Although Washington’s Legislature won’t convene until January, progress is already happening on a much needed state privacy law.
State Sen. Reuven Carlyle, D-Seattle, spent months gathering feedback from privacy experts, industry and others on a new version of the privacy act that nearly passed during the last session.
A formal draft should be done in a few weeks, and Carlyle, chair of the Senate’s Environment, Energy & Technology Committee, plans to hold a hearing in January.
Legislators and Attorney General Bob Ferguson should collaborate with Carlyle to finally get this legislation enacted in early 2021.
The goal is to give Washingtonians more privacy and control over personal data handled by companies and government. It would enable people to access, correct and delete personal data and opt out of having their data sold or used for targeted advertising.
Companies would be required to protect personal data and be clear about how they use it.
This is especially important as contact-tracing apps are rolled out by government agencies. Carlyle updated his proposal to also provide privacy protections for people using these apps.
The response to COVID-19 illustrates the need for policies that protect individual privacy while fostering technological innovation, Carlyle notes in his draft bill.
The policy builds on the reality that the public has widely embraced the exchange of personal information for online services such as free search, mapping and social networks.
What’s needed are policies that give people more control, set standards for companies handling personal information and give authorities enforcement power. Other nations have such policies, but Congress has lagged. States are filling the void, led by California and potentially next by Washington.
Where it gets tricky is deciding how to enforce state privacy laws. They can’t be toothless, but also shouldn’t be a bonanza for lawyers, such as those swarming to exploit California’s privacy law.
Since California’s law took effect Jan. 1, with a provision allowing for enforcement by private lawsuits, more than 50 suits have been filed, including class actions seeking millions.
That should be a cautionary tale for Washington legislators. They can create a strong, enforceable law to protect consumers without creating a policy that mostly enriches opportunistic law firms.
Besides, Washingtonians shouldn’t have to hire lawyers to enforce privacy violations when they’re already paying for a state law firm, the Attorney General’s Office, that’s supposed to protect consumers.
Carlyle’s proposal finds the right balance by increasing the Attorney General’s authority and directing civil penalties to a fund covering enforcement costs. It rightly precludes a private right of action, preventing the law from being exploited, weaponized and clogging courts.
Ferguson insisted on a private right of action when Carlyle introduced the bill last session; it passed the Senate 46-1 but didn’t pass the House.
Asked last week if his position has changed, Ferguson’s office said no and pointed to California’s law and its private right of action. He should reconsider given the flood of lawsuits there, and the cost and uncertainty that has created for all manner of businesses.
Washington can and should do better. It needs a strong privacy law that empowers residents, informs them of data sharing arrangements and requires clear, easy ways to opt out.
Washington should also use the power of the state to hold companies accountable by directing its consumer-protection authorities to enforce the law and penalize those who don’t comply.
Carlyle’s approach — and his persistence in seeking an effective and workable solution to benefit everyone in Washington — is the right way to get this done.