By: Stacey Gray and Gabriela Zanfir-Fortuna *
We wrote last week that Washington State seems poised to become the second US state to pass a major comprehensive privacy bill. The proposed Washington Privacy Act (WPA) would be mostly aligned with the EU’s GDPR, the global gold standard for data protection (although there are still some significant differences). Read our full comparison of the WPA with GDPR and other privacy laws. At a minimum, the WPA goes much further than the California Consumer Privacy Act (CCPA). Perhaps the most significant difference between the WPA and CCPA is that the WPA would require companies and even non-profits to obtain affirmative (“opt in”) consent for the collection of sensitive data, including biometric data and geolocation data.
Despite this, some lawmakers in Olympia have expressed skepticism over a bill that contains a variety of potential weaknesses, wondering if it might be worse than no bill at all. This is surprising given the overall strength of the proposed WPA compared to anything that has come before it in the United States. Are Washington policymakers letting the perfect be the enemy of the good?
We offer a few observations on the process unfolding in Washington:
- The Overton window for privacy law in the United States has shifted dramatically. Even two years ago, it would have been considered impossible to advance a US privacy law that defined personal data and processing as broadly as WPA, promoted fair information practice principles, or created such a robust set of rights for data subjects. In contrast, WPA — while by no means perfect — would begin to give Washingtonians comparable rights to those enjoyed in the EU, and non-EU countries following the same comprehensive privacy protection model, such as South Korea, Japan, or Brazil.
- Enforcement of a comprehensive law, even if only by the Attorney General, could immediately change (and halt) current business models that pose serious privacy risks. Currently, there are no comprehensive rules in place restricting the collection and use of personal information about Washingtonians (aside from basic state consumer protections against unfair and deceptive practices). Looking seriously at the proposed WPA’s provisions for affirmative consent for “sensitive data” (Section 3(34) and Section 8(7)), the law could be implemented right away to stop mobile apps from sharing location data without consent; to stop companies like Clearview AI from creating facial recognition tools to identify users based on their facial features without consent; and to stop the use or sale of genetic data beyond the purposes to which individuals consented. Furthermore, the potential fines could be remarkably high — at $7500 per violation (the same as under the CCPA for intentional breaches of the law), multiplied by the number of consumers affected by a violation (easily scalable to large numbers when device data or large platforms are involved), a fine under the WPA could easily meet or exceed the EU’s total cap of 4% of global revenue.
- Lawmakers have a range of options for meaningful enforcement — and context matters. The Washington Senate chose to exclude a private right of action from the WPA, a decision met with criticism by others who prefer strong judicial remedies. Without individual enforcement, the WPA’s enforcement framework would be significantly different from the GDPR, which provides very strong mechanisms for individuals to enforce their own rights. Yet the context of this US-EU distinction is critical: lawmakers must consider the unique role of contingency-based class actions in the United States, combined with the nascency of the law. Enforcement rights under the GDPR are very strong — individuals have the right to sue in court, to file complaints with their regulator (Data Protection Authorities or DPAs), and in some cases to be represented by non-profit organizations (NGOs). However, the legal culture and procedural norms for large, contingency-based multi-district lawsuits are simply not a current feature of EU law. While there are benefits to class action litigation facilitated by private rights of action, Washington lawmakers have expressed sincere concerns about the potential impact on legitimate business models under a comprehensive law that would govern the entire digital economy, and concerns over the limited ability of even very large financial settlements to meaningfully compensate consumers. Furthermore, companies in the EU have been required to comply with comprehensive EU-level privacy and data protection rules since the 1995 Data Protection Directive. By the time the GDPR took effect in 2018 (with the potential for 4% fines), the EU had a longstanding history of privacy and data protection legal compliance and guidance, which makes a significant difference when it comes to being ready for strong enforcement. Washington could follow this path in the future, or consider a range of other options for compromise.
- Once adopted, the WPA could be updated and improved over time. It is important to craft a clear, consistent, thoughtful privacy law that strikes the right balances, especially if it will serve as a model for other states. This is even more important when one considers that the WPA, along with the CCPA and possibly other state models, is likely to influence the debates over a federal law. We saw a similar process after the CCPA was passed by the California Assembly: it was amended at least eight times within months after being adopted and continues to be modified through Attorney General rulemaking. It is also likely to be significantly expanded by a new 2020 ballot initiative that would add substantive new protections for Californians. Similarly, lawmakers in Washington can return to revise and update the law over time, taking into account realities on the ground. Continuing feedback from advocates, companies, the state’s Chief Privacy Officer, and the Attorney General will be crucial to a well-functioning law over the long run. In the meantime, though, Washingtonians would already enjoy a set of privacy protections not yet available anywhere in the United States.
If Washington lawmakers choose not to pass a comprehensive privacy law in 2020, they may miss an important opportunity to lead the nation and establish privacy protections for Washington residents. In the absence of a baseline national consumer privacy law, however, we expect debates to continue as state legislators across the United States continue to tackle these important questions.
* Stacey Gray is a Senior Counsel leading FPF’s US federal and state legislative analysis, outreach, and policymaker education ([email protected]). Gabriela Zanfir-Fortuna is an EU Senior Counsel, leading FPF’s EU and global privacy efforts, and formerly worked for the European Data Protection Supervisor in Brussels ([email protected]).