As the United States federal government continues the slow process of hashing out a viable national privacy bill, state governments are creating and passing their own legislation. The state of Washington is close to passing one such bill, the Washington Privacy Act. This new bill is noteworthy due to the strength of its terms, which compare favorably to the California Consumer Privacy Act (CCPA). The Washington Privacy Act goes further in certain areas, however: the ability to control personal data, opt-out rights and requirements of explicit consent in the use of facial recognition technology.
How does the Washington Privacy Act stack up?
A side-by-side analysis provided by the Future of Privacy Forum compares the Washington Privacy Act’s terms to both the CCPA and the European Union’s General Data Protection Regulation (GDPR). Though the protections are not at the same overall level as the GDPR’s terms, the bill is a step forward relative to the CCPA in a number of areas.
One of the main highlights is the way in which the Washington Privacy Act handles facial recognition technology. The bill has provisions directly addressing biometric facial recognition data, something that the CCPA entirely lacks and the GDPR only addresses through indirect measures. The key feature is a requirement of explicit, opt-in consent in order for private companies to collect and use facial recognition data. Businesses that collect such data would also be subject to special handling rules and to third-party auditing.
The terms of the Washington Privacy Act are limited to non-government entities that conduct business in the state. This definition would include non-profit agencies, a group that is not subject to the CCPA’s terms. As with the CCPA, the Washington Privacy Act has revenue and customer count cutoffs that would make it applicable only to medium-to-large businesses. The bill applies to companies with information on over 100,000 consumers in any given year, or those with information on at least 25,000 consumers that derive over 50% of their annual revenue from the sale of personal data.
The bill also improves consumer visibility and access to data. The CCPA includes rights to access, delete and port data from one service to another, but the Washington Privacy Act adds the right to make corrections. Washington residents would also have improved opt-in and opt-out rights with any company that processes personal data: the ability to fully opt out of targeted advertising and profiling, and opt-in policies covering the collection of sensitive categories of personal information.
Other provisions unique to the Washington Privacy Act (among extant examples of US state law) include a category of “high risk activities” (e.g. medical and financial data) that would trigger a special assessment, data minimization and purpose limitation requirements, and a duty to avoid secondary use.
Will the bill pass?
The bill has cleared the first step in the state legislature, passing out of the Senate Ways & Means Committee. It now goes before the state Senate and House.
The Senate is favorable to the bill, but there is some question as to its ability to clear the House given that a very similar bill suffered a narrow defeat last year. The resistance in 2019 mostly came from privacy rights groups, such as the state’s branch of the ACLU; the stronger terms in the more recent bill are in no small part due to those concerns. One of the main issues expressed by these groups was a lack of provision for regulating facial recognition technology, something that lawmakers went out of their way to address in this second attempt. The bill would thus appear to have a good chance of passing this time.
The importance of facial recognition technology regulation
The Washington Privacy Act dovetails with a broader movement to limit the implementation of facial recognition technology in public places in the US.
At the federal level, the House Oversight and Reform Committee announced that it is working on facial recognition technology regulations that will debut in coming months. There is considerable bipartisan support for these sorts of regulations after a series of hearings in 2019 established the potential dangers of letting both the private sector and law enforcement agencies have a free hand with the technology. This follows an announcement by the EU that there may be a five-year moratorium on the deployment of facial recognition technology by any government agency as safety measures are studied and implemented.
As with data privacy bills, some states and municipalities are not waiting on the federal government to address this issue. Cities around the country have already passed laws prohibiting local law enforcement from using facial recognition technology: San Francisco, Oakland, Berkeley and the Boston suburb of Somerville among them. Aside from Washington, 10 state legislatures have introduced and are currently considering similar bills.
Some feel that the Washington Privacy Act could be the nudge that the federal government needs to finally settle on and mobilize a national standard for regulation of both data handling and facial recognition technology. According to the Future of Privacy Forum’s Stacey Gray: “If WPA passes, it would likely raise the bar not only for other states, but more importantly for a federal law that would be expected to be at least as strong, if not stronger, than California and Washington in its provisions governing commercial uses of data, including biometric data.”