A series of privacy bills have been introduced in Washington state, but they present conflicting regulatory visions and their sponsors don't necessarily see eye-to-eye.
After what was designed to be the state's landmark privacy law failed to materialize last year, its primary sponsor, Sen. Reuven Carlyle, D-Seattle, has introduced Senate Bill 6281, which he hopes will be able to appeal to a diversity of stakeholders in its pursuit of an overarching policy framework.
The bill, whose stipulations apply to companies with 100,000 customers or more, set out a framework in which consumers have "data rights of access, correction, deletion, data portability and opt out of the processing." However, the bill has also left out several consumer privileges long sought by privacy rights activists, like a private right action provision, which would allow individuals to sue technology companies for abuses and leaves enforcement authority instead to the state's attorney general.
"When the previous bill didn't pass the House, we spent an incredibly robust six-plus months since the last session working with stakeholders, working with consumer privacy groups and advocates [and the House] ... in a thorough, expansive effort to reach consensus so that we can move forward," Carlyle said, speaking with Government Technology.
Those stakeholders included powerful technology lobby groups like CompTIA, TechNet, and the Internet Association. Carlyle said he also took input from consumer and civil rights groups like Consumer Reports and the American Civil Liberties Union (ACLU), which he said were sometimes involved in negotiations over bill language with industry representatives.
But some of those rights groups have actually lined up behind several opposing pieces of legislation introduced by Rep. Norma Smith, R-Clinton. Smith, who is the ranking member of the state's House Innovation, Technology and Economic Development Committee, has worked together with the ACLU and other consumer groups to craft five bills that would create consumer rights over a person’s data and biometric identifiers.
Smith's legislation would do a number of things to expand consumer rights. They include creating a charter of consumer data rights around which companies would have to structure their data policies as well as transforming the office of the state's chief privacy officer from an appointed one to an elected one, making it more accountable to the public. It would also provide for a private right of action and force data brokers to register with the state, among other things.
Smith said that Carlyle's legislation leaves numerous loopholes that will allow companies to take get away with privacy abuses.
"It is a very corporate-centric bill," she said. "You [should] start with a consumer focus. You build a bill that really empowers consumers, that provides clear direction as regards to the corporate responsibility ... and then [provide] strong enforcement mechanisms."
Smith also provided GT with copies of letters from the Consumer Federation of America, a consumer lobbying group, which were submitted to the Senate and House that argue Carlyle's legislation would "do little to change business practices built on exploiting individuals’ personal information for profit or provide meaningful privacy protections for Washingtonians," and were overly influenced by "Big Tech."
"I just have a different policy view," Carlyle said, responding to Smith's criticism. "Her work is very thoughtful ... I think her policy position is just as legitimate as the approach I'm taking on."
Carlyle said that his bill, which is built to take on the abuses of large companies, has been instructed by large privacy bills that came before it and that the law, should it pass, would continue to evolve and be adapted to improve consumer rights.
"What we learned from GDPR and from California is that [it's important to] get the larger entities data right relative to the consumer's right to opt out, delete and correct, [which] then allows us to learn and bring smaller businesses onboard down the road as we fine tune, rather than thrusting this obligation on every single industry in every single sector," he said.
"I don't think that we're ever going to be done dealing with the regulatory framework of consumer data and the issue of privacy. We're living in a new era," he said.