Consumer Federation of America strongly supports states’ efforts to protect their residents’ privacy. Unfortunately, we find ourselves once again opposing the Washington Privacy Act (SB 5062), a bill supported by major tech companies such as Microsoft, Amazon and Google. It’s based on the outdated “notice and opt-out” framework that underpins the current system of commercial surveillance and thus fails to provide consumers with meaningful control over their personal information.
Instead of requiring companies to get people’s permission before using their data, the Washington Privacy Act places the burden on consumers to navigate today’s incredibly complex data ecosystem. Under this weak bill, consumers must take steps to opt-out of unwanted uses of their information (to the limited extent they are allowed to do so), Making “opt-out” the default disempowers consumers and poses equity concerns; consumers with less time and resources to figure out how their data is being used and how to opt-out will inevitably be subject to more privacy violations. Where the default lies matters, as marketers well-know. It’s time to change the default to “opt-in.”
That’s not the only concern we have about the WPA.
- It gives consumers no rights concerning the personal data that may be gleaned from social media and other “channels of mass media” if they didn’t adequately restrict access to that information.
- It gives consumers no control over businesses selling their personal information to affiliated companies.
- It requires opt-in for processing consumers’ “sensitive data” but not for uses of their personal information that may be sensitive.
- It allows consumers to opt-out of seeing targeted advertising based on tracking their activities over time on multiple websites and apps and profiling them, but that opt-out does not stop the tracking and profiling from occurring.
- It does not apply to advertising based on tracking consumer’s activities over time on the company’s own website or app and profiling them – the business model of Google and Facebook, which profit from profiling and targeting consumers on behalf of other businesses.
- It only gives consumers the right to opt-out of profiling when it is used “in furtherance to decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer.” There is no overall right to stop being tracked and profiled.
- It does not apply to consumers’ personal information when it is in the hands of financial services companies or other businesses that are covered by other laws, even if the privacy protections of those laws are much weaker.
- It limits consumers’ rights to see the data that has been collected about them to the personal information they provided to the business; they have no right to see the information the business has obtained about them from other sources or gleaned through tracking them.
- It allows parents and legal guardians to exercise consumer’s rights but does not enable consumers to designate others to act on their behalf, as California’s privacy law does.
- It lets the companies that hold and process consumers’ personal data avoid any responsibility when third parties to which they disclose the data violate the law unless they knew those parties intended to violate the law. (So Facebook would have no liability for what Cambridge Analytica did with users’ personal information).
- It prevents consumers from taking legal action to enforce their rights.
- It creates a “right to cure” that hampers the attorney general’s ability to take action to stop bad practices and obtain remedies for consumers. California eliminated this from its privacy law.
There are additional concerns as well, which we detail in an analysis available on our website. And it’s not just this bill that worries us – the WPA is being promoted as a model for other states. A bill that mirrors it went through the Virginia Senate and House in less than a month and is awaiting final action. Consumer groups have asked for some changes to be considered before this is a done deal. These are, in my view, very modest suggestions.
What should be enacted in Washington is the People’s Privacy Act. As a fact sheet from ACLU Washington explains, it takes an opt-in approach for use of consumers’ personal data beyond what is necessary to do something they have requested, such as to make a transaction. It also provides more protection from discrimination, gives consumers the right to avoid being surveilled, clamps down on the use of facial recognition and other biometric data, and empowers consumers to enforce their rights. This is a model to replicate in other states.
Shamefully, the People’s Privacy Act has been denied even a hearing. That is anti-consumer and anti-democratic. It’s also short-sighted. Businesses’ data practices are going to have to change much more significantly than the WPA would require when consumers – and legislators – realize that laws such as this don’t provide the real privacy protections they expected.