A year ago, Washington tried — but failed — to pass an online privacy law.
To say a lot has happened in the past year would be an understatement.
Twelve months of living with a pandemic has us relying even more on the computers, smartphones and other digital tools we use every day. Millions of us are online from the time we wake up until we go to bed — for work, for school, health care, shopping for essentials, and staying connected to people.
So while we’re online more than ever, most online companies still don’t have rules of the road for what they do with all of our personal information, at least not in Washington. That puts your privacy at serious risk. According to Consumer Reports survey data from 2020, 85% of Americans are concerned about the amount of data that online platforms are collecting and storing about them.
California and Virginia have paved the way for meaningful privacy legislation. Now lawmakers in Olympia are back at work, trying to advance a bill to help people control and protect their own data.
Privacy is a constitutional right in Washington state. The problem is, people don’t have the tools to exercise the right. The proposed Washington Privacy Act could help fix that. But it needs to be stronger.
Let’s start with the good news: The bill would guarantee you the right to know the information companies have collected about you. You’d have the right to delete that information, and the right to stop the disclosure of certain information to third parties, with more protections for your most sensitive data.
Here’s where it’s lacking: The way the bill is currently written, the burden is on you to take the time to opt out of data sharing at hundreds, if not thousands, of different companies. A recent study by Consumer Reports has found that opt-out processes can be incredibly complicated.
There are ways to make opting out simpler for people. Take the California privacy law. It allows people to send a universal message, like a signal from their internet browser, to opt out of information sharing, and companies are required to accept it. Plus, the California law lets people use an “authorized agent” — a third party, like an app provider, that will perform data requests on their behalf. We looked at how authorized agents are performing in California, and we found they would make it much easier for people to manage their data.
The lessons we are learning in California should be applied in Washington. The Washington Privacy Act should be improved with provisions for global opt-outs and authorized agents, so you can stop the sale of your information with a single step. Opting out of every website one by one is just not workable.
Washington should also take heed of the playbook that companies used when Europe’s privacy regulations went into effect in 2018. The new rules lacked meaningful enforcement, so companies operating in Europe have avoided meaningful compliance in many cases. Regulators have struggled to hold them accountable. That’s why Washington lawmakers should remove a troublesome “right to cure” provision from their bill, because it could allow companies to avoid punishment for breaking the law. In addition, consumers should be able to hold companies accountable in some way for violating their rights — there should be some form of a private right of action.
And there’s one more thing. The bill’s opt-out rights should include all data sharing, and make sure targeted advertising is adequately covered. In California, many companies tried to avoid the law by claiming that most online data sharing is not technically a “sale.” To address this problem, California voters just approved a ballot initiative to expand the scope of their opt-out rights to include data sharing, and targeted ads are clearly covered when you opt out.
The Washington Privacy Act does aim to let you opt out of targeted ads, but its language is ambiguous and could allow big-tech companies to use their own vast data stores to serve targeted ads on other websites.
Ideally, a privacy law would set strong limits on the data that companies can collect and share in the first place. You should be able to use an online service or app safely without having to take any action, opting in or opting out, as we recommend in our model bill. Still, with an opt-out-based bill like Washington’s, we believe the adjustments we recommend would help ensure that the measure is workable for consumers.
Tech companies have a huge footprint in Washington state. Two of the world’s biggest tech giants are headquartered in Seattle and Redmond. People here understand emerging technologies and the need for greater online privacy protections. While more remains to be done to strengthen the Washington Privacy Act, legislators have done tremendous work. They have a great opportunity to protect the privacy rights of their citizens, and provide a model for states and the U.S. Congress to follow.