Communications Daily is a Warren News publication.
Bill in Flux

Privacy Groups Warn Washington State Not to Cede Control to Corporations

Privacy advocates said a Washington state law sought by Microsoft and other tech companies provides too little protection to consumers. The House and Senate privacy bills lack teeth and cede too much control to companies, American Civil Liberties Union and Consumer Reports officials said in interviews. State Sen. Reuven Carlyle (D) responded that his bill is “the strongest, meaningful privacy measure that is on the table.” House Innovation Committee Chair Zack Hudgins (D) has appeared more open to making changes in response to concerns, telling us his chamber’s bill is a “work in progress.”

Sign up for a free preview to unlock the rest of this article

Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!

Facing a Friday deadline to get bills out of fiscal committees, Washington lawmakers placed each privacy bill on Thursday schedules for executive action in the Senate Ways and Means Committee and the House Appropriations Committee. The meetings hadn't concluded by evening on the East Coast. Those panels heard testimony on each SB-5376 and HB-1854 at simultaneous hearings Wednesday.

It’s “extremely imperative” to bring core tenets of the EU general data protection regulation to the U.S., Carlyle said in an interview. As the home of Amazon, Microsoft and Starbucks, Washington state has a duty to write a “responsible and measured” bill that doesn’t create an inhibitive regulatory structure, he said. National legislation “would make sense at an academic, white-paper level, but we live in the real world,” said Carlyle, calling states laboratories of democracy. Until federal lawmakers “get their act together, we’re going to lead at the state level.” Last year’s California Consumer Protection Act (CCPA) was a “bold step forward,” but Washington’s bill gives “much more detail” on how to adapt GDPR for the U.S., he said.

Our committee is trying to find a realistic balance between the rights to data we want to establish in law, and practical implementation of those rights,” Hudgins emailed us, responding to privacy groups’ concerns. “We moved the bill out of our committee before policy cutoff as a ‘work in progress’ with substantial pieces of the bill missing in order to continue the dialog and discussion.” Committee members are working with Carlyle in the Senate, which is further along in work on the bill, he said.

The House tossed Carlyle’s measure and started fresh with principles that better stress consumer control of data, said ACLU-Washington Technology and Liberty Project Director Shankar Narayan. The ACLU doesn’t see “room” to improve the Senate version, he said. The privacy group, which slammed the Senate version in a Feb. 14 letter to Hudgins, wasn’t included in the stakeholder process to develop legislation, he said. The ACLU largely likes the House’s new direction and feels more involved in that chamber’s process, but the group will be closely watching how consent and other terms are defined, he said.

Privacy advocates are finding more sympathy for their concerns in the House, where the bill seems to be "in flux," said Consumers Union Director-Privacy and Technology Policy Justin Brookman. “There’s some potential there.” CU’s Consumer Reports opposed both bills in a Feb. 21 letter to Hudgins; Common Sense, Electronic Frontier Foundation and Privacy Rights Clearinghouse also signed.

Concerns

It’s misleading to refer to them as privacy bills because they are actually written by the tech industry,” namely Microsoft, Narayan said of the Washington legislation.

Proposed rules try to import GDPR but are “riddled with loopholes … such that the exceptions swallow the rule,” and unlike in Europe, there would be no strong regulator to enforce them, the ACLU official said. Merely requiring risk assessments “keeps the power in the hands of the vendors,” and the Senate bill’s proposed facial recognition rules are too permissive, he said.

Many of the proposed state rules rely on “corporate assessments about privacy risk,” giving companies more latitude to decide what is a privacy violation, said Brookman. While not perfectly written, California’s privacy law gives consumers more substantial protections than Washington proposed, he said. It’s fine for states to take different approaches but “dangerous” to set a precedent for allowing companies to decide what rights consumers should have, he said.

A risk assessment approach allows “companies to own the work of understanding how they manage their customers’ data in much more meaningful ways,” Carlyle responded. “Privacy advocates are simply not appreciating the constructive forcing function that risk assessments carry.” Carlyle believes the state AG should oversee privacy and doesn’t agree with privacy groups seeking a private right of action, he said.

Privacy risk assessments are “a central element of responsible data governance around the world,” emailed Future of Privacy Forum Policy Counsel Kelsey Finch. The nonprofit, which gets funding from big tech, internet and media companies, voiced neutrality on SB-5376 in a Wednesday letter to the Senate Ways and Means Committee. “We do recommend that Washington legislators take account of a growing technical and legal literature around data identifiability, and seek to provide incentives for companies to de-identify personal data,” Finch said. Lawmakers should take up facial recognition and other biometrics “in separate, future regulatory efforts,” she said.

Carlyle and state lawmakers are “developing a serious and thoughtful privacy bill that is meaningful and based on strong privacy principles and practices,” said Internet Association’s Rose Feliciano, associate director-state government affairs for the northwest.

Hearings

The Washington Senate bill would provide the “strongest privacy protections of any law in the United States,” incorporating the best parts of GDPR and CCPA, said Microsoft Director-State Affairs Ryan Harkins at the Senate Ways and Means hearing. The House version is “moving in the right direction,” he said at the House Appropriations hearing that day.

Microsoft disagrees with giving consumers a private right of action, which is in a recent draft of the House bill, Harkins said. The company also wants a more comprehensive definition of data than what’s now in HB-1854, he said. Harkins asked SB-5376 critics to give “substantive feedback” rather than “throw stones.”

The Senate bill “reflects a serious and practical approach to a very complicated set of problems,” said Alex Alben, chief privacy officer for Washington Gov. Jay Inslee (D). The state has a “rare window” to adapt GDPR for the U.S., he said.

Some witnesses appearing at both hearings sought exemptions for industries that they said are highly regulated, including banks, hospitals and children’s toys. Restricting law enforcement’s ability to use facial recognition in public places could hurt public safety, testified Washington Association of Sheriffs and Police Chiefs Policy Director James McMahan.

Multiple drafts of the House bill are floating as work continues, Hudgins told the Appropriations Committee. “It’s changing a lot.”