The bill would have been the second of its kind in the nation, but the gap between the version supported by the tech industry, and the more stringent version favored by privacy groups, proved too big to close.
A large privacy bill in Washington state that had been expected to pass this session has failed to do so.
The Washington Privacy Act (WPA) would have been the second of its kind in the nation, a regulatory framework designed to tackle big tech and consumer issues like facial recognition software and consumer data.
A fraught legislative process saw it heralded as a bill made in the image of other major privacy bills — the EU’s General Data Protection Regulation or the California Consumer Privacy Act — while its detractors consistently argued it lacked proper consumer protections and was too influenced by lobbying efforts from tech companies.
After being introduced in January and passing overwhelmingly in the Senate two months later, the bill stalled in committee, failing to come to the House floor for a vote. While there is still technically an opportunity for the bill to advance, it is not expected to be discussed again this session, said Alex Alben, the state’s chief privacy officer.
The bill’s primary sponsor, Sen. Reuven Carlyle, D-Seattle, took to social media Thursday, saying that he was committed to seeing legislation passed next year.
“We built alignment that well-crafted, strong #dataprivacy is imperative to consumers and society. Unfortunately, House failed to pass privacy legislation this year. We're committed to 2020,” Carlyle tweeted.
Why the bill failed is a matter of who you ask. Proponents of the bill have said it was purely a matter of the House and Senate not being able to get on the same page, while privacy rights activists have laid blame for the irresolution on the tech industry and its resistance to certain consumer protections that some legislators wanted to include.
The WPA went through a large number of revisions since its introduction in January, with a flurry of amendments and adjustments taking place over the last few weeks of negotiations. Ultimately, a number of critical policy issues proved too contentious for consensus to emerge, said 11th District Rep. Zack Hudgins, who chairs the House’s Innovation, Technology and Economic Development committee, and was involved with the bill.
One of the most argued issues was the bill's approach to the regulation of facial recognition software, Hudgins said. Critics, many of which supported a total moratorium on the technology, have argued that face recording victimizes minority demographics, and presents a more generalized threat to civil liberties. Most versions of WPA allowed a looser approach to the technology, with proponents of more lax regulations — often industry groups — arguing the bill struck "the right balance" of permissiveness and restriction.
Meanwhile, enforcement proved another stumbling block. The Washington bill differed from the GDPR and the CPPA in that it did not allow for a private right of action — that is, the ability of individuals to sue companies if they infringed upon their rights. Instead, the WPA ceded the role of enforcement to the state's Attorney General’s Office, which would have acted parens patria — on behalf of a collective of people presumably affected by corporate malfeasance. The lack of private right of action within the bill was something that some legislators and activists consistently criticized.
Discussions also came to a head over the issue of basic definitions for bill terms, said Hudgins. Overly broad wording for certain key terms led to a fear that companies would be able to "put almost anything into a user agreement," he said. "That's where I thought the bill could have been better and stronger; there were some of these [rhetorical] loopholes in it."
Privacy rights activists have alleged that the state’s tech industry had a disproportionate influence in crafting the legislation.
Industry representatives from companies, including Microsoft, were consistently involved in the negotiations and had a visible presence at most public meetings associated with the bill, according to those knowledgable about the situation.
Furthermore, many of those same representatives publicly criticized another privacy bill with stronger consumer protections that was drafted by the ACLU and introduced in January, according to Shankar Narayan, the director of the organization's Washington chapter. When that bill floundered, industry figures then rallied around Carlyle's bill, which had looser regulation and fewer protections, he said.
"Overall, we really see this [bill] as big tech attempting to preempt meaningful regulation by seizing control of the process themselves, essentially writing a bill and putting a ton of resources and pressure on the legislature to pass it without a real public process,” said Narayan, in an interview with Government Technology.
Hudgins said he wasn’t sure it was fair to characterize tech companies’ influence as “disproportionate,” but said they were very involved in the process.
“I can tell you that the industry was spending a lot of time on the bill,” Hudgins said. “There were a lot of lobbyists. There was a lot of discussion. They were in the room. There were a lot of meetings. I don’t know if it was disproportionate or not, but they were very involved with the bill all the way through the process.”
Closed-door meetings hosted and facilitated by the governor’s office during the final stretch of negotiations saw invitations to a cadre of senators and representatives, as well as to officials from Amazon, Comcast, Microsoft, and the Association of Washington Business, emails provided by the ACLU show. However, other consumer interest groups were left out of the picture when they should have been included, said Narayan.
“There was a discussion about why there weren’t other voices in the room,” Hudgins said, of the closed-door meetings. “It certainly doesn’t look good when you’ve only got industry folks there and not consumer voices. Certainly the elected officials are there to help protect consumers.”
Even as Washington failed to pass the WPA, it seems clear that comprehensive privacy legislation is on the rise. Texas, Massachusetts, New York and other states have seen bills introduced this year that would seek to accomplish similar ends.
Looking to the future, Hudgins said it would be important to take the lessons learned from this session when legislators tried again next year.
There is discussion underway of allocating funds from the fiscal budget to put together a task force to study the issues under consideration in the bill, he added.
“The hope is that we’ve learned we need to have more voices in the room if we discuss these issues,” Hudgins said. “Especially around facial recognition, we need to make sure that the communities who are most affected by this technology are in the room. ...We need a broader and more robust discussion in order to find better agreement.”
Narayan, speaking for the ACLU, said in an email that he hopes next year the process is more inclusive. "We are hopeful that if the bill does not come back, a meaningful stakeholder process can begin in the legislative interim, with consumer rights and impacted community advocates at the table," he said.
Looking for the latest gov tech news as it happens? Subscribe to GT newsletters.