A much more favorable environment, but a lot of complexity: Washington state privacy legislation 2023 (UPDATED)
There's good reason for optimism!
Last updated February 4. See the update log below.
Washington is justifiably looked to as a tech-savvy state, and legislation that gets passed here will influence other states and the national debate.
– me in The stakes are high: Washington state privacy, facial recognition, and automated decision systems legislation 2021
The 2023 Washington state legislative session is already in high gear, and once again there's some significant privacy and automated decision systems legislation on the agenda. Even though none of the bills I was excited about in "The stakes are high" wound up passing, Washington state privacy and tech justice advocates have continued to build our power over the last two years. The environment in 2023 is much more favorable than it's ever been for strong privacy legislation – nationally, and in Olympia – so there's good reason for optimism.
One of the reasons the legislative environment is much more favorable in 2023 is that privacy threats have become a lot more real to many people in the aftermath of the Supreme Court's Dobbs decision overturning Roe. The increasing number of states criminalizing abortion – and allowing "civil enforcement", aka vigilantes and bounty hunters – highlights the urgency of new legislation like My Health My Data and the Shield Law as well as the broad protections of the People's Privacy Act.
Before we get to the specifics of this year's legislation, though, let's catch up on where we left off. If you want information about a particular bill, feel free to skip ahead!
What's past is prologue
If you're just tuning in, here's a quick overview on the multi-year legislative battle in Washington state.
The tech industry and their allies have spent the last several years trying but failing to pass the Bad Washington Privacy Act (Bad WPA). In 2019, the Senate almost-unanimously advanced it – only Sen. Bob Hasegawa (D-Seattle) voted no. The House had been working on a bill as well, but by the end of the session nothing made it to the House floor for a vote, so nothing passed. How lobbyists rewrote Washington state’s privacy law and Why Did Washington State’s Privacy Legislation Collapse? give an overview of the issues.
In 2020 once again the version the Senate advanced the Bad WPA overwhelmingly (only Sen. Hasegawa voting no). For calibration, this bill was literally unenforceable (at least according to the AG's Office, who were the only people allowed to enforce it) but everybody agreed that it was an improvement on the 2019 version. After a great hearing and outstanding floor debate, the House strengthened it significantly, and passed a version that was enforceable and included a private right of action – but the Bad WPA's sponsor (whose treasured friend, former Senate colleague is now an Amazon lobbyist) refused to compromise. A bad day for a bad privacy bill, a good day for privacy and Significant progress, although still a ways to go (SB 6280/SB 6281 update) have my pespectives on this and the facial recognition bill.
The People's Privacy Act – developed by the ACLU of Washington working with the community-based groups of the Tech Equity Coalition (TEC), and introduced by Rep. Shelley Kloba in January 2021 – transformed the legislative discussion even though it hasn't yet gotten a hearing. The state Senate once again passed a (slightly-improved) version Bad WPA overwhelmingly in 2021, with only Sen. Hasegawa voting no, but it died in committee in the House despite the sponsor's negotiating tactic of holding funding for eviction prevention hostage. Eli Sanders' reporting on this was excellent, in Inside One State’s Fierce Battle Over Online Privacy, Industry-backed digital privacy bill sees head-spinning changes in Washington state, and A Digital Privacy Bill Dies in Washington. The Clock Ticks Down on the Bad Washington Privacy Act has some of my perspectives near the end of the session.
In 2022, Reps. Vandana Slatter and April Berg introduced the Foundational Data Privacy Act (FDPA) in an attempt to make incremental progress, and the People's Privacy Act once again didn't get a hearing. The FDPA started with the BadWPA and the sponsors put a lot of effort in and appeared to have gotten industry to have made some concessions. Privacy advocates were willing to work with the sponsors Washington Tech Industry Association (WTIA) continued to back the Bad WPA (hilariously telling legislators to "stop looking to the past" and adopt a bill they had already rejected three times) and after some procedural shenanigans all the FDPA's improvements were removed and it was back to the Bad WPA which (surprise!) faild yet again after a last-minute attempt to sneak it through suffered another ignominious defeat.1
On the facial recognition front, Rep. Cindy Ryu' s proposal in 2019 for a moratorium on government use didn't garner enough support of move forward. Instead, a Microsoft-backed "compromise" bill with some basic guardrails passed in 2020. The bill that passed actually was a compromise: implementation was delayed a year to give time for a funded task force to report back to the legislature in time for the 2021 session and potentially make changes. Unfortuantely, Gov. Inslee line-item vetoed the task force. As a result, having legislation in place wound up being a barrier to progress on anything stronger in 2021 and 2022 – exactly as privacy advocates (including me!) had predicted in our testimony in 2020. Sen. Bob Hasegawa introduced a facial recognition moratorium bill in 2021, but it never got a hearing; neither did the People's Privacy Act, which also included a ban on facial recognition and AI profiling in places of public accommodation.
Of course there's a lot this quick summary leaves out, including all kinds of shenanigans by the tech industry (which has a lot of influence here in Washington) to try to sneak the Bad WPA through. In 2021, for example, the Bad WPA's sponsor reportedly threatened to hold eviction funding hostage unless his colleagues passed his bill. Good times! The references at the end have a long list of articles if you want to wallow in the details.
Despite their repeated failures here in Washington, big tech has been more successful at getting the Bad WPA adopted elsewhere; it's the basis for privacy laws Virginia, Colorado, and Connecticut. Todd Feathers and Alfred Ng's Tech Industry Groups Are Watering Down Attempts at Privacy Regulation, One State at a Time and Ben Brody's Quiet industry lobbyists are watering down state privacy laws look at industry's strategy in more detail.
Significant successes for Washington privacy advocates
As well as stopping the tech industry from passing the BadWPA, Washington privacy advocates also blocked an industry-backed digital identity bill in 2022, and supported the successful Silenced No More Act, protecting whistleblowers. Given the resources Microsoft, Amazon, WTIA, and the rest of the tech industry devote to lobbying here, that's pretty impressive. And there have also been some major successes at the local level:
- King County (home of Seattle, Amazon, and Microsoft) passed the county's first county-wide ban on government use of facial recognition technology in June 2021
- Bellingham passed initiatives banning government use of facial recognition and predictive policing in November 2021.
- Most recently, Seattle City Council nixed the mayor's request for $1M for the ShotSpotter gunshot detection system in November 2022.
2022 also featured involvement in federal privacy legislation debates by WA People's Privacy, Indivisible groups around the state, and grassroots privacy advocates (including me!), supporting the Fourth Amendment Is Not For Sale Act and My Body My Data, and pushing to strengthen the American Data Privacy Protection Act (ADPPA). And, several of us also spoke at the FTC's Public Forum on Commercial Surveillance or submitted formal comments – here's mine, focusing on Consent, Automated Systems, and Discrimination.
New in 2023: My Health My Data
"It's long overdue that we have increased data protections for our most sensitive health data, and it's taken on an increased urgency in a post-Dobbs world. This information, if it's bought or sold, can do real harm."
– State Representative Vandana Slatter, quoted in Jessica Lyons Hardcastle's Proposed Washington law puts period-tracking apps on notice in The Register
The My Health My Data Act (HB 1155 / SB 5351), which Rep. Slatter is sponsoring along with Sen. Manka Dhingra, responds to the Dobbs decision by providing strong protections for consumer health data. Shawna Mizelle's Washington state bill would make period-tracking apps follow privacy laws in reflection of post-Roe fears on CNN also discusses the bill – which covers a lot more than period-tracking apps!
Slatter and Dhingra worked with the Attorney General's office developing the bill, and there is a lot to like about it. Here's how the AG's press release in October describes its key features:
- Prohibits organizations from selling Washingtonians’ health data.
- Blocks apps and websites — like health tracking apps, search engines and advertisers — from collecting and sharing Washingtonians’ health data without their consent.
- Prohibits “geofences” from being used at reproductive and gender affirming health care facilities. Geofences are a virtual perimeter around a physical location that can be used to send messages to a person who enters a specific location.
Each of these would be significant advances over existing state privacy laws so there are going to be a lot of lobbyists pushing for weaker protections. That said, there's room for strengthening as well. For example, the bill currently exempts de-identified data, which Sen. Ron Wyden has warned could put people seeking reproductive health care at risk.
At the hearing and behind the scenes, expect the tech industry groups and lobbyists who water down state privacy laws to try to narrow the definitions of consumer health data, introduce more loopholes and exemptions, and weaken enforcement by claiming that holding companies accountable for the harms they cause by not protecting people's data will "harm innovation" or cause the sky to fall.
Microsoft is a wild card and it will be interesting to hear what they have to say. Many of their customers would benefit from a weaker bill, but strong legislation would be good for their business – and they'll face a lot of employee pressure if they aren't pushing for it.
UPDATE, January 28: A very encouraging first step summarizes the House Civil Rights & Judiciary (CR&J) hearing on My Health My Data; my live-tweeting has more details. There was great testimony supporting the bill from reproductive freedom, gender justice, health care provider and patient, immigrant, and tech perspectives – in fact there was so much support for the bill that Chair Hansen cut off testimony before WA People's Privacy and several grassroots activists with a technology background could testify which was really unfortunate.2 Meanhile industry did as expected: testified OTHER, supported the bill's goals, warned that it would cause the sky to fall, critiqued the bill in the ways I predicted as well as suggesting introducing a get-out-of-jail free card (the "right to cure"),3 removing the "per se" clause4 and allowing some geofencing as long as it wasn't "precise". Next step is a potential executive session on Wednesday February 1 where they will consider amendments and vote on whether to advance the bill.
UPDATE, February 4: CR&J advanced a weakened substitute version of the bill on a party-line vote (although one Democrat said she'd vote against it on the floor unless it were further weakened). A watered-down substitute advances discusses the changes in more detail.
The People's Privacy Act: closer to a hearing than it's ever been
The People's Privacy Act (HB 1616 / SB 5463), introduced by Rep. Shelley Kloba (with bipartisan co-sponsorship) and Sen. Bob Hasegawa, broadens My Health My Data's opt-in consent requirements to other personal data – and covers government agencies as well as the private sector.
In addition, the People's Privacy Act also
- makes it unlawful for companies and government agencies to use people’s personal information to discriminate
- bans facial recognition technology and AI-enabled profiling in any place of public accommodation (e.g., restaurants, hotels, theaters, pharmacies, parks, schools, and stores)
ACLU's Introducing the People’s Privacy Act: Real Privacy Protections for Everyone, from 2021, has more details of the previous version; I haven't looked in any detail yet at this year's version, but from my understanding it's mostly similar.
The tech industry really doesn't want discussion of bills like this – it highlights how weak bills like the Bad WPA are by comparison – and thus far has been successfully using its influence to block discussion. The People's Privacy Act didn't get a hearing in either of the last two years, which is kind of disappointing since it's had broad support from privacy, civil rights, immigrant rights, and civil liberties organizations ever since Rep. Shelley Kloba first introduced it in 2021.
Again, though, it's a more favorable environment in 2023. Since last session, dozens of civil rights, privacy, and public interest groups wrote to Congress and submitted FTC comments about the importance of anti-discrimination protections and privacy as a civil right that align very much with the People's Privacy Act – and it also aligns well with My Health My Data's emphasis on opt-in consent.
So hopefully third time's a charm and the People's Privacy Act will get a hearing this year. If and when that happens, expect tech industry to claim that it will cause the sky to fall and press to weaken it. Amidst the overwrought objections, there may also be some legitimate areas for improvement. Privacy advocates are likely to be supportive, and some may even push to strengthen it – for example introduce a duty of loyalty, or broaden it to include employee protections similar to the recently-introduced Massachusetts Data Privacy and Protection Act.
The Shield Law: "Concerning access to reproductive health care services and gender-affirming treatment in Washington state."
The Shield Law (SB 5489 / HR 1469), introduced by Sen. Yasmin Trudeau and Rep. Drew Hansen, would protect abortion providers, patients, and helpers in Washington state by putting up barriers to out-of-state investigations from states that criminalize providing or accessing abortion or gender-affirming care in Washington state.
Here's how Pro-Choice Washington describes it:
"With the loss of Roe v. Wade, patients from states with abortion bans now rely on states like Washington to provide the care they need. In fact, the Guttmacher Institute estimates that there will be 385% more out-of-state patients expected to seek abortions in Washington than before Roe was overturned. But providers and patients face frightening uncertainty about whether they could be criminalized for seeking or providing legal abortion care in Washington. By passing a shield law, Washington can provide lifesaving refuge to patients and protect the health care workers who provide these vital services.
Legal Voice and ACLU of Washington also support this bill. It had hearings on Tuesday, January 24 at 10:30 am in the Senate Law & Justice Committee and House Civil Rights & Judiciary Committee. Later that week, Senate Law & Justice advanced the original bill without amendments; House Civil Rights & Judiciary advanced a substitute with a fair number of changes.
Automated Decision Systems (ADS) Regulation
Also important from a privacy and tech justice perspective is Sen. Bob Hasegawa's Automated Decision Systems (ADS) Regulation, which establishes minimum standards for fairness, accountability, and transparency in government use of these systems. Tech Equity Coalition groups and other privacy advocates have supported this bill since it was first introduced in 2021; several, including me, worked with agency leads on the state Automated Decision Systems workgroup. In the video above, Washington State Chief Privacy Officer Katy Ruckle and I discuss the recommendations and the current work inventorying state ADS systems.
While state governemnt agencies agreed with the recommendations in the workgroup report, they pushed back on the 2022 version of the ADS bill, arguing that it would put the systems our state government depends on at risk. Sen. Hasegawa's made some revisions, hopefully addressing their concerns. And since the last session, a litany of stories of algorithmic abuses has kept the spotlight on the issue, and the White House Office of Science and Technology Policy's Draft AI Bill of Rights has provided strong recommendations for ADS regulation.
ADS Regulation has been assigned to the Senate Energy, Environment, and Technology committee, unlike last year when it went to State Government. ENET's chaired by Sen. Joe Nguyen, and it's not clear what he thinks of the bill. We'll see how things go.
Bills are supposed to advance through their initial committee by Friday, February 17, so the picture will start to come into focus fairly quickly (although there are ways for bills can stay alive even if they miss deadlines). This session ends on Wednesday April 23, and privacy legislation has gone down to the wire the last four years. It ain't over 'til it's over!
Right now, though, it's not even close to being over – in fact we've only just started. Stay tuned!
- It’s time for Washington to pass strong privacy legislation!
- WA Privacy Legislation Update – February 14 💘
- The situation is … fluid – March 4 (late-night update)
- It ain’t over till it’s over – March 7-10
Op-eds and open letters
- Tech Equity Coalition letter to the Washington state House of Representatives
- Indivisble privacy letter to CRJ committee, January 24
- Support legislation that enacts data privacy, Carollynn Zimmers, Kitsap Sun
- Data privacy bills favor tech companies over people, Naomi Dietrich, Everett Herald
- Tech Companies Want to Write Their Own Rules on Data Privacy. Don’t Let Them, Hillary Hayden and Brianna Auffray, South Seattle Emerald
- Fact Check: WA’s Leadership on Privacy Legislation, Jennifer Lee and Maya Morales
- A Deep Dive into the Affiliates Loophole
Federal privacy legislation
- Washington Indivisible groups' June 13 Letter to Sen. Cantwell and Rep. McMorris Rodgers on federal privacy legislation
- WA People's Privacy founder Maya Morales' Comments at California Privacy Protection Agency board meeting
- Washington Indivisible groups' September 14 Privacy one-pager
- Washington Indivisible groups November 28 letter: Please only advance ADPPA if it is strengthened significantly
- WA People's Privacy-led November 30 letter to Rep. Jayapal and the Progressive Caucus: Please Co-sponsor & Pass the Fourth Amendment Is Not For Sale Act
- WA People’s Privacy-led December 17 letter to Speaker Pelois: Request to block H.R. 8152, ADPPA, from a floor vote unless it is first strengthened in the specific ways enclosed
- Washington privacy advocates letter to the WA Congressional delegation: Thank you for not passing ADPPA this session – and we look forward to working with you on privacy in 2023
- The stakes are high: Washington state privacy, facial recognition, and automated decision making legislation 2021
- European-style data privacy bill returns (Joseph O’Sullivan, Seattle Times), discussing the Senate hearing
- Criticism and praise at the hearing for SB 5062 (the Bad Washington Privacy Act)
- Inside One State’s Fierce Battle Over Online Privacy (Eli Sanders, Wild West)
- Industry-backed digital privacy bill sees head-spinning changes in Washington state (Eli Sanders, GeekWire)
- The Clock Ticks Down on the Bad Washington Privacy Act
- Washington Privacy Act goes 0 for 3, perspectives from lobbyists Jim Halpert of DLA Piper and Samantha Kersul of TechNet
- A Digital Privacy Bill Dies in Washington (Eli Sanders, Wild West)
Op-eds and letters to the editor
- The People’s Privacy Act, not the Washington Privacy Act, is the better bill to protect consumers’ civil rights and civil liberties, Jennifer Lee of ACLU of Washington, Seattle Times
- Real Electronic Data Protection Is Opt In , Brandy Donaghy, Demcast
- The Washington Privacy Act: Insufficient for the immigrant, refugee communities we serve, Derek Lum of Interim CDA in the International Examiner
- Silence is Not Consent by Emilie St. Pierre of Future Ada
- The Bad Washington Privacy Act: An Illusion of Rights And As Cher Would Say, “What a Monet” Deborah Pierce
- The illusion of protection and SB 5062 (the Bad Washington Privacy Act)
- The Washington Privacy Act: Not a model for state privacy law, N. Gregg Brown
- Data Privacy Unlocked, A Conversation with Representative Shelley Kloba of Washington State, a podcast on JD Supra, July 2021
- A bad day for a bad privacy bill, a good day for privacy : the House Civil Rights and Judiciary Committee hearing on the Bad Washington Privacy Act
- Significant progress, although still a ways to go (SB 6280/SB 6281 update)
- Washington Privacy Act fails for second time, with perspectives from Sen Carlyle and Republican Rep. Norma Smith (R-10, long-time privacy champion who retired after the session).
Industry lobbying strategy
- How Big Tech is quietly pushing for watered-down state privacy laws(Benjamin Powers on Grid)
- Tech Industry Groups Are Watering Down Attempts at Privacy Regulation, One State at a Time (Todd Feathers and Alfred Ng on The Markup)
- The Amazon lobbyists who kill U.S. consumer privacy protections(Jeffrey Dastin, Chris Kirkham, Aditya Kalra on Reuters)
- Big Tech Is Pushing States to Pass Privacy Laws, and Yes, You Should Be Suspicious (Todd Feathers on The Markup)
1 although the Bad WPA has been more successful elsewhere – it's the basis for Virginia's, Colorado's, and Connecticut's privacy bills).
2 Just as Chair Hansen did at Civil Rights & Judiciary committee hearing on the Bad Washington Privacy Act two years ago ... hey wait a second, I'm noticing a pattern here!
3 Consmer Reports used the "get-out-of-jail free card" analogy in their 2021 letter, and AG Ferguson has previously described the right-to-cure as "anti-consumer". But industry insists on having this fight every year.
4 They never give up, do they? 2020's A bad day for a bad privacy bill, a good day for privacy includes an excerpt of Andrea Alegrett's testimony on why the Bad Washingtonn Privacy Act's lack of a "per se" clause made it unenforceable. Industry conceded on this in 2021 and that year's version of Bad Washington Privacy Act included a per se clause so it is disappointing that they had their fingers crossed ... although not surprising. Footnote 2 in The elephant and the lame duck: ADPPA after the midterms (a federal privacy legislation update) discusses how the per se issue came up last summer (and will probably come back up again soon) in the proposed American Data Privacy Protection Act.
January 11 . Originally published as "A much more favorable environment," before several of the bills had officially been introduced
January 12-20 typo fixes
January 22-23: Revised as "A much more favorable environment, but a lot of complexity"
January 28: Updated baed on My Health My Data and Shield Law hearings
February 4: Mention that My Health My Data advanced, Add ADS section. I had originally written this when I first published the article but the ADS bill's prospects were so uncertain, that I took it out. Now that the bill's likely to get a hearing, I put it back.