The steady parade of US data privacy legislation continued last month in Washington with the introduction of an improved bill that would grant state residents the rights to access, control, delete, and port their data, as well as opting out of data sales.
The bill, called the Washington Privacy Act, also improves upon its earlier 2019 version, providing stronger safeguards on the use of facial recognition technology. According to some analysts, when compared to its coastal neighbor’s data privacy law—the California Consumer Privacy Act, which went into effect this year—the Washington Privacy Act excels.
Future of Privacy Forum CEO Jules Polonetsky called the bill
“the most comprehensive state privacy legislation proposed to date.”
“It includes provisions on data minimization, purpose limitations, privacy risk assessments, anti-discrimination requirements, and limits on automated profiling that other state laws do not,” Polonetsky said.
Introduced on
January 20 by state Senator Reuven Carlyle, the Washington Privacy Act would create
new responsibilities for companies that handle consumer data, including the implementation
of data protection processes and the development and posting of privacy policies.
Already, the bill has gained warm reception from corporate and nonprofit actors. Washington-based tech giant Microsoft said it was encouraged, and Consumer Reports welcomed the thrust of the bill, while urging for even more improvements.
“This new draft is definitely a step in the right direction
toward protecting Washington residents’ personal data,” said Consumer Reports
Director of Consumer Privacy and Technology Policy Justin Brookman. “We do hope
to see further improvements to get rid of inadvertent loopholes that remain in
the text.”
What the Washington Privacy Act would do
Like the many US data privacy bills introduced in the past
18 months, the Washington Privacy Act approaches the problem of lacking data
privacy with two prongs—better rights for consumers, tighter restrictions for
companies.
On the consumer side, the Washington Privacy Act would grant several new rights to Washington residents, including the rights to access, correct, delete, and port their data. Further, consumers would receive the right to “opt out” of having their personal data used in multiple, potentially invasive ways. Consumers could say no to having their data sold and to having their data used for “targeted advertising”—the somewhat inescapable practice that results in advertisements for a pair of shoes, a fetching sweater, or an 4K TV following users around from device to device.
Consumers could exercise their rights with simple requests to the companies that handle their data. According to the bill, these requests would require a response within 45 days. If a company cannot meet that deadline, it can file for an extension, but it is required to notify the consumer about the extension and about why it could not meet the deadline.
Further, unfulfilled requests are not a dead end for
consumers—companies must also offer an appeals process to the consumers whose
requests they deny or do not fulfil. Requests must also be responded to free of
charge, up to two times a year per consumer.
Perhaps one of the most welcome provisions in the bill is its anti-discrimination rules. Companies cannot, the bill says, treat consumers differently because of their choices to exert their data privacy rights. On the surface, that makes dangerous ideas like “pay-for-privacy” schemes much harder to enact.
Concerning new business regulations, the Washington Privacy Act separates the types of companies it applies to into two categories: “controllers” and “processors.” The two terms, borrowed from the European Union’s General Data Protection Regulation (GDPR), have simple meanings. “Controllers” are the types of entities that actually make the decisions about how consumer data is collected, shared, or used. So, a small business with just one employee who decides to sell data to third parties? That’s a controller. A big company that decides to collect data to send targeted ads? That’s a controller, too.
Processors, on the other hand, are akin to contractors and
subcontractors that perform services for controllers. So, a payment processor
that simply processes e-commerce transactions and nothing more? That’s a processor.
The Washington Privacy Act’s new rules focus predominantly
on “controllers”—the Facebooks, Amazons, Twitters, Googles, Airbnbs, and
Oracles of the world.
Controllers would have to post privacy policies that are “reasonably
accessible, clear, and meaningful,” and would include the following
information:
- The categories of personal data processed by the controller
- The purposes for which the categories of personal data are processed
- How and where consumers may exercise their rights
- The categories of third parties, if any, with whom the controller shares personal data
If controllers sell personal data to third parties, or
process it for targeted advertising, the bill requires those controllers to
clearly disclose that activity, along with instructions about how consumers can
opt out of those activities.
Separately, controllers would need to perform “data
protection assessments,” in which the company looks at, documents, and
considers the risks of any personal data processing that involves targeted
advertising, sale, and “profiling.”
The regulation of “profiling” is new to data privacy bills.
It’s admirable.
According to the bill, “profiling” is any form of automated
processing of personal data to “evaluate, analyze, or predict personal aspects
concerning an identified or identifiable person’s economic situation, health,
personal preference, interests, reliability, behavior, location, or movements.”
In today’s increasingly invasive online advertising economy,
profiling is omnipresent. Companies collect data and create “profiles” of
consumers that, yes, may not include an exact name, but still include what are
considered vital predictors about that consumer’s lifestyle and behavior.
These new regulations make the Washington Privacy Act stand
out amongst its contemporaries, said Stacey Gray, senior counsel with Future of
Privacy Forum.
“The big picture of the bill is that includes the same
individual rights as the California Consumer Privacy Act—of access, sale, et
cetera—and then more,” Gray said. “The right to correct your data, to opt out
of targeted advertising, and out of profiling—that is further on the individual
rights side.”
Gray added that the bill’s business obligations also go further than those in the CCPA, naming the data risk assessments previously discussed.
The Washington Privacy Act includes several more business
obligations, all of which add up to meaningful data protections for consumers.
For instance, companies would need to commit to data minimization principles,
only collecting consumers’ personal data that is necessary for expressed
purposes. Companies would also need to obtain affirmative, opt-in consent from
consumers before processing any “sensitive data,” which is any data that could
reveal race, ethnicity, religion, mental or physical health conditions or
diagnoses, sexual orientations, or citizenship and immigration statuses.
But perhaps most intriguing in the Washington Privacy Act is
its regulation of facial recognition technology.
Facial recognition provisions
In 2019, Washington state lawmakers crafted a bill aimed at improving the data privacy protections of consumers. They called it… the Washington Privacy Act. That original bill, which has now been substituted the 2020 version, included provisions on the commercial use of facial recognition.
On its face, the new rules looked good: Companies that used
facial recognition tech for commercial purposes would have to obtain consent
from consumers “prior to
deploying facial recognition services.”
Unfortunately,
the original bill’s very next sentence made that consent almost meaningless.
According to that
bill, consumer “consent” could be obtained not by actually asking the consumer
about whether they agreed to having their facial data recorded, but instead, by
posting a sign on a company’s premises.
As the bill
stated:
“The placement of
conspicuous notice in physical premises or online that clearly conveys that
facial recognition services are being used constitute a consumer’s consent to
the use of such facial recognition services when that consumer enters those
premises or proceeds to use the online services that have such notice, provided
that there is a means by which the consumer may exercise choice as to facial
recognition services.”
The length of the
explainer is as broad as the exception it allows.
This loophole upset
several privacy rights advocates who, in February 2019, sent a letter to key
Washington lawmakers.
“[W]hile the bill purportedly requires consumer consent to the use of facial recognition technology, it actually allows companies to substitute notification for seeking consent—leaving consumers without a real opportunity to exercise choice or control,” the letter said. It was signed by Consumer Reports, Common Sense, Electronic Frontier Foundation, and Privacy Rights Clearinghouse.
The 2020 bill closes this loophole, instead requiring
affirmative, opt-in consent for commercial facial recognition use, along with
mandatory notifications—such as signs—in spaces that use facial recognition
technology. The new bill also requires processors to open up their
data-processing tools to outside investigation and testing, in an effort to
root out what the bill calls “unfair performance differences across distinct
subpopulations,” such as minorities, disabled individuals, and the elderly.
Moving the
Washington Privacy Act forward
Despite the 2019
Washington Privacy Act gaining swift approval in the Senate two months after
its January introduction, the bill ultimately failed to reach the House.
Multiple factors led to the bill’s failure, including the bill’s definitions
for certain terms, its approach to enforcement, and its treatment of facial
recognition.
Some of those
same obstacles could come up for the 2020 bill, Gray said.
“If this bill does not pass this year, that’s where we might see a source of conflict—is either with the facial recognition provisions, or with enforcement,” Gray said. For enforcement to take hold, Gray said the Attorney General’s office—tasked with regulation—will need increased funding and staffing. Further, there will likely be opposition to the bill’s lack of “private right of action,” which means that consumers will not be able to individually file lawsuits against companies that they allege violated the law. This issue has been a sticking point for data privacy legislation for years.
Still, Gray said, the bill shows improvement from its 2019 version, which could help push it forward.
“All things
aside,” Gray said, “we’re more optimistic than last year about it passing.”
The post Washington Privacy Act welcomed by corporate and nonprofit actors appeared first on Malwarebytes Labs.