What Lawmakers Need to Know About Protecting Privacy

In the absence of a strong national privacy law, state houses across the United States have seen a flurry of bills that aim to provide new online and offline privacy rights to residents, better data security, and limitations on how businesses share and sell sensitive information about us. Lawmakers in blue states, red states, and purple states have introduced important privacy bills. 

Common Sense has sponsored and supported a number of these efforts, including comprehensive privacy laws like the California Consumer Privacy Act and the California Privacy Rights Act. Common Sense has offered a number of recommendations to state lawmakers about how to draft strong privacy protections. Common Sense's advocacy efforts have focused on ensuring that state privacy legislation includes extra protections for families and young people, avoids tricky and confusing loopholes, and contains real enforcement teeth.

Last month, Common Sense hosted a virtual briefing for lawmakers in Washington State on the nuts and bolts of privacy law. Besides California, Washington has seen the most activity around privacy legislation. A proposal known as the Washington Privacy Act has been introduced for three years running, and the state's ACLU affiliate also has spearheaded its own proposal. 

During the briefing, Professor Ryan Calo from the University of Washington School of Law provided a foundation for the current interest in privacy. The core function of any privacy law, he said, is "to address the vast asymmetries of information and power that exist between corporations and individuals consumers." 

He encouraged lawmakers to carefully consider how to ensure that information, no matter how sensitive it may be perceived, is protected against actual -- or perceived -- misuse by companies.

"Sensitive data is a category of data that's particularly sensitive, but the truth of the matter is that we're moving into a world where computers and AI are increasingly able to derive the intimate from the available," he said, noting that consumers can be harmed even if companies do not know specifically who a person is by their data. 

We also heard from other privacy organizations that have been active in Washington, including:

• ACLU of Washington

• Consumer Reports

• Future of Privacy Forum (FPF)

FPF's Stacey Gray, who monitors privacy legislative trends, provided an overview of the Washington Privacy Act and encouraged lawmakers to think about privacy legislation in terms of both the consumer rights it can enshrine and the obligations placed on companies. 

All of the panelists touched on the debates and disputes about the effectiveness of relying on consumers' consent to protect privacy. Lawmakers are frequently confronted with bills that address consent by requiring individuals to opt in to certain types of data collection and use, while industry voices tend to support proposals that focus on letting individuals opt out of marketing. Gray noted that opt-in consent works best "where it effectively bans something from happening because it's impossible to get consent," highlighting the practical challenges a business would face in getting individuals to affirmatively consent to facial recognition surveillance in public places. 

On the other hand, opt-outs are especially problematic when individuals have to jump through hoops to take advantage of them. Consumer Reports' Maureen Mahoney discussed some of the challenges Californians have faced in exercising their privacy rights under the CCPA. Mahoney recently published a detailed report showing some of the ways companies have not lived up to their obligations under that law. 

Finally, Jennifer Lee from the ACLU of Washington promoted an alternative piece of legislation dubbed the People's Privacy Act. That bipartisan bill awaits a hearing in the Washington House, but it diverges from the Washington Privacy Act most significantly by permitting individuals, rather than exclusively Washington's attorney general, to sue for violations. 

How privacy laws are enforced has proven tremendously controversial, and the panelists each touched on their views of what strong and meaningful enforcement means. The simple truth is that a privacy law is only as strong as how it is enforced. The tech industry is vast, well-resourced, and complex, and privacy violations can go unchecked because law enforcement lacks the resources and money to investigate problems. Remote learning and the pandemic have made kids and families more dependent on technology than ever, and state regulators are stretched even thinner. 

SB 5062 and HB 1433 are currently under consideration by lawmakers in Olympia, Washington, and similar efforts are popping up across the country. Common Sense will continue to work with lawmakers to improve these bills.