This past legislative session, we supported efforts by the Washington legislature to pass Senate Bill 5376, the Washington Privacy Act (WPA). This landmark legislation would have provided consumers in Washington state with the strongest set of privacy protections in the United States. It ensured that consumers, and not businesses, retain control over their personal information online. It gave consumers the right to opt out so that their personal data is not sold, shared or used for advertising, while also holding businesses responsible for safeguarding personal information. It authorized Washington state’s attorney general to prosecute businesses for privacy violations and impose civil penalties.
The bill was an ambitious and bold proposal; for the first time, it would have provided U.S. consumers with consumer rights and held companies accountable for their data practices – provisions that were inspired by the European Union’s General Data Protection Regulation (GDPR), which is widely hailed as the strongest privacy law in the world. After passing out of the Senate with a broad, bipartisan vote of 46-1, the House failed to act before the session ended. While we are disappointed and believe this was a missed opportunity, we remain committed to working with all stakeholders to bring broad, robust privacy protections to life in the United States, including in Washington state.
We believe privacy is a fundamental human right. As people live more of their lives online and depend more on technology to operate their businesses, engage with friends and family, pursue opportunities, and manage their health and finances, the protection of this right is becoming more important and urgent than ever.
Privacy is also the foundation for trust, and we know that people will only use technology when they trust it. Ultimately, trust is created when people are confident that their personal data is safe, and they have a clear understanding of how and why it is used. This means companies like ours have a huge responsibility to safeguard the privacy of the personal data we collect and the data we manage for our commercial customers.
We’ve long supported strong privacy laws. We’ve been advocating for national privacy legislation in the United States since 2005, and we were one of the early supporters of the European Union’s landmark privacy law, the General Data Protection Regulation (GDPR). In May 2018 we announced that we were voluntarily extending the rights that are at the heart of GDPR to all of our consumer customers worldwide. Known as Data Subject Rights, they include the right to know what data we collect about you, to correct that data, to delete it, and even to take it somewhere else.
We need strong consumer privacy legislation in the United States
Much of the rest of the world has moved to enact stronger privacy protections, but in the United States, efforts to pass a federal privacy bill have long been stalled. While Microsoft remains a strong supporter of federal laws, it is clear that the states — the laboratories of democracy — have an important role to play and currently are leading the charge to enact consumer privacy laws. Last summer, California passed the first comprehensive privacy law in United States history, the California Consumer Privacy Act (CCPA). While the CCPA remains a work in progress, it was an important milestone worth celebrating. It will provide one out of every eight Americans with important new privacy rights.
In January, our home state of Washington turned its attention to this critical issue, with the introduction of the Washington Privacy Act.
The Washington Privacy Act was a landmark piece of legislation
We strongly supported the WPA upon its introduction in the Washington state Senate in January. In our view, the bill built on the important progress made by the CCPA and GDPR, and would have advanced the ball even further. And we have been public about our support; I submitted written testimony and testified in person in support of the bill.
The WPA set out an appropriately broad definition of personal data, borrowed from the GDPR and CCPA, to ensure that the Washington law would apply not only to data that directly identifies consumers, but also to modern personal data sets that identify consumers indirectly, such as targeted advertising profiles that are associated with online or other hashed identifiers.
It also would have made Washington law interoperable with the growing, heightened standards around the globe for privacy based on GDPR. There are clear economic benefits to this. It allows companies to make a single investment in the infrastructure to comply with the laws, rather than building unnecessarily duplicative and complex systems to comply with different requirements in different jurisdictions.
But more importantly, the WPA would have provided important protections for the consumers of Washington state, including all of the key elements at the heart of the GDPR — elements that, in our view, are essential for strong consumer privacy laws:
- Individual empowerment. The bill empowered Washington consumers with new privacy rights necessary to control their personal data. This included all of the rights that the CCPA provides to Californians — the right to access and delete your personal data, the right to transparent information about what companies do with your personal data, the right to take your data to another company. It also included additional consumer rights from the GDPR, such as the right to correct your personal data, the right not to be subject to profiling, and the right to restrict or limit a company’s ability to use your data. Perhaps most importantly, the bill would have granted a much broader right to opt out of the use of your personal data, including not only the CCPA’s right to opt out of data sales to third parties, but also the right to opt out of the use of your data for any purposes, including marketing or advertising, that is conducted by the company itself.
- Transparency. The bill required robust disclosures, including in privacy statements, user experiences and contracts that would have provided individuals with the critical information that they need to exercise effective control over their personal data.
- Corporate accountability. The bill placed affirmative obligations on companies to act as responsible stewards of consumers’ personal data by requiring companies to undertake risk assessments, where they must carefully weigh the benefits that may flow from data processing against the risk of processing to the individual whose data is being processed, and to get robust consent, according to the high standard for consent set by the GDPR, for practices that present high risks to consumers.
We view the risk assessment requirement as truly innovative in the United States, as it creates an additional layer of protection to consumers beyond consumer control. Consumer control tools are a critically important aspect of privacy protection but have proven to be insufficient by themselves to protect consumers. As Cameron Kerry of the Brookings Institution explained in a recent op-ed, relying solely on an “opt in/opt out” approach “is becoming a mirage as the amount and pace of data collection keeps expanding.” Individuals cannot and should not have to shoulder all of the work to ensure their information is protected. We need to place more of that burden and responsibility on companies.
That is why Microsoft believes the risk assessment concept is an effective approach, and why we have implemented it across all our businesses in all geographies.
Many others agree with the importance of including measures like risk assessments to hold companies accountable for their data processing. In a letter to the Washington legislature last month, the Future of Privacy Forum (FPF) identified the privacy risk assessment requirements in the bill as “a defining feature” that distinguishes the WPA from other proposed privacy legislation at the state and federal level. FPF went on to say this feature “benefits consumers, as without risks assessments as a core underlying practice, a company cannot claim to be meaningfully aware of the potential privacy concerns that may be created by its processing of data.”
- Robust enforcement. Any law is only as strong as its enforcement. Senate Bill 5376 gave the state attorney general the authority and tools to enforce the law, with penalties of $2,500 to $7,500 per violation, in line with the CCPA. This means penalties under the law could, in some cases, have reached billions of dollars.
- Steps to address concerns about facial recognition. The WPA was groundbreaking in another way. It took an important first step toward addressing serious concerns about facial recognition technology. This technology has advanced dramatically in recent years, and its use has become increasingly widespread. We share the concerns that consumer advocates and others have raised about inaccuracies, biases, and discrimination in how the technology can be deployed, particularly with respect to communities of color and women. Some uses of facial recognition technology are controversial and deserve a deeper discussion with stakeholders. We also feel strongly that we cannot wait for those conversations to conclude before taking action to put basic safeguards in place. Just as no person should be above the law, no technology – including facial recognition – should be above the law either. The makers of cars, aircraft, and food and drug products all must make their products available for safety tests, and in our view, the WPA would have improved the status quo by also requiring companies who provide facial recognition technology to open their technology to tests by independent third parties for inaccuracies, discrimination, and unfair bias. The WPA did not address every issue around facial recognition, but it advanced these critical issues in meaningful ways.
The amended Washington Privacy Act was a positive step forward
As anyone who has worked on legislation knows, bills change as they move through the process to address concerns raised by a diverse range of stakeholders. That is a normal part of passing legislation, which requires negotiation and reasonable compromise to bring a bill across the finish line.
As the WPA moved through the legislature, various changes were made in response to feedback from different groups. In some cases, we argued against changes when we believed they weakened consumer protections. In other instances, we viewed the amendments as reasonable suggestions. At the end of the day, we concluded that the amended version of the WPA that passed the Senate was a strong bill that would have provided Washington consumers meaningful rights to control the use of their data, and would have increased corporate accountability to ensure good data practices.
There were also subsequent efforts by the Washington state House of Representatives to take up alternate forms of legislation in response to the Senate bill. These efforts focused much attention on facial recognition technology and included provisions that would have effectively banned its use in many circumstances, even including efforts to respond to an imminent terrorist threat without the luxury of time to obtain a court order. While we were supportive of the House’s efforts to move the bill forward, significant changes were made in the House committee that resulted in stakeholders from all sides of the debate cautioning against deviating so far from the Senate bill. Ultimately the House chose not to bring the Senate bill to the floor for a vote, denying privacy protection rights to Washington consumers.
We appreciate the need for continued discussion, debate and diverse proposals on this important issue. But we also believe that we need to act, and that the best approach, given how quickly technology is advancing, is to set a floor to provide Washington state consumers with new privacy protections now — protections that consumers in other countries around the world are already enjoying — and then build on that floor by strengthening the law over time. Washington consumers would be better off today had the Washington Privacy Act passed, with the opportunity to address additional privacy concerns in future legislatures, than they are now with no broad-based privacy protection here in Washington state.
Microsoft led private sector participation to support the original version of the WPA — and we were open to ideas on how to strengthen its consumer protections further to address any concerns that consumer advocates, lawmakers or others may have had. Like many others, we were disappointed that the House failed to act. While we think this was a missed opportunity to do something important in Washington state, we are ready for next steps.
Where do we go from here?
It is past time for the U.S. to pass meaningful privacy laws. We are committed to learning from our experience in Olympia, partnering with all stakeholders – lawmakers, consumer advocates, industry, government, academics and others – and moving forward to modernize privacy law in Washington state and in the United States. We encourage others to join us in passing meaningful privacy protection. This is an issue worth fighting for.