The illusion of protection and SB 5062 (the Bad Washington Privacy Act)

Last updated: March 11.

The weak, industry-backed Bad Washington Privacy Act (SB 5062) has passed the Senate, and is heading on to the House.   SB 5062’s January Senate hearing featured plenty of sharp criticism, including examples of how it would not help people and communities who are being harmed by data abuse.

Civil rights and community groups have given

The People’s Privacy Act, community-driven, people-centric alternative to the Bad Washington Privacy Act, takes a radically different approach.  The People’s Privacy Act gives rights to people, not just consumers.  It was designed from the ground up in collaboration with the civil liberties and community groups in the Tech Equity Coalition, focusing on protecting people who are harmed by data abuases.  It’s got a private right of action, and allows city and county attorneys to pursue claims against companies that harm Washingtonians.  

It would be great if the legislature simply adopted the People’s Privacy Act.  Rep. Shelley Kloba introduced it into the House as HB 1433, and it has bi-partisan co-sponsorship, but it has not yet gotten a hearing.  

So another path to strong privacy protection is to improve SB 5062.   Let’s face it, history is not encouraging here.  In 2019 and 2020, the Senate passed weak, corporate-friendly bill sponsored by Sen. Carlyle.  The House listened to privacy advocates and community groups, and passed a significantly stronger version to protect consumers. Negotiations between the chambers collapsed.  Our privacy as Washingtonians remained unprotected.

I’m sure I’m not the only person who will be really upset if that happens again.

Still, SB 5062 is the bill that’s on the table now.  So it’s worth a try.  Fortunately, the years of testimony and feedback from civil rights and consumer groups, and in some cases specific langauge from the People’s Privacy Act, highlight quite a few opportunities.  

Here are some possible improvements.   Some of these are very straightforward, others likely to be more controversial.    

Give rights to people, not just consumers, for example by reframing Section 103.

Remove loopholes and definitional problems.   For example:

• Replace the exemptions for student, financial, health care (the Section 102 (2), clauses a b c d e f g h i j k l m I talked about in my testimony) with language from HB 1433 Section 11 (2) and (3), which basically says this new legislation applies where it provides stronger privacy protections for individuals than existing law and the federal laws do not preempt state laws.  Also, I realize airlines just got added, but they could certainly be removed again!
• Include sites and apps like Google, Facebook, and Amazon within the definition of targeted advertising by removing Section 101 (33) (a).
• Remove the warrantless law enforcement exceptions in Sections 110 (c) and (g).
• Remove the right to cure in Section 112 (4), as California did in the recently-passed CPRA.  A right to cure drains AGO resources, and creates a perverse incentive for companies to ignore the law until they’re notified that they’re breaking it.
• Remove or at least tighten the five-year exemption for non-profits and institutions of higher education in Section 403.  As currently written, this exemption even applies to for-profit colleges, who as Tressie McMillan Cottom says “target and thrive off of inequality.”

Get rid of the confusing mix of opt-out and opt-in (a classic dark pattern!) and require that companies always get consent before using people’s data (Section 107 (8)).  Opt-in creates positive incentives for companies — they need to make it easy for users to understand the benefits and consent.  Opt-out, by contrast, gives companies incentives to make it hard for users to withdraw their consent.  Opt-out is especially problematic for disabled users (many websites do not work well for people using screenreaders or other assistive technology) and people who prefer languages other than English (most websites and apps only have English-language opt-out pages).

Add a private right of action, as the AGO and other groups have consistently requested, by removing section 111 and instead explicitly using language similar to the People’s Privacy Act Section 10 (1).

Allow city attorneys and county prosecutors to enforce the law by removing the word “solely” from Section 112 (1) and adding language from People’s Privacy Act Section 10 (3).

Allow for stronger local legislation, by removing the preemption clause (Section 114), and potentially replacing it with the People’s Privacy Act Section 11 (1).

Split out the timely and important topic of protecting Covid-19 related data (Parts 2 and 3) into a separate bill,  as several people suggested during the hearing .   New York’s Contact Tracing Privacy Bill: A Promising Model, from the Brennan Center, discusses this in more detail.

That’s a lot.  Still, politics is the art of the possible.   Last year, the House ITED committee strengthed the bad Senate bill substantially, and it was further strengthened on the House floor.  This year, its going to the House Civil Rights & Judiciary instead; hopefully, they’ll be even more attuned to the civil rights issues. The optimistic scenario is that SB 5062 is strengthened enough in the committee that it becomes the Pretty Good Washington Privacy Act, and then further strengthened on the floor to be the Pretty Good Washington Privacy Act.

Of course, tech companies will still be push back hard – and politically, it’s a lot easier for legislators to pass a bad bill and claim it’s better than it is.  So it’s hard to know how things will work out.  Will we get real privacy protection, the illusion of protection, or once again nothing at all?   Time will tell!

References

For more about SB 5062’s illusion of protection, see

• The video of the Senate hearing on SB 5062. If you only have 10-15 minutes, start watching at 59:50 for Brianna Coffrey of CAIR WA’s testimony, Cherie Kiesecker of Parent Coalition on Student Privacy, Emilie St-Pierre of Future Ada, Cynthia Spiess, and Susan Grant of Consumer Federation of America.  If you’ve got a few minutes more, follow up with the segment starting at 27:56 which has a range of perspectives.   If you prefer text, I live-tweeted the hearing and have a summary here … but it’s really worth watching at least the 10-15 minute video segment!  
• The Washington Privacy Act: Not a model for state privacy law by privacy standards expert (and former Microsoft employee) N. Gregg Brown
• Washington Privacy Bill needs stronger safeguards for consumers, by Maureen Mahoney of Consumer Reports in the Seattle Times.
• We Need Real Privacy Protection in the States, not the Washington Privacy Act’s Illusion of Privacy by Susan Grant of Consumer Federation of America.
• A bad day for a bad privacy bill, a good day for privacy discusses last year’s House hearing on the 2020 version of the Bad Washington Privacy Act (SB 6281), with testimony from  Stan Shikuma of the Japanese American Citizen League’s Seattle Chapter, Derek Lum of Interim CDA, Eli Goss of OneAmerica, and others including me.  Once again, it’s even better on video.
• The People’s Privacy Act, not the Washington Privacy Act, is the better bill to protect consumers’ civil rights and civil liberties by Jennifer Lee of ACLU of Washington.

Image credits

• Hearts of Four Colors, copyright Akiyoshi Kitaoka.
• Fraser Spiral Illusion, public domain, via Wikipedia
• Grid Illusion, Herrman or Hering grid, public domain, via Wikipedia
• Salaat First by Faisal Edroos/Middle East Eye, originally in Another Muslim prayer app found to be tracking users’ locations
• Rotating Wagishi Snakes, copyright Akiyoshi Kitaoka.
• Creating Movement with an unmovable object, by SABO123 , licensed under CC-BY-SA3.0, via Wikipedia
• Motion illusion in star arrangement, by Fiestoforo, licensed under CC-BY3.0, via Wikipedia

Edit history:

The initial version of this post, in late January focused primarily on the case study, focusing primarily on targeted advertising and marketing.  

In early February, in response to some very helpful feedback from Stacey Gray on Twitter (who disagreed with someof the original analysis) as well as several people pointing out that I had skipped some basics, I added the new section on loopholes, and reworked the analysis of the case study.  

On February 6-7, I added new sections on enforceability and “variations on a theme” … plus a couple more illusions!   And on February 9, I incorporated some of the fiscal analysis from the Ways & Means hearing.

In early March, I added a discussion of law enforcement exceptions, included a few ore exaples in the “variations on a theme” section, updated the bill’s status, and added the References section.