Washington State Legislature Kicks off 2020 With New, Better Privacy Bill
This week, Washington legislators kicked off the 2020 session by introducing new comprehensive privacy legislation. The Washington Privacy Act — sponsored by the House and Senate Chairs of the relevant committees — is considered the lead legislative proposal for safeguarding the collection and use of data. The bill has to move quickly to be signed into law at the end of this 60-day legislative sprint, and is expected to be subject to substantial scrutiny and potential amendment. The bill has already been the subject of hearings and is scheduled for markup, meaning passage is not beyond the realm of possibility. After reviewing the January 20 draft bill, it’s clear it is better than last year’s iteration, but still needs more work. Here’s how we think it can be strengthened.
Scope of law, key definitions, and exceptions
The Washington Privacy Act creates individual rights and corporate responsibilities in the commercial collection, use, and sharing of personal information. In many ways, the definitions and exceptions to the bill have been improved over previous proposals. Most importantly, the bill now clarifies that if a company uses a statutory exception to deny someone their rights, the onus is on the company to demonstrate that the exception applies and that the exception is exercised in a way that is necessary, reasonable, and proportionate (Section 10(6)). We also commend the legislature for removing a previous “business purpose” catch all which could be used to override individual rights for any reason that could be snuck into a privacy policy. There are a few changes still necessary though to make sure the bill clearly applies to all the right information, actors, and behaviors.
- Definition of sale (Section 3(29)): This draft’s definition of sale makes important changes to clarify that data needs only to change hands one time to trigger a consumer’s right to opt out. But as we’ve learned from the early days of CCPA implementation, data doesn’t have to “change hands” for third parties to profile or advertise against it. Old school conceptions of “selling” information does not reflect how current data models work. Legislators should consider amendments that would focus on third party processing of data, not the “sale” of data to third parties.
- Definition of sensitive information (Section 3(31)): This draft also adds precise geolocation data to the list of sensitive information that receives heightened protection. This is a crucial addition. Location can reveal a person’s religion, health problems, political associations, and other intimate information. And reporting over the last year has confirmed that it is regularly and surreptitiously collected by apps and services that having absolutely no need for it. But Washington should go further and look to federal proposals like the discussion draft released by Chairman Roger Wicker (R-MS) or Ranking Member Maria Cantwell’s (D-WA) bill for a complete list of sensitive data.
- Exception for product development (Section 10(2)(a)): The new protections on the exercise of statutory exemptions are welcome as discussed above, but Washington consumers would be best served by striking the exception for the development of new products. To be clear, existing U.S. privacy laws often include certain exceptions to ensure that companies can 1) offer the service someone has requested, and 2) serve broader societal interests like responding to criminal or civil investigations or protecting the security of a system. But building a new product serves neither and is in no way a justification for overriding a person’s individual rights, and the breadth of this exception is incredible. Companies would be able to collect, use, share, and sell sensitive data without notifying an individual or obtaining his or her permission. The other provisions in 10(2(a) are less objectionable, and conducting internal research to improve or repair the products a consumer has chosen to use is reasonable.
- Application of data security standards: Data breaches affect consumers regardless of the size or business model of the company that holds their data. We recommend that the requirement in Section 8(5) apply to all Washington data holders, including those that are exempted from coverage of the bill per section 4(1). Because the reasonableness standard scales to the amount of data a company has and the purposes for which it is used, smaller data holders who are not pushing the processing envelope will have smaller obligations.
Corporate responsibility
A meaningful privacy law must impose new obligations on the companies that collect, use, and share our data. To successfully protect consumers in our always-on society, any legislation must put the burden of data protection on the actors who are designing products and systematically shaping this complicated and dynamic ecosystem.
The January 20 draft gets a number of things right. First, it requires covered entities to take reasonable steps to ensure the confidentiality, integrity, and accessibility of personal information (Section 8(5)). This draft also puts risk assessment language in a more reasonable context (Section 9(1)). Simply completing one will not assure liability protection, but companies will be required to balance the equities in, and show their work to, the Attorney General in the case of an investigation into their practices.
Additional changes are still necessary.
- Minimization, purpose, and secondary use limitations (Section 8): Washington is to be commended for considering principles like minimization, purpose limitations, and restrictions on the secondary use of data. When drafted properly, these can be affirmative privacy obligations that truly shift the burden of privacy management back to companies. Under the current draft, these principles are not objective goals to be met but instead are tied to representations of how a company describes its products. It is likely that companies will argue that these sections are essentially prohibitions on deceptive practices and only obligate them to the rules set out in their privacy policies. Rep. Smith’s HB 2364 offers an alternative here by taking a hard line on corporate obligations. A middle road would be to borrow Rep. Smith’s language — but only apply it to the processing of sensitive data.
- Third party responsibility (Section 10(4)): This section absolves a company from liability for sharing data with a third party as long as it does not have knowledge that the third party intended to violate the law at the time of contracting. This standard encourages bad behavior and is out of step with corporate responsibility standards in a post-Cambridge Analytica world. Companies should have an obligation to not only make good decisions in contracting with third parties, but also exercise reasonable efforts on an ongoing basis to ensure those contractual obligations are filled. That approach exists in FTC settlements, FTC best practices, and is included in both Republican and Democratic bills at the federal level.
Enforcement
- Additional resources: The Washington Privacy Act should include additional resources for the state attorney general. While we do not propose a specific dollar number, we encourage the legislature to provide a significant number of additional staff to ensure the law can be enforced in a meaningful way.
- Private right of action: We also endorse the idea of a limited private right of action. As the Washington Attorney General’s office testified last week, empowering consumers to defend their legal rights in court is a crucial component of a working state privacy law. As we testified before the U.S. Senate, we believe the right policy solution is to craft a middle ground where citizen litigation is directed towards the most important violations and subject to fair procedures. This is not to make light of how hard it will be to balance the equities, but to suggest negotiations start now over what sections should be enforceable by individual litigation, whether a right to cure is appropriate, what form of remedy should be provided (fines vs. injunctive relief), and what role the Attorney General should have in determining whether and how cases proceed.
Conclusion
Washington state has come a long way since its first proposal a year ago. We thank the bill’s sponsors for continuing to work with a host of interested parties, including those in the privacy community, to craft a comprehensive bill that provides meaningful protections for consumers. However, we strongly recommend the sponsors include the additional edits outlined above. Given the shortened time frame for this year’s legislative session, the time to act to continue to improve this bill is now.