Privacy in Marketplace

Flawed Data-Privacy Bill Does Not Protect Consumers or Hold Companies Accountable

By: Jennifer Lee, American Civil Liberties Union; Susan Grant, Consumer Federation of America and Ed Mierzwinski, U.S. PIRG

Hardly a week goes by without disturbing news about another invasion of our privacy.

In the past six months alone consider: Facebook settling a $550 million lawsuit alleging that it collected facial recognition data of users without consent; location data companies tracking the precise movements of more than 12 million Americans via our cellphones; dating apps like Grindr and OKCupid sharing intimate information about users with advertising companies; and Google settling federal charges that it illegally collected personal information of children watching their YouTube videos.

The list goes on and on. It’s no wonder that people feel they lack control over their personal information and want government to stand with them against companies that willfully violate their privacy.

As threats to privacy proliferate, Washington legislators have a historic opportunity to enact a privacy law that will lead the way for other states. But significant changes are needed to the proposed Washington Privacy Act to set clear, fair and enforceable rules that will strengthen individuals’ control over their information and require businesses to treat consumers’ data appropriately and responsibly.

The test for this bill is not whether it is stronger in some respects than the California Consumer Privacy Act or the European Union’s General Data Protection Regulation. It is whether this bill, SB 6281, would provide meaningful, effective privacy protection for Washingtonians. Unfortunately, the bill that passed out of the Senate fails that test.

Here are some examples of how the Washington Privacy Act fails consumers and benefits companies:

  • It allows companies to collect, use and sell people’s data for almost any purpose, as long as they disclose that they are doing so in their privacy policies. We know that few people read these policies, and even fewer understand them. Companies should only be able to process people’s data to provide services they requested and fulfill strictly operational purposes unless those individuals explicitly agree to processing for other reasons.
  • Individuals only can opt out of having their data used for three things: targeted advertising, sale of personal data, or profiling to make decisions about them. Washingtonians should have the right to exert control over their personal information and avoid having their data used for any purposes that are not necessary to deliver what they want.
  • Personal data covered by some federal laws are exempted, weakening the privacy protections the bill ostensibly seeks to provide. There is no reason to exempt personal data when federal laws do not prevent states from providing stronger protections. Why should we have less power over the information that a mortgage lender collects about us than we do over the information a grocery store does?
  • The “data protection assessments” companies must do to evaluate their practices are secret. These self-issued report cards are not automatically available to anyone outside of the company; only the Attorney General can obtain them. This allows companies to hide information that people need to determine if their privacy is being threatened and allows the companies to claim they are strong on privacy without actually having to provide evidence. The public should have access to these assessments.
  • Companies are not responsible for the misdeeds of third parties with whom they share individuals’ personal data. They can pass on information and wash their hands of any privacy violations that happen as a result, as long as they don’t have “actual knowledge” that the recipients intended to commit a violation — a standard that is very difficult to enforce. This lets companies be lax about ensuring compliance with data-sharing agreements.
  • The bill facilitates the use of facial recognition technology that many studies have shown to have race and gender biases. There are also serious questions about how individuals can truly consent to its use, especially in public settings. Further study is needed; in the meantime, this bill should not allow for weak provisions that legitimize use of this problematic technology.
  • Individuals are prevented from taking companies to court for violating their privacy rights. The bill gives the state Attorney General exclusive enforcement authority, making it likely that only large patterns of violations would be punished. Many federal and state consumer-protection laws allow individuals to sue for violations, an essential tool to make sure companies follow the law. The Attorney General’s enforcement capability is hampered by the fact that the bill does not make violations subject to the Washington Consumer Protection Act.
  • The bill blocks local jurisdictions from passing stronger laws on data privacy and facial recognition, and would undermine existing privacy protections such as the city of Seattle’s broadband privacy rule. Local entities should be able to enact stronger privacy protections than those provided by state law.

Passing a weak bill that puts companies before individuals not only leaves us at the mercy of bad company behavior, it also sets a low standard for consumer protections. Legislators must stand strong and commit to protecting Washingtonians’ constitutional right to privacy. They should not settle for anything that falls short of that goal.