Psycho-Babble Administration | about the operation of this site | Framed
This thread | Show all | Post follow-up | Start new thread | List of forums | Search | FAQ

Washington Privacy Act

Posted by ert on February 7, 2020, at 4:37:12

Washington Privacy Act welcomed by corporate and nonprofit actors

Posted: February 4, 2020 by David Ruiz

The steady parade of US data privacy legislation continued last month in Washington with the introduction of an improved bill that would grant state residents the rights to access, control, delete, and port their data, as well as opting out of data sales.

The bill, called the Washington Privacy Act, also improves upon its earlier 2019 version, providing stronger safeguards on the use of facial recognition technology. According to some analysts, when compared to its coastal neighbors data privacy lawthe California Consumer Privacy Act, which went into effect this yearthe Washington Privacy Act excels.

Future of Privacy Forum CEO Jules Polonetsky called the bill the most comprehensive state privacy legislation proposed to date.

It includes provisions on data minimization, purpose limitations, privacy risk assessments, anti-discrimination requirements, and limits on automated profiling that other state laws do not, Polonetsky said.

Introduced on January 20 by state Senator Reuven Carlyle, the Washington Privacy Act would create new responsibilities for companies that handle consumer data, including the implementation of data protection processes and the development and posting of privacy policies.

Already, the bill has gained warm reception from corporate and nonprofit actors. Washington-based tech giant Microsoft said it was encouraged, and Consumer Reports welcomed the thrust of the bill, while urging for even more improvements.

This new draft is definitely a step in the right direction toward protecting Washington residents personal data, said Consumer Reports Director of Consumer Privacy and Technology Policy Justin Brookman. We do hope to see further improvements to get rid of inadvertent loopholes that remain in the text.
What the Washington Privacy Act would do

Like the many US data privacy bills introduced in the past 18 months, the Washington Privacy Act approaches the problem of lacking data privacy with two prongsbetter rights for consumers, tighter restrictions for companies.

On the consumer side, the Washington Privacy Act would grant several new rights to Washington residents, including the rights to access, correct, delete, and port their data. Further, consumers would receive the right to opt out of having their personal data used in multiple, potentially invasive ways. Consumers could say no to having their data sold and to having their data used for targeted advertisingthe somewhat inescapable practice that results in advertisements for a pair of shoes, a fetching sweater, or an 4K TV following users around from device to device.

Consumers could exercise their rights with simple requests to the companies that handle their data. According to the bill, these requests would require a response within 45 days. If a company cannot meet that deadline, it can file for an extension, but it is required to notify the consumer about the extension and about why it could not meet the deadline.

Further, unfulfilled requests are not a dead end for consumerscompanies must also offer an appeals process to the consumers whose requests they deny or do not fulfil. Requests must also be responded to free of charge, up to two times a year per consumer.

Perhaps one of the most welcome provisions in the bill is its anti-discrimination rules. Companies cannot, the bill says, treat consumers differently because of their choices to exert their data privacy rights. On the surface, that makes dangerous ideas like pay-for-privacy schemes much harder to enact.

Concerning new business regulations, the Washington Privacy Act separates the types of companies it applies to into two categories: controllers and processors. The two terms, borrowed from the European Unions General Data Protection Regulation (GDPR), have simple meanings. Controllers are the types of entities that actually make the decisions about how consumer data is collected, shared, or used. So, a small business with just one employee who decides to sell data to third parties? Thats a controller. A big company that decides to collect data to send targeted ads? Thats a controller, too.

Processors, on the other hand, are akin to contractors and subcontractors that perform services for controllers. So, a payment processor that simply processes e-commerce transactions and nothing more? Thats a processor.

The Washington Privacy Acts new rules focus predominantly on controllersthe Facebooks, Amazons, Twitters, Googles, Airbnbs, and Oracles of the world.

Controllers would have to post privacy policies that are reasonably accessible, clear, and meaningful, and would include the following information:

The categories of personal data processed by the controller
The purposes for which the categories of personal data are processed
How and where consumers may exercise their rights
The categories of third parties, if any, with whom the controller shares personal data

If controllers sell personal data to third parties, or process it for targeted advertising, the bill requires those controllers to clearly disclose that activity, along with instructions about how consumers can opt out of those activities.

Separately, controllers would need to perform data protection assessments, in which the company looks at, documents, and considers the risks of any personal data processing that involves targeted advertising, sale, and profiling.

The regulation of profiling is new to data privacy bills. Its admirable.

According to the bill, profiling is any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable persons economic situation, health, personal preference, interests, reliability, behavior, location, or movements.

In todays increasingly invasive online advertising economy, profiling is omnipresent. Companies collect data and create profiles of consumers that, yes, may not include an exact name, but still include what are considered vital predictors about that consumers lifestyle and behavior.

These new regulations make the Washington Privacy Act stand out amongst its contemporaries, said Stacey Gray, senior counsel with Future of Privacy Forum.

The big picture of the bill is that includes the same individual rights as the California Consumer Privacy Actof access, sale, et ceteraand then more, Gray said. The right to correct your data, to opt out of targeted advertising, and out of profilingthat is further on the individual rights side.

Gray added that the bills business obligations also go further than those in the CCPA, naming the data risk assessments previously discussed.

The Washington Privacy Act includes several more business obligations, all of which add up to meaningful data protections for consumers. For instance, companies would need to commit to data minimization principles, only collecting consumers personal data that is necessary for expressed purposes. Companies would also need to obtain affirmative, opt-in consent from consumers before processing any sensitive data, which is any data that could reveal race, ethnicity, religion, mental or physical health conditions or diagnoses, sexual orientations, or citizenship and immigration statuses.

But perhaps most intriguing in the Washington Privacy Act is its regulation of facial recognition technology.
Facial recognition provisions

In 2019, Washington state lawmakers crafted a bill aimed at improving the data privacy protections of consumers. They called it the Washington Privacy Act. That original bill, which has now been substituted the 2020 version, included provisions on the commercial use of facial recognition.

On its face, the new rules looked good: Companies that used facial recognition tech for commercial purposes would have to obtain consent from consumers prior to deploying facial recognition services.

Unfortunately, the original bills very next sentence made that consent almost meaningless.

According to that bill, consumer consent could be obtained not by actually asking the consumer about whether they agreed to having their facial data recorded, but instead, by posting a sign on a companys premises.

As the bill stated:

The placement of conspicuous notice in physical premises or online that clearly conveys that facial recognition services are being used constitute a consumers consent to the use of such facial recognition services when that consumer enters those premises or proceeds to use the online services that have such notice, provided that there is a means by which the consumer may exercise choice as to facial recognition services.

The length of the explainer is as broad as the exception it allows.

This loophole upset several privacy rights advocates who, in February 2019, sent a letter to key Washington lawmakers.

[W]hile the bill purportedly requires consumer consent to the use of facial recognition technology, it actually allows companies to substitute notification for seeking consentleaving consumers without a real opportunity to exercise choice or control, the letter said. It was signed by Consumer Reports, Common Sense, Electronic Frontier Foundation, and Privacy Rights Clearinghouse.

The 2020 bill closes this loophole, instead requiring affirmative, opt-in consent for commercial facial recognition use, along with mandatory notificationssuch as signsin spaces that use facial recognition technology. The new bill also requires processors to open up their data-processing tools to outside investigation and testing, in an effort to root out what the bill calls unfair performance differences across distinct subpopulations, such as minorities, disabled individuals, and the elderly.
Moving the Washington Privacy Act forward

Despite the 2019 Washington Privacy Act gaining swift approval in the Senate two months after its January introduction, the bill ultimately failed to reach the House. Multiple factors led to the bills failure, including the bills definitions for certain terms, its approach to enforcement, and its treatment of facial recognition.

Some of those same obstacles could come up for the 2020 bill, Gray said.

If this bill does not pass this year, thats where we might see a source of conflictis either with the facial recognition provisions, or with enforcement, Gray said. For enforcement to take hold, Gray said the Attorney Generals officetasked with regulationwill need increased funding and staffing. Further, there will likely be opposition to the bills lack of private right of action, which means that consumers will not be able to individually file lawsuits against companies that they allege violated the law. This issue has been a sticking point for data privacy legislation for years.

Still, Gray said, the bill shows improvement from its 2019 version, which could help push it forward.

All things aside, Gray said, were more optimistic than last year about it passing.


Share
Tweet  

Thread

 

Post a new follow-up

Your message only Include above post


[1108365]

Notify the administrators

They will then review this post with the posting guidelines in mind.

To contact them about something other than this post, please use this form instead.

 

Start a new thread

 
Google
dr-bob.org www
Search options and examples
[amazon] for
in

This thread | Show all | Post follow-up | Start new thread | FAQ
Psycho-Babble Administration | Framed

poster:ert thread:1108365
URL: http://www.dr-bob.org/babble/admin/20191229/msgs/1108365.html