This month, a bipartisan group of legislators in Washington state presented new legislation that could soon become the most comprehensive privacy law in the country. The centerpiece of this legislation, the Washington Privacy Act as substituted, goes further than the landmark bill California recently enacted and builds on the law Europeans have enjoyed for the past year and a half.
As Microsoft President Brad Smith shared in his blog post about our priorities for the state of Washington’s current legislative session, we believe it is important to enact strong data privacy protections to demonstrate our state’s leadership on what we believe will be one of the defining issues of our generation. People will only trust technology if they know their data is private and under their control, and new laws like these will help provide that assurance. We’re encouraged that privacy legislation in Washington has been welcomed by privacy advocates such as Consumer Reports and the Future of Privacy Forum.
To date, the U.S. has taken the approach of enacting privacy law in just a few key areas, such as financial services, children and some health data. However, on average, people today produce 25 times the online data they did in 2010, and this data no longer just records our medical checkups or banking activities but just about every aspect of our lives. The Washington Privacy Act addresses these significant gaps by creating comprehensive baseline protections. As the United States Congress continues to work on these safeguards, states such as Washington have the opportunity to move faster and give people the protections they deserve.
Washington came close to passing a good bill last year. As I wrote in April 2019, every year we kick the can down the road is another year we’ll spend searching for the perfect legislation rather than starting to provide people with needed protection, and then building on a strong foundation. And people are overwhelmingly voicing their support for the legislature to take action now. In a Crosscut/Elway poll conducted in December 2019, 84% of Washington respondents supported “strengthening consumer protections for personal data online” and placed privacy above issues such as carbon emissions and rent control.
Why the Washington Privacy Act is strong
The Washington Privacy Act, introduced by Senator Reuven Carlyle, has four core components that we believe are critical in any comprehensive privacy bill.
Corporate responsibility: First, it holds companies responsible for ensuring they only use data for the reason they collect it and with the permission of their customers. If a company collects someone’s phone number for the purpose of two-factor authentication, they shouldn’t then be permitted to use that information for targeted ad or search purposes.
Consumer empowerment: Second, it gives people the ability to control their data by providing rights to access, correct, delete and relocate their data, and to limit a company’s ability to use their data.
Transparency: Third, it requires companies to be clear about their intentions for collecting people’s personal data in a way that is easy to understand.
Strong enforcement: Fourth, it enables the state attorney general to ensure companies comply with the law. The state attorney general can take legal action with penalties up to $7,500 per violation, meaning total penalties for a non-compliant company could – depending on the number of people affected – amount to hundreds of millions of dollars. In addition to attorney general enforcement, the Washington Privacy Act requires companies to be responsive to consumer requests for information about what data of theirs companies have and how that data is used.
This year’s bill has significant improvements over last year’s legislation. For example, it now requires companies to tell people why their data is being collected and to use it only for that purpose, ensures companies only collect the minimum data needed for that purpose, and prohibits companies from using data in new ways that are different and distinct from the reasons they collected the information in the first place.
Prevent a “race to the bottom” with facial recognition
In addition to addressing the four privacy principles, the Washington Privacy Act sets standards for how and when companies can use facial recognition technology. This portion of the bill includes a range of steps to protect people from this largely unregulated technology, and we think four are particularly worth discussing.
Fairness: First, suppliers of facial recognition technology must build their technology so that third-party research organizations can test its accuracy and examine it for bias. When undisclosed problems with the technology are discovered, suppliers must take action.
Consent: Second, the default rule is that people must give permission for companies to add their image to a facial recognition database and this consent must be meaningful, not just a footnote buried in legal jargon.
Notification: Third, in any public place where facial recognition technology is used, companies must post clear notice.
Human Review: Fourth, results of facial recognition must be verified when critical decisions such as mortgage approvals or employment considerations are being made, and humans have to be involved in the decision-making process.
The Washington Legislature will also consider an important proposal to regulate the use of facial recognition by government. A bill proposed by Senator Joe Nguyen contains many of the safeguards the Washington Privacy Act applies to corporate use as well as new rules to be applied to governmental scenarios. For example, the technology can only be used in public places to address serious crimes when a search warrant has been issued or when there’s a genuine emergency such as a terrorist threat or a kidnapped child. Law enforcement must disclose to defendants when facial recognition is being used in a legal case against them.
As Brad Smith has outlined, if we don’t act, we risk waking up five years from now (or even sooner) to find that facial recognition services have spread in ways that exacerbate societal issues. By setting boundaries before, during and after deployment of facial recognition, we hope that these regulations offer the public more opportunity to be involved in the decisions regarding the acceptable use of the technology by commercial actors as well as state and local authorities. Neither the Washington Privacy Act nor the Nguyen bill provide all the answers to the challenges that will arise with this technology, but both bills provide strong baseline standards that will give people meaningful protections for the first time. Passing these bills in this session will allow the legislature to focus future sessions on building and improving upon them.
Open public dialogue
We believe advocating for laws like these are good for our customers and important for holding the industry to higher standards than the law does today. Microsoft has been engaged along with dozens of entities including companies, privacy experts, advocacy groups and legislators invited to comment on early draft proposals leading up to this session. We are committed to working with lawmakers and stakeholders to ensure the final bill provides comprehensive privacy protection for all Washingtonians. You can learn more about our efforts from last week’s testimony.