The Washington Privacy Act: Not a model for state privacy law.
The Tech industry supports the Washington Privacy Act (SB 5062) because it memorializes their current practices, because it starts with the assumption that they have the right to process people’s personal information as long as they meet minimal and specific legal requirements, and because it limits the prospect of enforcement. The WPA is carefully worded to preserve those goals, limit application, and ensure that it places few, if any, new requirements for consumer privacy. As a result, the Washington Privacy Act promises more privacy protection than it delivers.
The Washington Privacy Act (WPA) is one version of a model state privacy bill promoted across the US. The WPA is nearly identical to Virginia HB 2307 that is currently on a path to adoption in Virginia, and to Minnesota HF 1492, a reintroduced version of HF3936 that did not advance in the Minnesota legislature in 2020.
Although these “sibling” bills have some positive provisions, including requirements to consider the risk of processing in a Data Protection Assessment and prohibitions against discrimination, in general, they presume the right of industry to process personal data, and are carefully tuned to the needs of Tech industry supporters. While these sibling bills are all backed by industry, the latest incarnation of the WPA has in several ways evolved to be even more favorable to industry.
The loopholes introduced in the WPA to gain industry support also mean they are less protective of people’s privacy in critical ways. The WPA and its sibling bills don’t represent an effective model for state legislation, or a good basis for national law. These bills should not pass without amendments to close the following loopholes:
· Only protecting the rights of consumers, and excluding the privacy rights of people acting in an employment or business context;
· Limiting people’s right to know about and access information companies collect about them;
· Allowing companies to collect, use, and sell people’s personal information without their consent;
· Stopping people and advocates from fighting for their privacy in the courts.
In contrast, the proposed People’s Privacy Act (HB 1433) starts with privacy rights (not consumer rights) for all residents, and a core concept that controllers (entities such as companies that decide how personal data is processed) must describe all processing and receive consent for that processing from the person it relates to. While these basic concepts will not be enough to handle all the privacy issues Washington State faces today and in the future, the conceptual clarity of the People’s Privacy Act is a much stronger basis for legislation. Unlike the WPA, the People’s Privacy Act supports controller transparency and access to the courts for affected individuals, providing the opportunity to evolve privacy protection in Washington as legislation and law.
The WPA limits people’s privacy to consumer privacy
The WPA limits the scope of who is protected to its definition of “consumer,” thereby excluding people acting in an employment or business context. This narrow scope of protection helps platforms like Uber and Amazon that engage individuals in a complex mix of employment, commercial activity and personal information. But it leaves a vulnerable group of contractors, gig workers and anyone using sales or services platforms unprotected — a consumer can walk away if they sense a bad privacy trade-off, but employees or users of dominant or essential platforms likely cannot leave, and they receive zero protection under the WPA and similar bills.
The WPA also excludes from protection any processing that falls under eight state and federal privacy statutes as well as HIPAA and seven other health privacy laws. Multi-state and multi-national companies have invested in the patchwork of privacy regulation in the US and the GDPR in the European Union. Eliminating processing under existing laws from the jurisdictional scope ensures the WPA leaves that patchwork in place, cutting compliance costs for companies serving Washingtonians.
Unfortunately, leaving the patchwork in place also forces individuals to navigate it to understand and execute their rights. It also gives controllers a powerful tool in contesting people’s requests for redress: any complaint raised by a consumer will be vetted against the limitations to jurisdictional scope in the WPA and WPA-style bills before the controller even considers a response.
The WPA should be amended to support the Privacy Rights of Washingtonians in all contexts, not just when they are consumers. The WPA should also be changed to remove exemptions for laws that do not provide Washingtonians the strongest privacy protections.
Under WPA, controllers don’t have to disclose all the personal data they process
The WPA gives consumers the right to see (access) the categories of personal data concerning the consumer held by a controller, but not the details about their personal information they didn’t provide — so the vast majority of the personal data the controller captures can be hidden from disclosure under the WPA. (The Virginia and Minnesota versions provide the right to access all personal data.) The controller can also hide personal information as “Pseudonymous data”, retrieving it for processing when they choose.
Of course, consumers can’t understand or ask for rights on data they can’t see, and the limitation to provided data in the WPA makes meaningful oversight by consumers virtually impossible. At best, under the WPA, a consumer can ask for erasure of categories of data or correction of data they provided. There is no possibility for a Washingtonian to correct inferences or mistaken location data, to say for example, “I’m not pregnant” or “I wasn’t there” because they cannot see all their personal information under the WPA.
Clearly, controllers prefer to keep track of the categories of personal data rather than tracking the specific data for each person. Categories of data change slowly and are easy to disclose; the specific data collected changes frequently. However, beyond cheaper implementation, reducing the required disclosure to categories of personal data shields controllers from investigation that is possible only by seeing the specific data held about a consumer and how it changes over time. Having the right to access the personal data a controller holds is one of the key ways consumers and advocates can gain insight into otherwise “black-box” processing of personal data. Providing simply the categories of data reduces oversight for controllers at the expense of transparency for people.
At a minimum, the WPA should be changed to allow consumers to access all of the personal data held by the controller, in line with the Virginia and defeated Minnesota proposals, and nonsensical allowances for pseudonymous data in Section 108(2) should be removed.
The WPA assumes industry has the right to process personal data without consent.
The WPA and the sibling bills assume that controllers can process personal data if they disclose the “purposes for which the categories of personal data are processed.” Controllers must be reasonable in their collection or processing of data to support those disclosed purposes, but otherwise processing has few additional restrictions. A defined set of “Sensitive data” may not be used to cause (already) unlawful discrimination and any other (nondiscriminatory) use of sensitive data requires the consumer’s consent. This broad ability to process data for disclosed purposes supports the current practice of the largest Tech companies.
The right to “opt-out” of processing is presented by supporters of the WPA as a key counterbalance to the broad rights provided to controllers to process people’s personal data. In truth, opt-out isn’t a sufficient framework to meaningfully empower people to exercise control over their data, and even if it were, the opt-out rights in the WPA are so nuanced that they do not provide that balance.
In the WPA and sibling bills, the right to opt out of “Targeted Advertising” means to stop the display of advertisements based on personal data obtained over time and on non-affiliated (third-party) websites or applications. Data gathering, profiling and behavioral engineering needed to target the advertisement is not part of the definition and can continue after the consumer opts out, allowing controllers to improve the overall advertising model while they convince the consumer to consent.
In addition, by definition in the WPA, consumers can only opt out from targeting based on information across non-affiliated third-party web or app networks. This means multi-site, multi-app platforms can target consumers without any ability for them to opt out. For example, consumers would not be able to stop targeted advertising based on personal data collected by Amazon.com plus Whole Foods plus Alexa, or from Facebook.com plus WhatsApp plus Instagram.
The definitions and allowances for opt-out are similarly nuanced for sale of personal data and profiling; the ability to opt out only for profiling with legal or similar effects is of questionable interest to consumers dealing with providers of goods and services under the other limitations and applicability clauses of the WPA.
It’s also likely to be exhausting to exercise any of the rights under the WPA and the sibling bills. People must parse through the same lengthy privacy policies controllers present today to understand how their data is processed and then navigate each controller’s unique process to exercise their rights. If the controller chooses to refuse the request, it can take 45 days for the consumer to find out and understand their right to appeal, and the first response to the consumer from that controller-defined appeal process can take up to an additional 90 days.
The WPA’s narrow definition of opt-out rights, its allowance of controllers to tune the process for opt-out and appeal, and its creation of long timelines for those interactions largely maintain the status quo where people don’t have meaningful privacy rights.
Though changing the core premise of the WPA in amendment is essentially impossible, there are some additions that can improve the WPA. If the WPA does not shift to an opt-in model where controllers must get permission to process people’s data, at a bare minimum the WPA should make required disclosure consistent and more transparent, and should allow Washingtonians to opt-out of any processing of their personal data as a fair way to balance their rights with the business interests of the controller. Additionally, the definition of targeted advertising and sale of data must be changed to match the promises the rights appear to make, and the timelines and processes for exercising privacy rights should be tightened.
The WPA does not allow consumers to enforce their rights directly
The WPA and sibling laws place sole authority for enforcement on the State Attorney General, who also has the sole right to review Data Protection Assessments and records of appeals by consumers. The WPA and sibling laws also require the Attorney General to issue warning letters to controllers with the specific provisions they may have violated, and allow the controller an opportunity to cure any violations before an action is taken. These bills ensure the Attorney General’s office becomes the key industry focus for political influence, budget reductions and regulatory capture.
Most importantly, a violation of the bills is prohibited from being the basis of a private right of action in the WPA and the sibling bills. Eliminating a person, a group, or a consumer advocate from suing the controller directly not only reduces the threat of enforcement for the controller, it also stops discovery of the data protection practices of the controller through the courts. Discovery through the courts is a proven way of understanding opaque business practices and the actual harm they represent, and is a key tool for advocates and the Attorney General’s office to gain transparency into processing of personal data.
The People’s Privacy Act is a better foundation for Washington privacy law
The People’s Privacy Act, introduced into the Washington legislature as HB 1433, focuses on the rights of Washingtonians first, and addresses the key limitations of SB 5062 and the nearly identical bills introduced in Minnesota and Virginia.
The People’s Privacy Act would apply to people, no matter how they interact with companies that process personal information. It makes it unlawful for companies and government agencies to use people’s personal information to discriminate against them and sets strict standards for use of biometric information by any entity that processes biometric data. Critically, the PPA would apply whenever it provides stronger privacy protections for individuals.
The People’s Privacy Act requires companies to be specific about the “deal” they are making with customers during transactions through consistent and comprehensive notices, and requires controllers to get a new standard of affirmative consent for any processing. It would also require that people can remove consent as easily as they provided it.
The People’s Privacy Act provides individuals with a right to access both the categories and all the specific information processed. This would help people understand the broad categories of personal data being processed, and provide the specific pieces of personal information needed to support privacy rights for correction and deletion. Most importantly, the People’s Privacy Act assumes people have the right to agree to use of their personal information before any processing begins and gives people the power to enforce their privacy rights.
The People’s Privacy Act gives people the right to:
· Know what personal information companies collect, access, use, retain, share, monetize, and analyze about people;
· Easily access and review free of charge all personal information held by a covered entity;
· Refuse consent for any processing that is not essential to a primary transaction that has been requested by a person;
· Correct any inaccurate personal information;
· Delete all captured information not needed for a specific transaction;
· Not be subject to secret surveillance via tools on personal devices including cameras and microphones;
· Enforce any violations of privacy rights in court.