Drivers and passengers expect cars to be safe, comfortable, and trustworthy. Individuals often consider the details of their travels—and the vehicles that take them between their home, the office, a hospital, their place of worship, or their child’s school—to be sensitive, personal data.
The newest cars contain numerous sensors, from cameras and GPS to accelerometers and event data recorders. Carmakers, rideshare services, tech companies, and others are increasingly using data about cars to reduce emissions, manage traffic, avoid crashes, and more. The benefits of connected vehicles for individuals, communities, and society are clear. So are the privacy risks posed by increased collection, use, and sharing of personal information about drivers, passengers, cyclists, and pedestrians.
It is crucial that companies, advocates, academics, technical experts, and policymakers craft creative solutions that promote the benefits of connected vehicles while mitigating the privacy risks. Global legal frameworks have a role to play in assuring meaningful data protection and promoting trust, as do voluntary, enforceable codes of conduct and technical standards.
However, it is plain that entities must look beyond legal obligations and consider how they will earn and maintain consumer trust. With this white paper, Otonomo has taken an important step to advance the dialogue on connected car data privacy.
Originally released in October 2019, Otonomo’s Privacy Playbook for Connected Car Data presents nine plays for putting privacy at the center of your data business practices.
Award-Winning Paper: "Privacy Attitudes of Smart Speaker Users"
For the tenth year, FPF’s annual Privacy Papers for Policymakers program is presenting to lawmakers and regulators award-winning research representing a diversity of perspectives, including those from students and academics. Among the papers to be honored at an event at the Hart Senate Office Building on February 6, 2020 is Privacy Attitudes of Smart Speaker Users by Nathan Malkin, PhD student in computer science at University of California, Berkeley, and his coauthors. The study surveys privacy attitudes of smart speaker users and presents an evaluation of users’ comprehension and use of existing privacy settings and controls.
In Privacy Attitudes of Smart Speaker Users, study authors Nathan Malkin, Joe Deatrick, Allen Tong, Primal Wijesekera, Serge Egelman, and David Wagner surveyed 116 owners of Amazon and Google smart speakers.
In an effort to understand whether smart speaker users are making informed decisions about the privacy consequences and controls offered by smart speakers, the authors used recordings of real interactions between the study participants and their devices. The authors found that “almost half did not know that their recordings were being permanently stored and that they could review them; only a quarter reported reviewing interactions, and very few had ever deleted any.” The authors found that the way smart speakers default to permanent storage of interactions with users places an “undue burden” on the user, and “is almost certain to result in most interactions going unreviewed.” However, the authors observe that, after the conclusion of the study, both Google and Amazon updated their voice assistants to allow for automatic data deletion after three or 18 months (Google) or the deletion of a day’s worth of recorded interactions (Amazon).
While more than 71% of smart speaker users had not raised privacy concerns related to their device in the past, the authors are careful to state that people are not “apathetic” about their privacy. Instead, people’s acceptance of smart speakers is tied closely to what is happening with their data, as well as the specific subjects in the speaker’s recordings. According to the study, more than 72% of users found recordings reviewed by a computer to be acceptable, while users were more likely to view human review of recordings as unacceptable. Additionally, users found certain interactions with smart speakers more sensitive than others. Recordings of children, financial information, sexual or medical topics, locations, and personally identifying information were viewed as particularly sensitive.
The authors conclude that privacy controls on smart speakers are underutilized. Based on the views of study participants, the authors suggest that voice assistants adopt shorter retention periods, despite the fact that users did not feel that their stored recordings presented a grave privacy danger. The authors may have revealed an important insight about individual perspectives on privacy: “people seem more protective of the privacy of others” than their own privacy.
If you’re interested in reading more about the attitudes of smart speaker users toward privacy, you’ll want to check out the full paper.
The Privacy Papers for Policymakers project’s goal is to put diverse academic perspectives in front of policymakers to inform the development of privacy legislation. You can view all of this year’s award-winning papers on the FPF website.
The Future Is Now: FPF at CPDP2020
Computers, Privacy and Data Protection (CPDP) Conference 2020 commences next week in Brussels, bringing together academics, data protection authorities, policymakers, data scientists, and civil society to network, exchange ideas, and talk over the latest trends. Check out the panels and events FPF will be participating in below.
Algorithmic Regulation of Transportation
Wednesday, January 22 at 11:45, Petite Halle
We are bringing together experts across the privacy, mobility, and civic space to discuss the challenges of transforming—and enforcing—transportation regulations through the use of code and algorithms. This panel aims to build upon the issue as framed by the ITIF report released earlier this year, which introduced multiple potential frameworks for integrating automated enforcement mechanisms in the transportation industry. At CPDP, we hope to reexamine this issue with the specific lens of privacy and data protection and ultimately, identify concrete steps cities and mobility operators can take to share data responsibly. Specific questions we hope to address in this panel:
What is the proper role of governments in regulating mobility companies, and further, individual users of those companies?
What obligations do cities have under the GDPR in the context of collecting data from the private sector? What does this mean in practice?
Where does automated regulation meet surveillance? Does one enable the other? Is one a use case of the other? What are the ethical considerations?
How can cities demonstrate preparedness to ingest large volumes of data? How do we develop privacy and security standards that can be feasibly adopted by both the public and private sector?
The speakers are Simon Hania, Uber; Ger Baron, City of Amsterdam; Karen Vancluysen, Polis; and Kara Selke, Streetlight Data. The panel is moderated by Rob van Eijk, FPF.
The Future Is Now: Autonomous Vehicles, Trolley Problem(s) and How to Deal with Them
Wednesday, January 22 at 14:15, Petite Halle
Autonomous and highly automated vehicles are likely the first product that will bring AI to the masses in a life-changing way. They rely on AI for a variety of uses: from mapping, perception and prediction, to self-driving technologies. Their promise is great: increasing the safety and convenience of our cities and roads. But so are the challenges that come with it, from solving life and death questions to putting in place a framework that works for the protection of fundamental rights of drivers, passengers and everyone physically around them. This panel proposes an EU-US comparative perspective to discuss essential questions. Are existing legal frameworks well-equipped to deal with these challenges? How much data and what type of data runs through all systems of an autonomous vehicle? What rights are affected? What ethical considerations might play into decision-making algorithms around accidents?
How are highly automated and autonomous vehicles using AI?
How are regulators around the world managing the data and AI used in highly automated and autonomous vehicles?
What are the benefits of autonomous vehicles and what are the risks to individual rights? How can they be balanced?
What lessons might be learned from this space for other applications of AI? (regulatory or otherwise)
Moderated by IAPP’s Trevor Hughes, the panel includes speakers Sophie Nerbonne, Director of Economic Co-Regulation, CNIL; Andreea Lisievici, Volvo Cars; Chelsey Colbert, FPF; and Mikko Niva, Vodafone.
Turning the Tables: Academics in the Hot Seat
Wednesday, January 22 at 16:00, Grande Halle
In numerous privacy and data protection conferences and workshops, academics moderate discussions between policymakers, regulators and industry players. Academics are tough inquisitors and harsh critics, pointing out the shortcomings of legislation, the slow turn of the wheels of justice, the practical challenges of enforcement and the tangled web of interests of businesses. In this session we turn the tables. Helen Dixon, Data Protection Commissioner for Ireland, will be asking the questions. The academics will be in the hot seat providing direct and complete answers. Are their theories sound and coherent? Do they influence the world outside the ivory tower? Did their writings withstand the test of time?
The gap between the theory and practice of privacy and data protection
The role for higher education in developing a privacy and data protection workforce
The implications of privacy as a fundamental right, as trust and as a techno-social safety valve
Differences and similarities between privacy and data protection scholarship in the US and EU
Speakers include Franziska Boehm, Karlsruhe Institute of Technology; Neil Richards, Washington University School of Law; Omer Tene, IAPP; Gabriela Zanfir-Fortuna, Future of Privacy Forum. The session will be moderated by Helen Dixon, Data Protection Commissioner for Ireland.
SIDE EVENT
Masterclass: Understanding Machine Learning
Thursday, January 23 from 16:00-18:00, Area 42, 46 Rue des Palais, 1030 Bruxelles, Belgium
This Masterclass is aimed at policymakers, law scholars, social scientists and others who want to more deeply understand the data driven technologies that are front of mind for data protection discussions. Structured as an interactive lesson, technology experts will present a training session focused on Artificial Intelligence and Machine Learning.
Attendees will be provided with a copy of “The Privacy Expert’s Guide to Machine Learning” and will join leading machine learning experts for a presentation geared at bringing the details of the technology to an audience without an in-depth computer science background. In addition to a primer on the basics of the field, issues of particular consequence to policymakers such as fairness, bias, and data minimization will be examined.
Expert Speakers:
Reuben Binns – Postdoctoral researcher in Computer Science at the University of Oxford
Richard Tomsett – IBM Emerging Technology; Emerging Technology Specialist
Nicholas Schmidt – Partner, BLDS LLC; Head of the AI/ML Practice
If you would like to discuss FPF’s expanding activities in Europe, please contact us at [email protected].
FPF Welcomes New Staff to Focus on Artificial Intelligence and Mobility
FPF is pleased to announce the addition of two new members to its team, Dr. Sara Jordan and Chelsey Colbert.
As individuals’ personal data is increasingly used by algorithmic systems that employ machine learning and artificial intelligence technologies, the benefits to consumers, businesses and society are evident, but so are the privacy risks. In her role as policy counsel, Sara will lead FPF’s efforts to create an ethical review process that can provide trusted vetting of research projects. She will also support the organization’s work on artificial intelligence and machine learning and emerging ethical questions relating to privacy and data protection.
Her profile includes privacy implications of data sharing, data and AI review boards, privacy analysis of AI and Machine Learning (AI/ML) technologies, and analysis of the ethics challenges of AI/ML. Sara is an active member of the IEEE Global Initiative on Ethics for Autonomous and Intelligent Systems. Prior to working at FPF, Sara was faculty in the Center for Public Administration and Policy at Virginia Tech (2014-2020) and in the Department of Politics and Public Administration at the University of Hong Kong (2007-2013).
Similarly, individuals’ geolocation data is increasingly collected, used, and shared as part of businesses ranging from connected cars and scooter rentals to mobile apps and online advertising. While FPF recognizes the benefits of geolocation data that lead to the development of safer vehicles and more personalized services, we acknowledge the privacy risks associated with sensitive data use. Chelsey will serve as policy counsel, leading FPF’s portfolio on mobility and location data, including connected cars, autonomous vehicles, ride-sharing, micro-mobility, drones, and robotics.
Prior to FPF, Chelsey was an associate at an international business law firm in Canada and was seconded as in-house privacy and data governance counsel to Sidewalk Labs, an Alphabet company that designs and builds urban innovations to help cities meet their biggest challenges. Chelsey holds a J.D. with a major in technology law and policy from the University of Ottawa.
FPF to Present First-Ever Research Data Stewardship Award
Nominations Requested by March 12, 2020
Today, the Future of Privacy Forum (FPF) is announcing a first-of-its-kind award recognizing privacy protective research collaboration between a company and academic researchers. When privately held data is responsibly shared with academic researchers, it can support significant progress in medicine, public health, education, social science, and other fields.
With this in mind, FPF is requesting nominations for its Award for Research Data Stewardship. The goal is to promote the safe use and transfer of privately held company data to academic institutions for study and analysis. The award is supported by the Alfred P. Sloan Foundation, a not-for-profit grantmaking institution that supports high-quality, impartial scientific research and institutions.
“Increasingly, the challenges facing our society – health, transportation, education – are being addressed by independent research on consumer data collected by private companies,” said Jules Polonetsky, CEO of the Future of Privacy Forum. “This award recognizes projects that minimize potential privacy risks while helping academics access corporate data for research that benefits society.”
Academics and their corporate partners are invited to nominate a successful data-sharing project that reflects privacy protective approaches to data protection and ethical data sharing. Nominations will be reviewed and selected by an Award Committee comprised of representatives from FPF, leading foundations, academics, and industry leaders. Nominated projects will be judged based on several factors, including their adherence to privacy protection in the sharing process, the quality of the data handling process, and the company’s commitment to supporting the academic research. The award winner will be notified by Monday, March 16, 2020.
FPF will present the award at an April 6, 2020 gala in Washington, DC to a member of the academic research team and a senior executive at the company that provided the data. Applicants should apply by filling out the corporate and academic nomination forms by Thursday, March 12, 2020. Self-nominations and nominations from the public are welcome. Read more about the award, event, and more in the call for nominations, and email Kelsey Finch, FPF Senior Counsel, at [email protected] with any questions.
FPF Director of AI & Ethics Testifies Before Congress on Facial Recognition
WASHINGTON, D.C. – In a hearing today before the House Committee on Oversight and Reform, Future of Privacy Forum (FPF) Senior Counsel and Director of AI and Ethics Brenda Leong testified on the privacy and ethical implications of the commercial use of facial recognition technology.
“Technology has only accelerated the practice of identification and tracking of people’s movements, whether by governments, commercial businesses, or some combination thereof, leading to the real concerns about an ultimate state of ubiquitous surveillance,” wrote Leong. “How our society faces these challenges will determine how we move further into the conveniences of a digital world, while continuing to embrace our fundamental ideals of personal liberty and freedom.”
In her testimony, Leong emphasized that “not every camera-based system is a facial recognition system,” and that the term facial recognition is often broadly and confusingly used in reference to other image-based technology that does not necessarily involve individual identification.
“Understanding how particular image-analysis technology systems work is a critical foundation for effectively understanding and evaluating the risks of facial recognition,” Leong noted in her written testimony. To help educate policymakers, consumers, and others about the varying levels of facial image software and associated benefits and risks, and privacy implications of each, FPF created the infographic, Understanding Facial Detection, Characterization, and Recognition Technologies.
Leong outlined a set of privacy principles created by FPF that should be considered as the foundation of any facial recognition-specific legislation, writing, “consent remains the critical factor, and should be tiered based on the level of personal identification collected or linked, and the associated increasing risk levels.” Leong highlighted that the default standard for consent should be “an ‘opt-in’ or ‘affirmative consent’ model consistent with existing FTC guidelines.”
As educational institutions across the country, including colleges and public school districts, consider the use of facial recognition technology on campus, Leong pointed to guidance in the privacy principles that calls for policymakers to: “Give special consideration to the age, sophistication, or degree of vulnerability of those individuals, such as children, in light of the purposes for which facial recognition technology is used, including whether additional levels of transparency, choice, and data security are required.” She also testified that “there is no good justification for the use of facial recognition in a K-12 school.”
In 2019, FPF held a webinar about facial recognition in schools and wrote to the New York State Legislature in support of a well-crafted moratorium on facial recognition systems for security uses in public schools, while cautioning against overly broad bans or language that might have unintended consequences on other security programs.
In her written testimony, Leong cited controversial developments surrounding the implementation of passports and the requirement that they include a photo, resistance to calls for a federally issued national ID card, and REAL ID requirements for state licensing as precedent for policymakers seeking to balance individual rights and freedoms with efficiencies and security.
“These historical discussions reflect the ongoing need to determine the appropriate balance of technological, legal and policy standards and protections, along with the underlying threshold question of whether some systems are simply too high risk to implement regardless of perceived benefits,” wrote Leong.
Award-Winning Paper: "The Many Revolutions of Carpenter"
For the tenth year, FPF’s annual Privacy Papers for Policymakers program is presenting to lawmakers and regulators award-winning research representing a diversity of perspectives. Among the papers to be honored at an event at the Hart Senate Office Building on February 6, 2020 is The Many Revolutions of Carpenter by Paul Ohm of Georgetown University Law Center. The paper’s detailed assessment of the 2018 Supreme Court opinion in Carpenter v. United States is an essential read for those interested in the changing conception of privacy in the criminal justice system.
The Supreme Court’s 2018 majority opinion in Carpenter v. United States, the author argues, is the most important Fourth Amendment opinion in decades. The opinion requires the police to obtain a warrant to access an individual’s historical whereabouts from the records of a cell phone provider.
Ohm states that Carpenter represents a new approach to the “reasonable expectation of privacy” test: “Until now, the Supreme Court has tended to pay more attention to the nature of the police intrusion required to obtain information than to the nature of the information obtained.” In Carpenter, the justices argued that individuals have a “reasonable expectation of privacy in the whole of their physical movements,” suggesting that data tracking those movements should be considered private and subject to warrant requirements.
Ohm notes that the Carpenter opinion serves as the death of the “third party doctrine” – an idea that holds that information a person voluntarily discloses to a third party is not protected by a reasonable expectation of privacy. The justices write: “the fact that the Government obtained the information from a third party does not overcome Carpenter’s claim to Fourth Amendment protection.” Ohm points out that the justices focused on the nature of the information rather than the structure of the database or its relation to the individual, likely ensuring that this opinion will apply to other massive collections of historical geolocation information.
Finally, Carpenter creates a previously unrecognized rule of “technological equivalence.” Ohm explains: “If a technology, or a near-future improvement, gives police the power to gather information that is the ‘modern-day equivalent’ of activity that has been held to be a Fourth Amendment search, the use of that technology is also a search.” The justices acknowledge that information technology is exceptional – different in kind, not merely in degree, from what has come before.
If you’re interested in reading more about how Carpenter v. United States represents an inflection point in Fourth Amendment court cases concerning privacy, you’ll want to check out the full paper.
The Privacy Papers for Policymakers project’s goal is to put diverse academic perspectives in front of policymakers to inform the development of privacy legislation. You can view all of this year’s award-winning papers on the FPF website.
Future of Privacy Forum Releases Analysis of Washington Privacy Act
FPF CEO: “Most comprehensive state privacy legislation proposed to date”
WASHINGTON, DC – January 13, 2020 – The Future of Privacy Forum today released an in-depth analysis of the Washington Privacy Act (Washington State Senate Bill 6281), as well as the following statement by Future of Privacy Forum CEO Jules Polonetsky about the bill:
“The Washington Privacy Act is the most comprehensive state privacy legislation proposed to date. The bill addresses concerns raised last year and proposes strong consumer protections that go beyond the California Consumer Privacy Act. It includes provisions on data minimization, purpose limitations, privacy risk assessments, anti-discrimination requirements, and limits on automated profiling that other state laws do not.”
According to the FPF analysis, the Act would be a holistic, GDPR-like comprehensive law that: (1) provides protections for residents of Washington State; (2) grants individuals core rights to access, correct, delete, and port data; (3) creates rights to opt out of sale, profiling, and targeted advertising; (4) imposes obligations to perform risk assessments; (5) requires opt-in consent for the processing of sensitive data; and (6) creates collection and use limitations. In addition, the Act contains provisions for controllers and processors utilizing facial recognition services.
It’s Raining Privacy Bills: An Overview of the Washington State Privacy Act and other Introduced Bills
By Pollyanna Sanderson (Policy Counsel), Katelyn Ringrose (Christopher Wolf Diversity Law Fellow) & Stacey Gray (Senior Policy Counsel)
Today, on the first day of a rapid-fire 2020 legislative session in the state of Washington, State Senator Carlyle has introduced a new version of the Washington Privacy Act (WPA). Legislators revealed the Act during a live press conference on January 13, 2020 at 2:00pm PST. Meanwhile, nine other privacy-related bills were introduced into the House today by Representative Hudgins and Representative Smith.
If passed, the Washington Privacy Act would enact a comprehensive data protection framework for Washington residents that includes individual rights that mirror and go beyond the rights in the California Consumer Privacy Act (CCPA), as well as a range of other obligations on businesses that do not yet exist in any U.S. privacy law.
“The Washington Privacy Act is the most comprehensive state privacy legislation proposed to date,” said Jules Polonetsky, CEO of the Future of Privacy Forum. “The bill addresses concerns raised last year and proposes strong consumer protections that go beyond the California Consumer Privacy Act. It includes provisions on data minimization, purpose limitations, privacy risk assessments, anti-discrimination requirements, and limits on automated profiling that other state laws do not.”
Earlier Senate and House versions of the Washington Privacy Act narrowly failed to pass last year in the 2019 legislative session. Read FPF’s comments on last year’s proposal. The version introduced today contains strong provisions that largely align with the EU’s General Data Protection Regulation (GDPR), and commercial facial recognition provisions that start with a legal default of affirmative consent. Nonetheless, legislators must work within a remarkably short timeframe to pass a law that can be embraced by both House and Senate within the next six weeks of Washington’s legislative session.
Below, FPF summarizes the core provisions of the bill, which if passed would go into effect on July 31, 2021. The Act would be a holistic, GDPR-like comprehensive law that: (1) provides protections for residents of Washington State; (2) grants individuals core rights to access, correct, delete, and port data; (3) creates rights to opt out of sale, profiling, and targeted advertising; (4) creates a nuanced approach to pseudonymised data; (5) imposes obligations on processors and controllers to perform risk assessments; (6) creates collection, processing, and use obligations; and (7) requires opt-in consent for the processing of sensitive data. In addition, the Act contains provisions for controllers and processors utilizing facial recognition services.
Read the Bill Text HERE. Read the 9 other bills introduced today at the end of this blog post (Below).
Update (1/21/20): A substitute bill was released on January 20 by Senator Carlyle and cosponsors (see PSSB 6281). At 10:00am on January 23, the Senate committee on Environment, Energy & Technology will hold a hearing on this and other bills.
1. Jurisdictional and Material Scope
The Act would provide comprehensive data protections to Washington State residents, and would apply to entities that 1) conduct business in Washington or 2) produce products or services targeted to Washington residents. Such entities must control or process data of at least 100,000 consumers; or derive 50% of gross revenue from the sale of personal data and process or control personal data of at least 25,000 consumers (with “consumers” defined as natural persons who are Washington residents, acting in an individual or household context). The Act would not apply to state and local governments or municipal corporations.
The Act would regulate companies that process “personal data,” defined broadly as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” The definition excludes de-identified data and publicly available information, meaning “information that is lawfully made available from federal, state, or local government records,” and the Act contains specific provisions for pseudonymous data (see below, Obligations for De-identified and Pseudonymous Data).
2. Individual Rights to Access, Correct, Delete, Port, and Opt-Out of Data Processing
The Act would require companies to comply with basic individual rights to request access to their data, correct or amend that data, delete their data, and access it in portable format (“portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data… without hindrance, where the processing is carried out by automated means”). These rights would not be permitted to be waived in contracts or terms of service, and would be subject to certain limitations (for example, retaining data for anti-fraud or security purposes).
Along with these core rights, the Act would also grant consumers the right to explicitly opt out of the processing of their personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal, or similarly significant, effects. Such effects include the denial of financial and lending services, housing, insurance, education enrollment, employment opportunities, health care services, and more. Unlike the CCPA, the Act would not prescribe specific opt-out methods (like a “Do Not Sell My Information” button on websites), but instead require that opt-out methods be “clear and conspicuous.” It would also commission a government study on the development of technology, such as a browser setting, browser extension, or global device setting, for consumers to express their intent to opt out.
For all of these individual rights, companies are required to take action free of charge, up to twice per year, within 45-90 days (except in cases where requests cannot be authenticated or are “manifestly unfounded or excessive”). Importantly, the law would also require that companies establish a “conspicuously available” and “easy to use” internal appeals process for refusals to take action. With the consumer’s consent, the company must submit the appeal to the Washington Attorney General, together with whether any action has been taken and a written explanation of the outcome. The Attorney General must make such information publicly available on its website. When consumers make correction, deletion, or opt-out requests, the Act would oblige controllers to take “reasonable steps” to notify third parties to whom they have disclosed the personal data within the preceding year.
Finally, the Act would prohibit companies from discriminating against consumers for exercising these individual rights. Such discrimination could include the denial of goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services.
3. Obligations for De-identified and Pseudonymous Data
Under the Act, companies processing “pseudonymous data” would not be required to comply with the bulk of the core individual rights (access, correction, deletion, and portability) when they are “not in a position” to identify the consumer, subject to reasonable oversight. Notably, the Act defines pseudonymous data consistently with the GDPR’s definition of pseudonymization, as “personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to [protect against identification].” This is also consistent with the Future of Privacy Forum’s Guide to Practical Data De-Identification. Pseudonymous data is often harder to authenticate or link to individuals, and can carry lessened privacy risks. For example, unique pseudonyms are frequently used in scientific research (e.g., in a HIPAA Limited Dataset, John Doe = 5L7T LX619Z).
In addition, companies may refuse to comply with requests to access, correct, delete, or port data if the company: (A) is not reasonably capable of associating the request with the personal data, or it would be unreasonably burdensome to associate the request with the personal data; (B) does not use the personal data to recognize or respond to the data subject, or associate the personal data with other data about the same specific consumer; and (C) does not sell personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor (service provider).
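To make the pseudonymization concept in the two paragraphs above concrete, here is an added example (it is illustrative code written for this summary, not anything from the bill, the GDPR, or FPF’s guide). It assumes keyed pseudonymization with HMAC-SHA256, a hypothetical ControllerVault that holds the key and the pseudonym-to-identifier map as the “additional information” kept separately, and a few constructed sample records. The controller, which holds the vault, can associate a deletion request with the pseudonymous rows and act on it; a recipient that holds only the pseudonymized rows cannot, which is the situation the refusal ground in clause (A) describes.

```python
import hashlib
import hmac

# Constructed sample records (not from the page): direct identifiers alongside the
# attributes a downstream research or analytics team actually needs.
SAMPLE_RECORDS = [
    {"name": "John Doe", "email": "john.doe@example.com", "zip3": "981", "visits": 3},
    {"name": "Jane Roe", "email": "jane.roe@example.com", "zip3": "980", "visits": 7},
]

DIRECT_IDENTIFIERS = ("name", "email")


class ControllerVault:
    """Hypothetical holder of the controller's separately kept 'additional information':
    the HMAC key and the pseudonym -> identifier map. Only this object can re-link rows."""

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use a key of at least 32 random bytes")
        self._key = key
        self._lookup = {}  # pseudonym -> original identifier, never shipped with the data

    def pseudonym(self, identifier: str) -> str:
        # Keyed hash: the same identifier maps to the same pseudonym under one key, so
        # rows can still be joined. An unkeyed hash of an e-mail address would be
        # reversible by anyone who can hash a list of candidate addresses.
        normalized = identifier.strip().lower().encode()
        digest = hmac.new(self._key, normalized, hashlib.sha256).digest()
        return digest[:8].hex().upper()

    def pseudonymize(self, record: dict) -> dict:
        pid = self.pseudonym(record["email"])
        self._lookup[pid] = record["email"]
        # Strip direct identifiers; keep only the attributes needed downstream.
        kept = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        return {"pid": pid, **kept}

    def resolve(self, pid: str):
        """Re-identify a pseudonym; only the controller holding this vault can do it."""
        return self._lookup.get(pid)


def delete_with_vault(dataset: list, vault: ControllerVault, email: str) -> int:
    """Controller side: it holds the key, so it can associate a deletion request with
    the pseudonymous rows and remove them. Returns the number of rows removed."""
    pid = vault.pseudonym(email)
    before = len(dataset)
    dataset[:] = [row for row in dataset if row["pid"] != pid]
    return before - len(dataset)


def associate_without_vault(dataset: list, email: str) -> list:
    """Recipient side (no key, no lookup table): all it can do is scan the rows it holds
    for the identifier, and pseudonymous rows no longer contain it."""
    return [row for row in dataset if email in row.values()]


if __name__ == "__main__":
    # A real deployment would draw the key from secrets.token_bytes(32) and store it
    # apart from the dataset; a fixed constructed key keeps this demo reproducible.
    vault = ControllerVault(bytes(range(32)))
    dataset = [vault.pseudonymize(r) for r in SAMPLE_RECORDS]
    print("pseudonymized rows:", dataset)
    print("recipient can associate:", associate_without_vault(dataset, "john.doe@example.com"))
    print("controller removed:", delete_with_vault(dataset, vault, "john.doe@example.com"))
    print("remaining rows:", dataset)
```

The design point is that the pseudonym is useless to the recipient on its own, yet the controller can still honor an access, deletion, or opt-out request because the key and lookup table stay on its side of the organizational boundary.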
Importantly, other requirements of the overall bill, including Data Protection Assessments (below), and the right to Opt Out of data processing for targeted advertising, sale, and profiling (above) would still be operational for pseudonymous data.
Finally, the Act would not apply to de-identified data, defined as “data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable natural person, or a device linked to such person,” subject to taking reasonable measures to protect against re-identification, including contractual and public commitments. This definition aligns with the FTC’s longstanding approach to de-identification.
Legislators revealing the Act during a live press conference on January 13, 2020 at 2:00pm PST.
4. Obligations of Processors (Service Providers)
In a structure that parallels the GDPR, the Act distinguishes between data “controllers” and data “processors,” establishing different obligations for each. Almost all of the provisions of the Act involve obligations that attach to a controller, defined as a “natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
Data processors, on the other hand, defined as a “natural or legal person who processes personal data on behalf of a controller,” must adhere (as service providers) to controllers’ instructions and help them meet their obligations. Notwithstanding controller instructions, processors must maintain security procedures that take into account the context in which personal data is processed; ensure that individuals processing the data understand their duty of confidentiality; and may only engage a subcontractor once the controller has had the chance to object. At the request of the controller, processors must delete or return personal data. Processors must also aid in the creation of data protection assessments.
5. Transparency (Privacy Policies)
The Act would require companies to provide a Privacy Policy to consumers that is “reasonably accessible, clear, and meaningful,” including making the following disclosures:
(i) the categories of personal data processed by the controller;
(ii) the purposes for which the categories of personal data are processed;
(iii) how and where consumers may exercise their rights;
(iv) the categories of personal data that the controller shares with third parties; and
(v) the categories of third parties with whom the controller shares personal data.
Additionally, if a controller sells personal data to third parties or processes data for certain purposes (i.e. targeted advertising), they would be required to clearly and conspicuously disclose such processing, as well as how consumers may exercise their right to opt out of such processing.
6. Data Protection Assessments
Companies would be required under the Act to conduct confidential Data Protection Assessments for all processing activities involving personal data, and again any time there are processing changes that materially increase risks to consumers. In contrast, the GDPR requires Data Protection Impact Assessments only when profiling leads to automated decision-making having a legal or significant effect upon an individual (such as credit approval), when profiling is used for evaluation or scoring based on aspects concerning an individual’s economic situation, health, personal preferences or interests, reliability or behavior, location or movements, or when it is conducted at large-scale on datasets containing sensitive personal data.
Under the WPA, in weighing benefits against the risks, controllers must take into account factors such as reasonable consumer expectations, whether data is de-identified, the context of the processing, and the relationship between the controller and the consumer. If the potential risks of privacy harm to consumers are substantial and outweigh other interests, then the controller would only be able to engage in processing with the affirmative consent of the consumer (unless another exemption applies, such as anti-fraud measures and research).
7. Sensitive Data
Companies must obtain affirmative, opt-in consent to process any “sensitive” personal data, defined as personal data revealing:
racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status;
genetic or biometric data for the purpose of uniquely identifying a natural person;
personal data from a known child; or
specific geolocation data (defined as “information that directly identifies the specific location of a natural person with the precision and accuracy below 1750 ft.”).
Although the Act requires consent to process data from a “known child,” an undefined term, it notably also exempts data covered by the Family Educational Rights and Privacy Act (FERPA) and entities that are compliant with the Children’s Online Privacy Protection Act (COPPA). The Act defines a child as a natural person under age thirteen, meaning it does not follow the approach of CCPA and other bills around the country that extend child privacy protections to teenagers.
8. Collection, Processing, and Use Limitations
In addition to consumer controls and individual rights, the Act would create additional obligations on companies that align with the GDPR:
Data Minimization & Purpose Specification – A controller’s collection of personal data must be “adequate, relevant, and limited” to what is necessary in relation to the specified and express purposes for which the data is processed.
Reasonable Security – Appropriate to the volume and nature of the personal data at issue, controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
Use Limitations – The Act would also create a duty to avoid secondary uses of data, absent consent, unless that processing is necessary or compatible with the specified or express purposes for which the data was initially gathered.
The obligations imposed by the Act would not restrict processing personal data for a number of specified purposes. Those exemptions include cooperating with law enforcement agencies, performing contracts, providing requested products or services to consumers, processing personal data for research, consumer protection purposes, and more. If processing falls within an enumerated exception, that processing must be “necessary, reasonable, and proportionate” in relation to a specified purpose. Controllers and processors are also not restricted from collecting, using, or retaining data for specific purposes such as conducting internal product research, improving product and service functionality, or performing internal operations reasonably aligned with consumer expectations.
9. Enforcement
The Act would not grant consumers a private right of action. Instead, it would give the Attorney General exclusive authority to enforce the Act. The Act would cap civil penalties for controllers and processors in violation of the Act at $7,500 per violation. A “Consumer Privacy Account,” in the state treasury, would contain funds received from the imposition of civil penalties. Those funds would be used for the sole purpose of the office of privacy and data protection. The Attorney General would also be tasked with compiling a report evaluating the effectiveness of enforcement actions, and any recommendations for changes.
10. Commercial Facial Recognition
In addition to its baseline requirements, the Act contains provisions specifically regulating commercial uses of facial recognition. The Act would require affirmative, opt-in consent as a default requirement, and place heightened obligations on both controllers and processors of commercial facial recognition services, particularly with respect to accuracy and auditing, with a focus on preventing unfair performance impacts. A limited exception is provided for uses such as counting the unique number of users in a space, when data is not maintained for more than 48 hours and users are not explicitly identified.
Definitions
The Act provides a number of core definitions that are relevant only to the facial recognition provisions (Section 18, the final section of the bill). Given the standalone nature of this section of the overall bill, the definitions can be very impactful. The term “facial recognition service” is defined as technology that analyzes facial features and is used for identification, verification, or persistent tracking of consumers in still or video images.
Additional definitions are as follows:
“Facial template” is the machine-extracted image from such a service.
“Facial recognition” encompasses both verification and identification.
“Verification” is matching a specific consumer previously enrolled (also known as one-to-one matching), and
“Identification” is seeking to identify an unknown consumer based on searching for a match in a gallery of enrolled images (also known as one-to-many matching).
“Enrollment” is the process of creating a facial template (or taking an existing one) and adding it into a gallery.
“Persistent tracking” is the use of a facial recognition service to track consumer movements without recognizing that consumer. Such tracking becomes “persistent” as soon as either: the facial template is subject to a facial recognition service for more than forty-eight hours; or the data created by the facial recognition service is linked to any other data making the consumer identified or identifiable.
Additional Duties on “Processors” and “Controllers” of Facial Recognition Services
The Act would place affirmative duties on processors, or service providers (see above for definitions of controller and processor under the Act), when they provide facial recognition services. Those duties include enforcing current provisions against illegal discrimination, as well as providing an API or other means for controllers and third parties to conduct fairness and accuracy tests. If such tests reveal unfair performance differences (e.g. bias based on a protected characteristic), the processor must develop and implement a plan to address those differences.
Controllers must also take affirmative steps to post notice in public spaces where facial recognition services are deployed; obtain consent from consumers prior to enrollment in a service operating in physical premises open to the public; ensure meaningful review for potentially harmful uses of the service; test the service and take reasonable steps to ensure quality standards; and engage in staff training. Conspicuous public notice includes, at a minimum, the purpose for which the technology is deployed and information about where consumers can obtain additional information (e.g. a link for consumers to exercise their rights).
Consent would not be required for enrolling images for security or safety purposes, but the consumer must have engaged in or be suspected of engaging in criminal activity (e.g. shoplifting); the controller must review the safety/security database no less than biannually and remove templates from individuals no longer under suspicion or who have been in the database for more than three years; and, finally, the controller must have an internal process whereby a consumer may correct or challenge enrollment. Furthermore, controllers must ensure that decisions which could pose legal or significant harms (e.g. the loss of employment opportunities, housing, etc.) are subject to meaningful human review.
Finally, the Act would prohibit controllers from disclosing personal data obtained from a facial recognition service to law enforcement, unless: required by law in response to a warrant, subpoena, or legal order; necessary, upon a good faith belief by the controller, to prevent or respond to an emergency involving danger of death or serious physical injury to any person; or to send information to the National Center for Missing and Exploited Children. In addition to these duties, controllers must also comply with consumer requests outlined elsewhere in the Act.
Insight: Senator Nguyen (jointly with Senator Carlyle and others) has introduced a separate bill regulating state and local government agency uses of facial recognition technologies. In a recent news article, he stated that he did so in order to avoid getting “caught up in any potential political fight.”
OTHER WASHINGTON STATE HOUSE BILLS INTRODUCED TODAY
Washington legislators have been busy drafting a number of other consumer privacy bills. The following nine House Bills, filed by Representatives Smith (D) and Hudgins (D), were also introduced on January 13, 2020 and are intended to accompany the WPA. These bills would:
grant individuals exclusive property rights in their own biometric identifiers (including any biological, physiological, or behavioral traits that are uniquely attributable to a single individual). (House Bill 2363)
expand consumer rights and corporate responsibilities, in the name of “consumer empowerment,” and would enforce penalties of up to $10,000 (plus attorney’s fees) for civil violations. (House Bill 2364)
require all connected devices to have a consumer-friendly sticker informing consumers (including children) of the device’s ability to transmit users’ data to the device manufacturer or any separate business entity. (House Bill 2365)
make the Washington State chief privacy officer an elected position, and task the CPO with educating consumers, researching best practices, providing privacy training for state agencies, and consulting with stakeholders. (House Bill 2366)
prohibit the use of deceptive bots for commercial purposes, making the use of such bots a per se violation of the Washington Privacy Act. (House Bill 2396) (Rep. Hudgins only)
prohibit posting statements online of financial affairs filed by a professional staff member of the legislature. (House Bill 2398)
require controllers to obtain written consent from consumers prior to retaining voice information, and require all voice recognition feature manufacturers to prominently inform users that their devices may process or collect personal data. (House Bill 2399)
require the office of privacy and data protection to conduct annual privacy reviews of state agencies. (House Bill 2400)
require employers that utilize AI in hiring decisions to inform potential applicants of those technologies and obtain consent. (House Bill 2401)
Did we miss anything? Let us know at [email protected] as we continue tracking developments in Washington State.
Statement by Future of Privacy Forum CEO Jules Polonetsky on the Washington Privacy Act
WASHINGTON, DC – January 13, 2020 – Statement by Future of Privacy Forum CEO Jules Polonetsky regarding the introduction of the Washington Privacy Act (Washington State Senate Bill 6281):
“The Washington Privacy Act is the most comprehensive state privacy legislation proposed to date. The bill addresses concerns raised last year and proposes strong consumer protections that go beyond the California Consumer Privacy Act. It includes provisions on data minimization, purpose limitations, privacy risk assessments, anti-discrimination requirements, and limits on automated profiling that other state laws do not.”