Washington legislators are introducing bills to allow people to correct or delete personal information held by companies, restrict the use of facial recognition and force data brokers to register with the state.

Share story

OLYMPIA — Washington lawmakers have introduced a series of bills that would bring European-style privacy and transparency regulations to how personal data is collected, analyzed or sold by companies and the government.

Last year, legislators passed a net-neutrality law in the face of the federal government’s rollback of rules to protect customers from changes by broadband companies offering internet service. Washington became the first state to approve such a law.

But when it comes to the collection and use of personal data, Washington — and the United States — remains as ungoverned as the Wild West.

“America, you know, is behind the rest of the world in terms of privacy protections for consumers,” said Alex Alben, the state’s chief privacy officer. “It’s not a secret that people are really upset when they see their data used in ways they didn’t intend.”

The misuse of data, by one metric at least, is daunting: In a recent 12-month period, breaches in personal data affected nearly 3.4 million Washingtonians, according to a report by the state Attorney General’s Office. That’s more than half the state population.

Legislators this week held a hearing on a bill by Sen. Reuven Carlyle, D-Seattle, that would allow citizens to know what data companies are collecting on them. It also would restrict some uses of facial-recognition programs.

Meanwhile, a bill by Rep. Norma Smith, R-Clinton, would require data brokers to register with the state and divulge what type of data they are collecting and whether they have experienced security breaches.

Industry organizations have raised concerns about Carlyle’s proposal, while the ACLU of Washington has argued that it doesn’t go far enough.

Carlyle, Smith and others say that Washington — the land of Amazon and Microsoft — could be the best place to lead on regulations that could eventually be adopted around the nation.

The European Union last year adopted what’s called the General Data Protection Regulation that, among other things, spells out individual rights for citizens whose data is being collected and requires companies to ask permission before gathering such information.

That law made news this week when France’s privacy watchdog used it to fine Google $57 million for “lack of transparency, inadequate information and lack of valid consent” over the way it personalized ads for customers.

Only one state — California — has passed a data-privacy law similar to the European standard, according to the National Conference of State Legislatures, although New Jersey, New Mexico and New York are considering proposals.

Carlyle described his proposal, Senate Bill 5376, as a more limited version of General Data Protection Regulation.

With it, “you have the right as an individual consumer to access, review and modify and question and challenge and act on how companies are using your own data,” Carlyle said. “It’s about action.”

SB 5376 would apply to organizations that conduct business in the state and process or control the data of 100,000 or more consumers, according to a legislative analysis. Businesses that get 50 percent or more of gross revenue from the sale of personal information, and process or control information on 25,000 or more customers, also would fall under the regulations.

Those companies could range from big, well-known firms like Microsoft and Facebook, to largely behind-the-scenes data brokers and retail stores.

If asked, the companies and organizations would have to divulge if the requester’s data is being used, and provide that data. They would have to correct inaccurate data if asked to, and delete personal information under certain circumstances, such as if it were no longer necessary.

The legislation would also regulate the use of facial-recognition programs by companies, such as requiring organizations to get consent from consumers before using the software.

Carlyle’s bill would also block the use of facial-recognition programs by state and local governments in “ongoing surveillance of specified individuals in public spaces” unless it is used in support of law enforcement due to a court order or an emergency.

The regulations would be enforced under the state Consumer Protection Act. It would make a data-gathering entity liable to a civil penalty of up to $2,500 per violation or $7,500 for every intentional violation.

Julie Brill, a vice president and deputy general counsel for Microsoft, testified during the hearing in favor of the bill, saying “there is an urgent need for new privacy laws that provide strong protections for consumers … but also enable innovation to thrive.”

Mark Johnson of the Washington Retail Association cautioned that the rules could apply to smaller businesses that don’t have the staff or capacity to adapt to them.

Johnson, who said he doesn’t oppose the bill but in the hearing raised issues about it, said he would prefer a federal solution rather than different laws in different states.

“My members are looking for stability, predictably and consistency, so that they can comply,” said Johnson, who described his association as businesses with predominantly 50 or fewer employers.

On the other side the divide, Shankar Narayan of the ACLU of Washington said Carlyle’s bill doesn’t go far enough.

Large companies like Microsoft, Amazon, Google, Apple and Facebook could be helping to enact a law in order to set a less-stringent standard than the European regulations, said Narayan, director of the advocacy organization’s Technology and Liberty Project.

The five corporations are “openly strategizing” around proposals that are weaker than Europe’s or California’s privacy laws, said Narayan, adding: “A cynic’s view would be that this isn’t real privacy, but sort of a larger strategy.”

On facial recognition, Narayan said lawmakers should consider Seattle Democratic Sen. Bob Hasegawa’s bill, SB 5528, which would put a moratorium on the use of software by state and local governments.

That moratorium would be lifted after a series of conditions are met, such as verifying that the programs are accurate, especially as they apply to people of different ethnicities, races, ages or genders.

Smith’s bill, HB 1503, would require data brokers to register with the state’s chief privacy officer, pay an annual fee of $250 and disclose details about what they are collecting.

Smith said her legislation compliments Carlyle’s and would help Washington residents have a better idea of what information companies are gathering on citizens — and whether any are operating unethically.

“Until we know who’s operating in that space, it’s very difficult to determine what next steps are,” Smith said.

[Related: EU’s antitrust cop lays groundwork for tougher scrutiny — and it may not bode well for U.S. tech giants]