Wash. Privacy Bill Reviews Mixed; Del. Panel Backs a Registry
A proposed Washington state data privacy commission got some support at a House Judiciary Committee hearing Tuesday. The panel heard testimony on a comprehensive privacy bill before a possible vote at a Friday meeting. The question of enforcement continued to divide witnesses Tuesday. In Delaware, a House panel unanimously cleared a data broker bill based on Vermont’s law.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
“Technology has become a utility that deserves our full attention, regulation and consumer protections,” so HB-1850 would create a state agency with rulemaking and enforcement authority, said sponsor Rep. Vandana Slatter (D). The bill offers “an absolute baseline for privacy rights,” said co-sponsor Rep. April Berg (D).
HB-1850 would provide enforcement through the proposed commission, the attorney general office and a limited private right of action (PRA). The commission would hold hearings on violations and decide to order violators to cease and desist, with up to a $2,500 penalty per violation or $7,500 per intentional violation. Companies would get a 30-day right to cure violations raised by the AG or private suits.
Clarify that the commission’s existence wouldn’t limit AG ability to enforce privacy, said Andrea Alegrett, assistant attorney general, Consumer Protection Division. HB-1850’s limited PRA is good, but a full PRA would be better, she said: “We urge the committee not to weaken the enforcement provisions.”
The commission is "a promising structure worth further consideration," said Washington Technology Industry Association Vice President-Public Policy Molly Jones: But three types of enforcement are too much, and including a PRA could lead to a flood of lawsuits. TechNet Vice President-State Policy David Edmonson raised similar concerns. They and other business groups noted their support for a 2021 Senate privacy bill by Sen. Reuven Carlyle (D) that formed a basis for HB-1850.
Opinions Mixed
HB-1850’s limits on the PRA will reduce inappropriate lawsuits, disagreed Washington State Association for Justice Director-Government Affairs Larry Shannon and Keller Rohrback trial lawyer Ian Birk.
Consumer Reports supports Slatter’s bill, said Senior Policy Analyst Maureen Mahoney: Setting up a state commission would expand enforcement resources and keep privacy protections up to date through rulemakings. But the American Civil Liberties Union thinks HB-1850’s opt-out structure, right to cure and exemptions would keep the status quo, said Jennifer Lee, ACLU-Washington technology and liberty project manager. ACLU prefers HB-1433, which is opt-in and doesn’t limit the PRA, she said.
The committee hasn’t scheduled a hearing on HB-1433 by Rep. Shelley Kloba (D). Chair Drew Hansen (D) hasn’t told the author it will be heard, Kloba said in a Monday interview. At “bare minimum, the concepts in it [will] become a part of the conversation,” she said. Kloba is developing amendments to HB-1433, including a change based on Brazil’s privacy law that would apply privacy rules to businesses of all sizes. “Thresholds are contrary to how we do privacy” in federal laws like the Health Insurance Portability and Accountability Act, she said.
With a short, 60-day session and many bills proposed this year, it could again be challenging to pass a Washington state privacy bill, Kloba said. She won’t back down on including a PRA, which the Senate opposed, though she said she's open to adding some “reasonable protections so that companies don’t feel like … this is going to be open season on suing companies for privacy violations.”
Kloba sees “some good things” in Slatter’s bill, including the data privacy commission, but still has enforcement questions, she said. On Carlyle’s new privacy bill (SB-5813), Kloba said she finds it “curious” that the bill limits opt-in to minors. “I’m not sure why that is the condition only for children. I think that we all deserve that kind of privacy.” Carlyle’s earlier, more comprehensive bill “lost ground” last year, asserted Kloba: SB-5062 didn’t get a House vote in 2021 after earlier iterations made it to the floor in two previous years.
A Senate committee last week heard much opposition to Carlyle’s narrower 2022 bill (see 2201200067). The senator won’t seek reelection this year, Democrats said Monday.
Delaware Bill Advances
Delaware consumers want “to know who is selling and making money off their personal data,” said House Technology and Telecommunications Committee Chair Krista Griffith (D). She sponsored data broker transparency bill HB-262.
The committee voted 8-0 at a virtual hearing Tuesday to pave the way for a floor vote. HB-262 would require companies that collect and sell information of more than 500 Delawareans to register and fill out a questionnaire with the state's DOJ, which then would share information with consumers on a website. Griffith said she isn’t “in a rush” to vote on the floor and will continue to hear comments over the February break.
The “disclosure-focused” bill will advance consumer trust and transparency, and won’t add to a state privacy law patchwork, Delaware DOJ Fraud and Consumer Protection Division Director Owen Lefkon told the committee. It expands on Vermont’s 2018 law establishing a state data broker registry by including companies that directly interface with consumers in addition to third parties.
Delaware’s bill improves on Vermont’s law by requiring a user-friendly website and asking companies more specific questions, said Vermont Assistant Attorney General Ryan Kriger. “Sunshine” is better than a “heavy-handed mandate” and can shift businesses’ behaviors, he said.
Rep. Bryan Shupe (R) disagreed that people already know businesses collect information and understand how to opt out. Rep. Kendra Johnson (D) agreed: "So many people do not understand nor do they know how to opt out."
Rep. Paul Baumbach (D) asked why the bill has no exemptions. Griffith said she didn’t want to “water down” the plan but said it wouldn’t apply to companies restricted from selling data under other laws, and she's open to further changes: “It’s not my intent to make anything onerous or duplicate regulations.” Baumbach asked why the legislation allows private suits. Griffith said she plans to discuss that more to find balance. Baumbach supported the proposal overall despite those concerns: “I like the sunshine that this brings.”
Industry witnesses raised concerns about the PRA and sought exemptions for companies covered by federal laws like HIPAA. TechNet fears the bill “could result in significant unintended consequences” and that “pro-consumer transactions will be wrapped up in this,” said Executive Director-Northeast Christopher Gilrein: The group has concerns with the proposed law covering first-party data relationships and including a PRA.