Washington Senate passes personal data-privacy bill

By Joseph O’Sullivan

The Seattle Times

OLYMPIA — State lawmakers want Washington to be the gold standard for regulating companies and governments that collect people’s digital data or use facial recognition programs.

It’s an ambitious goal for the home of Amazon and Microsoft, and one that legislators and others hope could become a national model.

But as they push forward — meeting with companies, lobbyists and community advocacy groups — lawmakers are divided on key aspects.

Legislators face tough philosophical questions, along with pressure from companies affected by regulations and community-advocacy groups skeptical those regulations won’t go far enough.

Front and center in that debate is Senate Bill 6281, which passed Friday out of that chamber.

Sponsored by Sen. Reuven Carlyle, D-Seattle, the bill uses as inspiration European data-privacy regulations and a California law.

Among other things, it would require companies to tell people whether their data is being used and provide that information back to them. If requested, companies would have to fix inaccurate data and delete personal information under certain circumstances.

The legislation makes the Attorney General’s Office the sole authority to enforce violations, each of which could amount to a civil penalty of up to $7,500. The money would go to help fund the existing state Office of Privacy and Data Protection.

Companies that could be affected by the bill range from global giants Microsoft, Amazon and Facebook, to retail stores and largely invisible data brokers. The bill would cover companies conducting business in the state or producing services or products that are targeted to Washington residents.

On the Senate floor, Carlyle described the proposal as an “important balance between our constitutional rights and the value to our economy and our civic society …”

With no action from Congress on data privacy, “It becomes more imperative than ever that we as a state move forward,” said Carlyle.

SB 6281 passed 46-1, though two Democrats expressed reservations about parts of it.

But the bill faces questions or skepticism by House Democrats and Republicans. There isn’t much time to resolve the issues before the legislative session ends March 12.

Rep. Norma Smith, R-Clinton, has criticized the bill as too “corporate-centric” and said she believes individuals, rather than just the Attorney General’s Office, should have a right to sue companies for violations.

“One of the issues with the Senate bill is that it grants rights and no access to justice,” said Smith.

Rep. Shelley Kloba, D-Kirkland, said she hopes the House and Senate can find middle ground on the issue of enforcement.

Kloba has questions about whether companies could get around the regulations in SB 6281 because of how it defines who is covered under it.

The Senate bill’s regulations would apply to entities conducting business in the state that process or control the data of at least 100,000 individuals. Also subject to the regulations would be businesses getting 50% or more of their gross revenue from the sale of personal data, and control or process information on 25,000 or more consumers.

In theory, people trying to avoid those regulations could do so by creating a series of smaller companies that don’t exceed those numbers, she said.