OLYMPIA — State lawmakers want Washington to be the gold standard for regulating companies and governments that collect people’s digital data or use facial recognition programs.
It’s an ambitious goal for the home of Amazon and Microsoft, and one that legislators and others hope could become a national model.
But as they push forward — meeting with companies, lobbyists and community advocacy groups — lawmakers are divided on key aspects.
Legislators face tough philosophical questions, along with pressure from companies affected by regulations and community-advocacy groups skeptical those regulations won’t go far enough.
Front and center in that debate is Senate Bill 6281, which passed Friday out of that chamber.
Sponsored by Sen. Reuven Carlyle, D-Seattle, the bill uses as inspiration European data-privacy regulations and a California law.
Among other things, it would require companies to tell people whether their data is being used and provide that information back to them. If requested, companies would have to fix inaccurate data and delete personal information under certain circumstances.
The legislation makes the Attorney General’s Office the sole authority to enforce violations, each of which could amount to a civil penalty of up to $7,500. The money would go to help fund the existing state Office of Privacy and Data Protection.
Companies that could be affected by the bill range from global giants Microsoft, Amazon and Facebook, to retail stores and largely invisible data brokers. The bill would cover companies conducting business in the state or producing services or products that are targeted to Washington residents.
On the Senate floor, Carlyle described the proposal as an “important balance between our constitutional rights and the value to our economy and our civic society …”
With no action from Congress on data privacy, “It becomes more imperative than ever that we as a state move forward,” said Carlyle.
SB 6281 passed 46-1, though two Democrats expressed reservations about parts of it.
But the bill faces questions or skepticism by House Democrats and Republicans. There isn’t much time to resolve the issues before the legislative session ends March 12.
Rep. Norma Smith, R-Clinton, has criticized the bill as too “corporate-centric” and said she believes individuals, rather than just the Attorney General’s Office, should have a right to sue companies for violations.
“One of the issues with the Senate bill is that it grants rights and no access to justice,” said Smith.
Carlyle has defended using the Attorney General’s Office exclusively to enforce the law. The office would be well-equipped to pursue violations, he said, and more effective than what could be a flurry of private lawsuits if individuals were allowed to sue.
“If we’re just unloading the lawyers on Day 1 … I don’t think we’re recognizing what it takes to be the home not just of Microsoft, not just of Amazon, but Starbucks and Boeing and Expedia and F5 and some of the premier companies on this particular planet,” he said.
Carlyle said he has pledged to sponsor a bill to allow private lawsuits after the bill became law, if it were found that they were necessary.
Rep. Shelley Kloba, D-Kirkland, said she hopes the House and Senate can find middle ground on the issue of enforcement.
Kloba has questions about whether companies could get around the regulations in SB 6281 because of how it defines who is covered under it.
The Senate bill’s regulations would apply to entities conducting business in the state that process or control the data of at least 100,000 individuals. Also subject to the regulations would be businesses getting 50% or more of their gross revenue from the sale of personal data, and control or process information on 25,000 or more consumers.
In theory, people trying to avoid those regulations could do so by creating a series of smaller companies that don’t exceed those numbers, she said.
Kloba this year sponsored a companion bill to Carlyle’s version, which has what she calls a “consumer-focus” with “opportunity for enforcement.”
Meanwhile, lawmakers remain divided on how to regulate facial-recognition programs — or whether to put a moratorium on such programs for now.
Carlyle’s bill would regulate companies using facial recognition technology.
Facial-recognition programs have come under criticism, especially after a study released in December by the federal National Institute of Standards and Technology showed how they misidentified women, elderly people and especially people of color.
SB 6281 would require companies using facial-recognition programs to make them available for independent testing to see if they are accurate, according to a legislative analysis. And it would require companies to submit a plan to improve the programs if that testing found problems with how various populations were treated.
And it would put some regulations on how companies use those programs in public spaces, such as retail stores.
The lone vote against Carlyle’s bill on Friday came from Sen. Bob Hasegawa, a Democrat from Seattle who has sponsored legislation to put in place a moratorium on government facial-recognition programs.