changed even after they pass the Senate. I was really impressed by the ITED Committee. This was one of the best hearings I’ve been to since I can’t remember when, with excellent questions from legislators. The very solid “side-by-side” comparison presented by staffer Yelena Baker, highlighted the much stronger regulations the committee had considered in their own earlier work. With luck, we could still emerge from this with a strong privacy bill that passes the House.

UPDATE, March 3: An amendment from Chairman Hudgins improved some of the worst features of the bill. A couple of examples:

• adding a “per se” clause. This was enough to get the Attorney General to say that his office can now enforce the bill (as opposed to the bill coming from the Senate, which he described as unenforceable).
• narrowing the pre-emption clause by excluding facial recognition and grandfathering in existing legislation (so Seattle’s Broadband Privacy Rule remains)
• including a private right of action.

On the one hand, it’s progress; on the other hand, there’s still a long way to go. Meanwhile, Microsoft is so upset that the bill might be enforceable that they’ve switched their position to “other”.

UPDATE, March 7: The House passed a version of SB 6281incorporating all of Hudgins’ amendments improvements, dropping the facial recognition section (although similar language was added to SB 6280), and incorporating several more improvements moved by Ranking Member Norma Smith. It’s a much stronger bill going back to the Senate, although as members on both sides of the excellent debate on the House floor agreed, there’s still a lot work to be done.

Continued in Significant progress, although still a ways to go: privacy and facial recognition legislation advances in Washington State

Originally published at A Change Is Coming.