A stakeholder in the Washington state House of Representatives has unveiled her privacy bill, which may serve as the template for the House’s ultimate position on a number of privacy issues. If so, the House and Senate will once again be at odds over significant provisions, for the Senate’s bill largely tracks previously enacted bills. It is therefore possible that privacy legislation will once again fail to reach the Governor, for the third year in a row.
Representative Shelley Kloba (D) and her cosponsors introduced the “People’s Privacy Act” (HB 1433), and Kloba is the Vice Chair of the Innovation, Technology, and Economic Development Committee, one of the committees privacy legislation will need to move through. The American Civil Liberties Union of Washington described its role in the drafting of the bill and its supporters:
The People’s Privacy Act was created by the ACLU of Washington with input and support from the Tech Equity Coalition, a group of civil liberties and civil rights-focused organizations and individuals working to hold technology accountable and lift the voices of historically marginalized communities in decisions about technology and its use by government and corporate interests. The bill provides a strong people-focused alternative to SB 5062 (Sen. Reuven Carlyle, D – LD 36), which allows companies to override people’s decisions about if and how their information is collected, used, and shared. Unlike SB 5062, the People’s Privacy Act is enforceable through a private right of action, meaning that individuals would be able to sue covered entities that violate the Act.
The People’s Privacy Act is among the strongest privacy bills introduced in the United States (U.S.). It requires opt-in consent for the collection and processing of personal data, allows consumers to sue for up to $10,000 in damages per violation, and allows the state attorney general to sue for damages of $25,000 per violation or 4% of annual revenue, whichever figure is higher. It bars the use of facial recognition technology and artificial intelligence-enabled profiling. And, because it is such a strong bill from a privacy perspective, it will almost certainly not be enacted as currently written.
Before we turn to the details of HB 1433, a brief recap of the bill moving through the Senate. Last September, Washington State Senator Reuven Carlyle (D-Seattle) released a discussion draft that tracked fairly closely the last bill the Senate passed before the legislature adjourned (see here for analysis). Big picture, the bill still uses the concepts of data controllers and processors most famously enshrined in the European Union’s (EU) General Data Protection Regulation (GDPR). Like other privacy bills, generally, people in Washington State would not need to consent before an entity could collect and process their information. People would be able to opt out of some activities, but most data collection and processing could still occur as it presently does. Earlier this month, Carlyle and cosponsors revised and then introduced their bill, the Washington Privacy Act (SB 5062), which tracks closely with the two bills produced by the Washington Senate and House last year that lawmakers could not ultimately reconcile (see here for analysis). However, there are no provisions on facial recognition technology, which was largely responsible for sinking a privacy bill in Washington State two years ago. The sponsors have also taken the unusual step of appending language covering the collection and processing of personal data to combat infectious diseases like COVID-19.
The Washington State Senate Environment, Energy & Technology Committee held a mid-January hearing on SB 5062 and made available a number of materials, including an overview of SB 5062 and a comparison between it and the “California Privacy Rights Act.” A week later, the committee marked up the bill, adopted a substitute version, and then sent the bill to another committee. In the bill report, staff summarized public testimony on the bill into three groups:
- PRO: Consumers only have rights that are granted to them by businesses. The bill provides new rights and gives consumers more control over the handling of their data. By providing a regulatory framework for the processing of data, consumers are provided data protections, businesses may advance services and operate with increased predictability, and public confidence and trust will be fostered. Contact tracing provisions are needed to build public confidence in using tools to help stop the spread of COVID-19.
- CON: This bill does not provide meaningful consumer protection regulations. People need to be able to bring a private right of action, which this bill explicitly prohibits, in order to protect their privacy rights and hold businesses accountable. This approach protects businesses rather than consumers by providing several exemptions. Financial information should be included. This bill fails to protect sensitive data shared by children in schools. The bill should include protections for teenagers. Contact tracing provisions should be addressed in a separate bill. An opt-in framework provides better protections than the opt-in provisions of the bill. Major platforms are carved out of the bill. Local jurisdictions should be able to enact stronger privacy laws.
- OTHER: This bill reflects all of the hard work that has gone into this issue over several years and represents a compromise amongst various stakeholders. We are concerned that the definition of targeted advertising is confusing. We recommend a couple of measures that will help consumers exercise their rights such as recognizing global opt out mechanisms and authorizing delegated authority. With regards to enforcement, we have concerns with the cure period. This bill provides tools needed for enforcement. Compliance is burdensome; nonprofits should be exempt from these requirements just as they are in California. We have concerns that the provisions regarding loyalty programs might invalidate some partnerships.
From the outset, in the legislative findings section of the People’s Privacy Act, it is clear the sponsors are viewing privacy and possible harms much more widely than other stakeholders, for among the reasons listed for the legislation are:
- Privacy violations and misuse of personal information in the digital age can lead to a range of harms, including discrimination in employment, health care, housing, access to credit, and other areas; unfair price discrimination; domestic violence; abuse; stalking; harassment; entrapment; and financial, emotional, and reputational harms.
- Privacy harms disproportionately affect low-income people and people of color.
- Privacy violations not only threaten the fundamental rights and privileges of Washingtonians, but they also menace the foundation and supporting institutions of a free democratic state.
As is to be expected, many of the definitions are written broadly. In what is perhaps some wordsmithing, a new term is used extensively in the bill to describe the information covered entities are collecting and processing. This bill deems that information “captured personal information,” a phrase that embodies the view of the sponsors on the data practices of businesses. The bill defines this term as:
personal information about a Washington resident that is captured in an interaction in which a covered entity directly or indirectly makes available information, products, or services to an individual or household. Covered interactions include but are not limited to posting of information, offering of a product or service, the placement of targeted advertisements, or offering a membership or other ongoing relationship with an entity. For the purposes of this chapter, “captured personal information” includes biometric information, regardless of how captured.
“Personal information” is also defined as
any information that directly or indirectly identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to a particular individual, household, or device. Information is reasonably linkable to an individual, household, or device if it can be used on its own or in combination with other information to identify an individual, household, or device.
The definition of covered entity (CE) is among the broadest yet encountered:
- Those entities which have earned $10 million or more in 300 or more transactions in the previous year; or
- An entity maintaining or processing the captured personal information (CPI) of 1,000 or more Washington state residents
Clearly, this would encompass almost every business in the state of Washington save for the very smallest or those that do not maintain or process CPI.
Also of note, the definition of harm is very wide, which matters because suits will be brought on the basis of harm. It is therefore worth quoting in full despite its length. Harm is defined as:
- potential or realized adverse consequences to an individual or to society, including but not limited to:
  - Direct or indirect financial harm;
  - Physical harm or threats to individuals or property, including but not limited to bias-related crimes and threats, harassment, and sexual harassment;
  - Discrimination in products, services, or economic opportunity, such as housing, employment, credit, insurance, education, or health care, on the basis of an individual or class of individuals’ actual or perceived age, race, national origin, sex, sexual orientation, gender identity, disability, and/or membership in another protected class, except as specifically authorized by law;
  - Interference with or surveillance of First Amendment protected activities by state actors, except as specifically authorized by law;
  - Interference with the right to vote or with free and fair elections;
  - Violation of individuals’ rights to due process or equal protection under the law;
  - Loss of individual control over captured personal information via nonconsensual sharing of private information, data breach, or other actions that violate the rights listed in section 4 of this act;
  - The nonconsensual capture of information or communications within an individual’s home or where an individual is entitled to have a reasonable expectation of privacy or access control; and
  - Other effects on an individual that may not be reasonably foreseeable to, contemplated by, or expected by the individual to whom the captured personal information relates, that are nevertheless reasonably foreseeable, contemplated by, or expected by the covered entity that alter or limit that individual’s choices or predetermines results.
Moreover, there is room for this list of types of harm to grow, because the first clause in the definition makes clear the list is not exhaustive. How these harms would be determined is an unanswered question. Perhaps the sponsors see fit to leave this to Washington state courts.
The sponsors include an incentive to push CEs to encrypt CPI. The definition of “process” includes this clause: “a person or entity that operates on CPI that is encrypted or otherwise in a format that makes it not accessible or susceptible to being made accessible to such person or entity in any comprehensible form shall not be deemed to be processing such CPI.” This exception to the definition of process will allow CEs to sidestep some of the bill’s responsibilities if they encrypt CPI.
The residents of Washington state would have the following rights:
- The right to access the personal information a CE is holding, including both the categories of information and the specific information
- The right to correct inaccurate or incomplete information
- The right to obtain personal information in a machine readable format
- The right to refuse the processing of CPI above and beyond the primary transaction
- The right to demand and obtain the deletion of CPI except if the CE is required by law to hold the data or another exception applies.
- The right not to be subjected to surreptitious surveillance
CEs generally have 30 days to respond to verifiable requests with some exceptions, of course. CEs may ask for more information if they are unable to verify the identity of the requester or there is reasonable doubt about the identity of the requester. With respect to requests to correct inaccurate or incomplete information, CEs must provide reasonable means to do so.
HB 1433 is perhaps strongest on the issue of consent. Nothing less than knowing, affirmative, unambiguous consent works, and there is even language making clear that merely visiting a website or opening an app would not suffice to function as consent. Additionally, people in Washington must opt in to processing, whereas most bills have opt-out as the default. CEs must make it easily understood, in a prominent fashion, that people may decline consent and may withdraw consent at any time after granting it. If a person decides against opting in, the CE has the responsibility to delete any data that may have been collected. Moreover, in the event a person declines to consent, CEs can collect only the data necessary to determine whether a person will consent and nothing more.
Under the People’s Privacy Act, 13 is the age at which a person may utilize and enjoy all the rights in the bill. Anyone under this age would be covered by the “Children’s Online Privacy Protection Act of 1998” (COPPA) (P.L. 105-277).
The People’s Privacy Act largely bars different pricing or diminished service or products for those who decline to let their CPI be processed. There is, however, language that would allow for loyalty and rewards programs with the sizeable caveat that any CPI collected and processed must only be for those programs. The Washington Department of Commerce must study and report on the most effective ways of getting knowing, unambiguous consent. The Washington Department of Commerce must also promulgate regulations specifying how:
- CEs must notify individuals of their rights under this chapter and obtain individuals’ freely given, specific, informed, and unambiguous opt-in consent for each use model of captured personal information processing; and
- CEs must notify individuals of their right to withdraw their consent at any time and how the right may be exercised.
There must also be regulations “grouping different types of processing of captured personal information by use model and permitting a covered entity to simultaneously obtain freely given, specific, informed, and unambiguous opt-in consent from an individual for multiple transactions of the same use model.”
HB 1433 borrows from the field of tort law to set some of the security standards CEs will need to meet. Some CEs must meet the reasonable standard of care in their field with respect to storing, using, and transmitting CPI. The Washington Department of Commerce is given the authority to promulgate, if it wishes, reasonable standards that would preempt any lower standards.
CEs are only permitted to disclose CPI to third parties under contracts that bind them to the same security and privacy obligations. CEs must oversee such third parties and conduct audits at least annually to ensure compliance with the contract. Likewise, CEs must enter into contracts with data processors before disclosing CPI that limit the latter’s processing to the purposes for which consent was originally granted. If a CE knows that another entity to whom they disclosed information is violating HB 1433, then the CE must limit access to data and press the other party to delete the data. Additionally, CEs must also obtain consent from people before they may process their personal information obtained from a third party. Finally, CEs may not remotely turn on or access a camera or microphone without opt-in consent, which will only be effective for 90 days.
Biometric information would be subject to a higher level of protection that would bind CEs and also Washington governmental entities (WGEs). For example, these entities would not be able to hold biometric information for more than a year after the last time a person interacted with the entity. Likewise, consent for the processing of biometric information is only good for one year; when the consent automatically expires, the entity must permanently delete this information. Written notice must be provided to a person and consent obtained before this class of personal information may be processed.
There are strong protections against the use of CPI to discriminate in a number of ways. For example, CPI cannot be used for targeted advertising for a range of services, including “employment, finance, health care, credit, insurance, housing, or education opportunities” in discriminatory ways. CPI cannot be used to discriminate in public accommodations, sales, and targeted advertising. There is a bar on the use of facial recognition technology or artificial intelligence-enabled profiling by CEs and WGEs.
Invariably, privacy bills contain exceptions to the requirement that consent must be granted before certain information can be processed. The People’s Privacy Act is no different, except that its exceptions are narrower and fewer in number. Consent is not required if a CE or WGE is responding to an emergency posing danger to a person. However, the entity will need to contemporaneously document the rationale for skipping consent and then notify the person after the fact. There are exceptions for warrants, subpoenas, and federal and state requirements. Finally, the processing of de-identified information does not require a person’s consent. Notably, there are no exceptions for security or for improving products or services, as there are in most bills.
Unlike the Washington Senate’s bill, HB 1433 includes a private right of action with a rebuttable presumption of harm if there is a violation of the act. People can seek $10,000 in damages per violation or actual damages, whichever is higher, and any other relief the court thinks appropriate. The state attorney general is also empowered to bring enforcement actions and seek up to $25,000 per violation or 4% of the previous year’s revenue, whichever is higher. The attorney general may also seek restitution and any other equitable relief a court sees fit to provide. Finally, there is a new wrinkle for privacy bills: city and county prosecutors may bring actions in the same way the attorney general may, which would provide a backstop if there is a lack of enforcement at the state level. It will be interesting to see if this provision migrates to other privacy bills. Interestingly, the bill states that the statute of limitations to sue starts running when a violation or injury is found, not within an arbitrary, defined timeframe (e.g., five years).
Finally, the bill preempts city and county privacy laws only to the extent they are weaker. And, interestingly, the People’s Privacy Act lacks the by now customary provisions exempting entities in compliance with other state or federal privacy regimes (e.g., Gramm-Leach-Bliley for financial services entities) and makes clear these entities will be required to comply with any requirements in this act that are above those imposed by another privacy framework.
It must also be mentioned that two of the Congressional stakeholders on privacy and data security hail from Washington state, and consideration and possible passage of a state law may limit their latitude on a federal bill they could support. Senator Maria Cantwell (D-WA) and Representative Cathy McMorris Rodgers (R-WA), the chair of the Senate Commerce, Science, and Transportation Committee and ranking member of the House Energy and Commerce Committee respectively, are expected to be involved in drafting their committees’ privacy bills, and a Washington state statute may affect their positions in much the same way as the “California Consumer Privacy Act” (CCPA) (AB 375) has informed a number of California Members’ positions on privacy legislation, especially with respect to bills seen as weaker than the CCPA.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.