Washington state legislators will push for new regulations governing data privacy and facial recognition next year, and a draft bill obtained by GeekWire provides a glimpse into what they have in store.
The new legislation builds on a bill that passed the Senate before dying in the House last session. The bill’s sponsors say they are taking lessons from that experience, though several of the sticking points that contributed to the last bill’s demise remain.
In their second attempt, Washington Democrats hope to give consumers new rights to ownership over their data, establish new transparency requirements for companies that process consumer data, and implement new safeguards for facial recognition technology.
“The guiding principles are very similar but I made a real effort to listen to some of the concerns about the need for tighter definitions, the need for clearer lines around enforcement,” said Sen. Reuven Carlyle, the bill’s sponsor. He said the new version more clearly “articulates the fundamental right of consumers to access their data, to correct their data, to delete their data.”
If the bill is enacted, Washington will follow California and the European Union, both of which have established their own privacy regulations. Washington would be a pioneer in regulating facial recognition, as the controversial technology is not explicitly covered by California or the EU’s laws. As home to two of the most powerful technology companies in the world, Amazon and Microsoft, Washington’s new regulations could have implications that extend far beyond the state’s borders.
Here’s a rundown of some of the key provisions in the draft bill:
- Consumers have the right to access, delete, correct, and move their data.
- Consumers can opt-out of data collection.
- Companies that control consumer data must be transparent about the information’s use, minimize its collection, and specify the purpose for collecting it.
- Companies that control consumer data must conduct regular risk assessments.
- State and local government agencies are prohibited from using facial recognition for ongoing surveillance without a warrant or threat of imminent danger.
- Companies that make facial recognition software must allow third-party testing for accuracy and bias.
- Institutions using facial recognition in public spaces must obtain consent.
- Government agencies in the state that want to use facial recognition must publish accountability reports and establish data management policies.
- The governor’s office can create a task force to report on potential abuses and threats of facial recognition technology.
- The attorney general has the authority to sue companies that violate this bill but individual consumers do not.
Microsoft was a key player in the effort to enact privacy regulations in Washington state last session. The Redmond, Wash., software giant is a vocal advocate for data privacy laws and facial recognition in Washington and beyond. Microsoft said this month that it will make changes required by California’s new data privacy law available to all its U.S. customers.
Amazon is coming around to the idea. In September Amazon CEO Jeff Bezos said the company’s public policy team is working on a set of proposed regulations for facial recognition technology. It’s a shift from 2018, when Amazon attorney Andrew DeVore warned U.S. senators about the risks of onerous privacy regulations during a public hearing.
Both Microsoft and Amazon develop facial recognition technology and handle an enormous amount of consumer data. The regulations outlined in Carlyle’s draft bill would apply to both companies, and any other business that controls or processes personal data of 100,000 consumers or more.
The rules apply to companies located in Washington and companies that target services to Washington customers. Businesses that derive more than 50 percent of their revenue from the sale or processing of personal data are also subject to the regulations, even if they have fewer than 100,000 customers.
One point of contention during the debate over last session’s bill has to do with what’s called the “private right of action.” That’s the ability for individual consumers to sue companies that violate the rules outlined in the bill. That right was not included in the original bill last session and it’s not in the new draft either. If enacted, only Washington’s attorney general could sue companies for violating the law, with some exceptions.
“A blanket private right of action, when it comes to technology, is a slippery slope,” said Sen. Joe Nguyen, a co-sponsor of the bill who also works full-time for Microsoft. “That’s why they have it under the AG’s office.”
Nguyen said that giving individuals the authority to sue over privacy violations would be too burdensome for smaller companies without the resources to field those legal challenges. As a senior program manager at Microsoft, Nguyen is in a unique position. He’s helping to craft what could become Washington’s new data privacy laws and he helped a major tech company implement the European Union’s new rules, known as the General Data Protection Regulation.
“It was a year-long process, completely engaged the engineering team, and the cost associated with it was astronomical, relatively speaking,” Nguyen said. “In order to put some of these things in place is not easy.”
Nguyen also plans to spin out the facial recognition regulations as a separate bill in an effort to ensure they move forward, even if the privacy bill stalls.
“I’m very passionate about making sure something for facial recognition is in place, because I believe it is impacting communities right now, and I don’t want it to be caught up in any potential political fight,” Nguyen said.
A data governance workgroup in Portland last week unveiled a draft ordinance prohibiting city government agencies from acquiring or employing facial recognition technology. A companion ban on privately owned use of the technology in public spaces also is in the works.
Carlyle and Nguyen are quietly soliciting feedback on the draft bill before formally introducing it. Washington’s new legislative session begins Jan. 14.