Chief Privacy Officer Alex Alben testified in support of Senate Bill 5376 yesterday as it was considered and approved by the Ways and Means Committee.
Senate Ways and Means Committee Hearing February 27, 2019
Testimony by Alex Alben, Chief Privacy Officer for the State of Washington
Dear Members of the Committee:
I appreciate the opportunity to come here today and share my perspective on SB 5376, The Washington Privacy Act. This proposal, if adopted by the legislature, would represent a landmark in privacy protection for the residents of Washington State. It would cover any corporation that has collected data on more than 100,000 Washington residents, no matter where that corporation is located. The law would apply broadly to the telecommunications industry, data brokers, national retailers and social media platforms. The law came about as a result of the convergence of three global trends:
First, consumers are upset about data practices. After years of online profiling and targeted advertising, people realize that their personal information has become “productized,” shared and sold without their consent. The WPA addresses and contains these practices.
Second, consumers are upset by rampant data breach. Hundreds of millions of Americans have been outraged to receive data breach notices about the theft or unauthorized disclosure of their most personal information. The WPA addresses this by reducing the flow of data to third parties and giving consumers a voice to stop the sale of their personal information.
Third, many major corporations have invested the time and money to become compliant with the new European Privacy Law—known as the GDPR—which went into effect at the end of May of 2018. Because companies such as Amazon, Microsoft and Uber can extend core privacy protections to residents of the European Union, the GDPR has paved the way for application of these protections to people in the United States. SB 5376 leverages this tremendous investment and paves the way for all large companies that handle user data to come up to this high standard.
This draft law reflects the input of scores of organizations, companies and privacy experts. Over a year ago, Senator Carlyle and I began outreach to stakeholders and we heard a range of opinions about the merits of various privacy laws, including the newly passed California privacy act, and the option to simply do nothing and to wait for Federal action. We decided not to wait for a Federal law that may never come or that may fail to accord substantial data protection rights. Privacy protection is critical for the people of Washington state today and we have this rare window in which to draw upon the strong measures of the European Law, tailored to the American consumer protection principles.
This law addresses four areas:
1. It gives consumers the right to access the personal data that an organization has collected and kept about them. This right is very similar to the California law.
2. It gives consumers the right to delete certain types of data, if they no longer want the organization to retain it. This is also similar to the California law, although the WPA creates a mechanism to retain data to serve consumer needs, such as product recalls or sending them refunds or legally required information.
3. The WPA gives people the right to object to the processing of their data for targeted advertising or the outright sale of data to third parties without their consent. California has a parallel “opt out” provision.
4. The WPA begins the regulation of Facial Recognition technology, both in the public and private sector. The bill requires notice when Facial Recognition surveillance is deployed on physical premises. While physical notice does not "solve" the FR problem, it will raise public awareness and encourage companies to explain their use of this technology.
Second, it requires "meaningful human review" of Facial Recognition data, before a decision is made that has legal consequences for an individual. Therefore, the WPA would ban "automated" decisions using FR in the context of employment, housing and other key decisions that affect people's lives. This represents a new and important legal change for the benefit of Washingtonians.
Third, the mandatory disclosure of the software programs utilizing FR technology will encourage third party independent testing of FR and weed out programs which have high error rates. The WPA will accelerate better technology through market forces, as opposed to an outright ban.
Finally, law enforcement will be required to have a court order or warrant before deploying FR for continuous surveillance. This represents a substantial first step toward FR regulation, while allowing FR deployments for security and prosecution of crimes.
My office endorses the Washington Privacy Act, because it reflects a serious and practical approach to address a complicated set of problems. It is not a perfect proposal and can still be improved by thoughtful and constructive amendment. We welcome serious and constructive engagement. As a privacy advocate and as someone who has experienced breach of personal data, I believe that this is the right law at the right time for the State of Washington and millions of people who are calling for meaningful action to protect their personal data and their privacy. Let’s not lose this opportunity to act for the public good.
Ryan Harkins of Microsoft (Support) -- video
Eric Monsado of ACLU (Oppose) -- video
Jevin Hudson of UW Law School Student body (Opposed) -- video
Cliff Webster for the Consumer Data Industry Association (Opposed) -- video
Brad Tower for the Toy Association (Opposed) -- video
Law enforcement panel - video
- Michael Transue of Axon Enterprises (Opposed)
- James McMahan of WASPC (Opposed)
- Cody Arlidge for Motorola (Opposed)