As Washington state’s legislative session opened Monday, lawmakers resumed their talks about creating a comprehensive consumer-privacy law for their residents on par with a landmark measure that just went into effect in California.
At a press conference Monday, Democratic State Sen. Reuven Carlyle said his new bill — an update of one he introduced last year — is based on the best practices taken from the European Union’s General Data Protection Regulation and the new California Consumer Privacy Act.
“It goes further than California’s legislative initiative in many ways,” Carlyle said. “This year, after months of months of extraordinary stakeholder work, relationships, extensive conversations, iterations of various versions of the bill, we have overwhelming consensus that we need to move forward. We have, I’d say, 95 percent agreement in principle on core elements of the bill.”
Though Washington’s previous run at such law fizzled in the state House of Representatives last spring after passing the Senate 46-1, Carlyle has a new ally this year in Katy Ruckle, the state’s newly appointed chief privacy officer.
Ruckle, who had led the Washington Department of Social and Health Services’ privacy operations since 2006, developing policy for hospitals on records management and compliance, joined Washington Technology Solutions as the statewide privacy chief on Jan. 2. In her new role, much of Ruckle’s work will overlap with that of Chief Information Security Officer Vinod Brahmapuram, conducting annual privacy reviews, training agency staff and evaluating data-collection and retention practices when a state agency launches a new IT project.
But for the next 60 days, Ruckle’s will focus mainly on helping pass the Washington Privacy Act, she told StateScoop.
“It contained strong language about recognizing that the people of Washington regard their privacy as a fundamental right,” Ruckle said of the previous version of Carlyle’s bill. “And I think Washington residents have a right to expect that entities handle their personal information securely and responsibly.”
In his press conference Monday, Carlyle’s said his new bill will cover what he called privacy’s “basic core rights.”
“We as individuals have a fundamental right to know how our data is being used,” he said. “We have a right to access that data, we have a right to correct that data if it’s inaccurate. We should have a right to delete that data and we should have a right to portability, to transfer that data among providers. And finally, we should have the right to opt out from targeted ads and from the sale of data and from profiling.”
California’s law, which provides expansive consumer protections including granting residents the right to know what information companies are collecting on them, the right to have that information deleted, instating restrictions on discrimination based on information collected and giving people new rights to sue companies that mismanage and subsequently leak their data. The CCPA owes its landmark status to its breadth and being the first of its kind in the United States. Since its passage, other states, including Texas, Massachusetts, New York and Washington have strived to emulate it.
Washington’s failed privacy bill last year was notable for allowing consumers to opt out of data collection, along with a host of other rights that would have made industry data-collection — particularly that involving facial-recognition systems — more transparent, but it wasn’t as broad as CCPA. After the bill failed last year, closed-door discussions commenced between legislators and the tech industry, including Microsoft — which supported the bill — as well as Amazon, Comcast and the Association of Washington Business.
Carlyle said Monday that regulation of facial-recognition technology will be divided between government use, which will remain in his bill, and private-sector use in a separate bill.
Ruckle said the legislation couldn’t come soon enough.
“The lack of legislation has come in the era of digital information and the handling of that really got out ahead of us in terms of the technology that’s out there,” Ruckle said. “In states, at least, we just relied on self-regulation and now I think everybody’s realizing there needs to be guardrails.”
Ruckle said she’s hopeful the bill will pass, providing a legal foundation for rights that some state governments are just starting to codify, and as federal data-privacy legislation remains elusive.
“One of the things that I like the most about privacy is the fact that privacy is something everyone understands regardless of their education or background, and so they might not always have all the right words to use in terms of talking about it, but they definitely know something is wrong when someone knows something about them that they didn’t share or didn’t intend to find out,” she said.
Between facial-recognition systems — which are becoming more widely adopted by law enforcement agencies all the time, despite San Diego’s recent abandonment of the technology — bots that scrape social media platforms for constituent sentiment analysis, and web and mobile tracking software feeding into a growing network of data analytics that’s up for sale to the highest bidder, the opportunities for misuse of the public’s personal information abound. Ruckle pointed to the growing use of connected devices in homes, such as smart speakers and baby monitors, that may or may not allow strangers to watch and listen to what they say.
“People know that that’s wrong on a very cellular level,” Ruckle said.