Notes from Washington Privacy Act Hearing

The Washington State Senate Committee on the Environment, Energy & Technology held a public hearing yesterday on SB 5376, the Washington Privacy Act, which was proposed in the Washington legislature last week. Senator Carlyle, the prime sponsor of the bill, is also the chair of this committee.

After a brief summary of the proposed privacy bill, there were a few different speakers that commented on the legislation. Here are the highlights:

Chief Privacy Officer for the State of Washington:

Very apparent that people are stressed and worried.
They feel like they have lost control of their data and they are frustrated.
No one says that they are so happy about how their data is being treated online.

The sky didn’t fall down after GDPR.
Some companies have already decided to extend the protections in European law to Americans.

In the absence of federal law, it is up to the states to protect their citizens.
They started to meet a year ago with stakeholders. Both on the consumer side and the industry side.
The goal is not to disrupt business. It is to allow business to operate as usual but with consumer protection.

Summary of the 4 Rights for Consumers in the SB 5376:
– Right of Access
– Right to Correct Information
– Right to Data Portability
– Right to Get Consent Before Your Data is Sold or for Direct Marketing

Believes can institute these consumer rights and in fact have a robust tech economy.

This is a complex piece of legislation and there is still work to do to make it a better piece of legislation. They are listening to any group that has thoughtful comments about how to improve the legislation.

In the long run, this is going to be good for business and good for consumers. For business, it creates predictability. It gives them a working model to give data to their consumer and that creates trust. In the long run, this will set the framework for a more robust and successful economy in Washington.

There are two provisions for facial recognition. There should be some basic guardrails around the use of the technology.

There is a companion bill for data held by state government – SB 5377.

Speaker from Microsoft:

This is a critical moment on the issue of privacy protection. We live in a time of remarkable technology change and disruption.

There is an urgent need for new privacy legislation.

Believes this bill takes the best parts of European law, California law and from some federal laws.

1. Provides new rights for consumers that guarantee strong control for them over their data.
2. Requires companies to assess risks to customer privacy before processing personal data. If the risks outweigh, they must obtain consent. This will encourage companies to be good stewards of personal data and be accountable for how they use data.
3. Sets new global standards through responsible regulation that addresses the legitimate concerns about facial recognition technology.
4. Good for business because it will help them meet global privacy standards and compete in international markets, as well as build consumer trust.

Facial Recognition Summary:

1. If facial recognition is provided on a commercial basis, need to provide a technological means for third party to test for accuracy.
2. If using in a public setting, there has to be notice to individuals.
3. For government, it will require a warrant if being used to surveil specific individuals on an ongoing basis.

Speaker from the Washington Tech Industry Association:

Industry recommendations will be submitted in writing.
Many small and midsized companies are blocking European customers. If the bill is too onerous this will happen to Washington.
This will be new for many small businesses and suggests additional time to comply.

Speaker from the Washington Retail Association:

Members are providing comments.
They would prefer a federal solution. Retailers want predictability and stability.
Agree that July 2021 would be much preferred since December is a busy season for retail.
Threshold of 100,000 is low and would prefer higher.
Appreciates no private right of action.
Happy to work on figuring out how to craft and implement notice requirements for facial recognition.

Speaker from Washington Bankers Association:

Members have said that this is a thoughtful approach to the issue.
Curious to know what financial frameworks are captured by the term data sets and intends to demonstrate conflicts in other laws to the prime sponsor of the bill.

Speaker from ACLU of Washington:

Supports stronger data privacy but feels there are flaws.
Wants real protection for consumers and thinks there need to be other elements from GDPR and California.

Speaker from Consumer Protection Division of Washington State Attorney General’s Office:

Asking for 2 Amendments
– Private Right of Action: Generally lead to better consumer protection. The bill is giving consumers rights and they should have the ability to enforce those rights without relying on any other entity. Consumers will need to enforce their rights on
– Attorney General Report to Legislature after one year so they can learn from the data generated.

Speaker from Association of Washington Business

Supports waiting for the federal government to avoid patchwork of regulations.
Appreciates removal of private right of action.
Concerned with 100,000 threshold. Believes most organizations have that amount.

Speaker from Washington Land Title Association

Organizations get title information from local governments and sell that information. Although they may not have that many customers, they do have information on hundreds of thousands.

Speaker from COMPTIA:

Believes it would be better to wait for federal solution.
Working on proposal draft with changes to avoid conflict with the CCPA.

Speaker from Lexis-Nexis (RELX):

Supports exemptions for Fair Credit Reporting Act, Driver’s Privacy Protection Act and public records. All are exemptions in the CCPA.

Speaker from Community Bankers of Washington:

Prefers an entity based exemption rather than the data set exemption because their businesses don’t have the compliance staff to figure out what is included and is looking for a clear brightline.

Speaker from Association of Washington Cities:

Still exploring how this impacts contracts with the private sector.
Also would like to take a closer look at the facial recognition section.

Speaker from Washington Hospitality Association:

100,000 Threshhold – Average neighborhood restaurant hits this for transactions and point of sale systems don’t have the ability to distinguish whether this is unique or not.

Speaker from Consumer Data Industry Association:

Concerns about the lack of exemption for the FCRA, etc.

Speaker from Washington Association of Sheriffs and Police Chiefs:

Inflammatory language around ongoing surveillance.
Ignores the litigation over what are reasonable expectations of privacy.
May prevent facial recognition use for no fly list.
Will present alternate language that will accomplish the intended result.

Questions from legislators:

– How are risk assessments used?
– Will this legislation put Washington on an island?
– How does this work with regard to facial recognition and criminal investigations?

Contact Clarip for CCPA and GDPR Software

The Clarip privacy management software is ready to help improve your organization’s privacy practices. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo with a member of the Clarip team.

If your immediate need is California Consumer Privacy Act compliance, take a look at our CCPA software. From consent management to powerful DSAR Software, Clarip offers enterprise privacy management at an affordable price.

Still working on GDPR compliance? We understand! Our GDPR software tools offer a range of options from data mapping software, DPIA automation, and cookie management for ePrivacy.

Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo and speak to a member of the Clarip team.