Inside One State's Fierce Battle Over Online Privacy
They decried corporate tech giants and their “non-consensual commodification of our personal information.” They warned that for the third year in a row, a proposed digital privacy act in Washington state remains alarmingly slanted toward the interests of its tech-industry backers. And they pointed to a stark division between themselves and those speaking in favor of the “Washington Privacy Act” during online testimony before the Civil Rights & Judiciary Committee of the Washington State House last week.
“You only need to look at the list of those signed in as ‘pro’ versus ‘con’ to see that tech companies, not people, are in favor of this bill,” said Ashely Del Villar, an advocate for immigrant rights who was one of the critics testifying at the hearing.
Del Villar reminded lawmakers that ICE has been among the purchasers of digital data that’s routinely scooped up, sliced, diced, and re-sold under the dominant model for online life, in which tech companies provide free or cheap digital services and, in exchange, consumers—often unknowingly—give away valuable, potentially compromising details about their personal lives, movements, preferences, and daily habits.
“Who are you accountable to?” Del Villar asked the lawmakers. “Tech companies or people in your district?”
The stakes are high, not just for Washington state but for the entire nation. Federal privacy legislation, which people on all sides of this issue want, has been stalled for years. That means any bill that might pass in Washington state in the coming weeks would inevitably be trotted out as a proposed model during negotiations over federal privacy bills that could move in the new, Democrat-controlled Congress.
Only two other states, California and Virginia, have passed their own comprehensive privacy laws. California’s is broadly seen as more consumer-friendly. Virginia’s is broadly seen as more friendly to tech executives. If and when a federal bill passes it could end up pre-empting all state measures, but until then any state-level policies will be used to shape federal lawmakers’ perceptions about what’s really desired by the public on this complex issue (and what’s truly possible politically).
For example, the national digital privacy baseline proposed by Washington Senator Maria Cantwell, now the chair of the powerful Senate Commerce Committee, gives broader rights to consumers than the current Washington state proposal does. “You have to start saying these aspects of your life belong to you, and you have the right to decide how they’re used,” Cantwell said in 2019 as she introduced her measure, known as COPRA. But if the current Washington state bill passes, Cantwell would likely have her home-state’s law thrown in her face by critics who say her proposed federal law goes too far.
Given these high stakes, emotions are running high, too. State Senator Reuven Carlyle, a Seattle Democrat who’s the prime sponsor of the Washington Privacy Act, said the narrative about this being a fight between ideologically pure consumer-rights activists and malevolent Big Tech powerbrokers is “extremely simplistic” and “intellectually uninteresting.”
“None of these rights exist today,” Carlyle said of the rights his bill grants to Washington state consumers. “It’s easy to kill a bill. It’s hard to pass one,” he continued, adding that if his privacy act is torpedoed for the third year in a row—this time by a coalition of critics that includes the ACLU, the Tech Equity Coalition, and the Electronic Frontier Foundation—then “the end result is that consumers have no rights.”
The new rights Carlyle’s bill creates include the right to see what information a company has collected about you, the right to correct and delete that information, and the right to opt-out of having such data used to target you with advertising as you move around the web.
A major problem with the bill, according to Jennifer Lee, Technology and Liberty Manager at the ACLU of Washington, is that those rights come with “a litany of loopholes and exemptions” that are sewn into many of the bill’s key provisions, “making it difficult for ordinary people to even understand and exercise what limited rights they would have.”
For example, Lee contends the bill’s fine print says people don’t have a right to know the scope of the data that’s being retained about them, making the bill’s right to correct and delete such data far less meaningful.
Lee and other critics also point out that while the bill requires “opt-in” consent from consumers for the processing of “sensitive” data—relating to race, ethnicity, religious beliefs, sexual orientation, genetics, and other delicate topics—it only requires “opt-out” consent for the processing of other types of data. (Meaning the default is that the data would be collected.) This other data, while seemingly innocuous, could still be used to, in Lee’s words, “paint an intimate portrait of our lives.”
“My clients are afraid that data as innocuous as the number of times they open their prayer apps is going to result in increased FBI patrols and government surveillance in their neighborhoods,” testified Brianna Auffray, Legal and Policy Manager for CAIR Washington, raising a far-from-hypothetical scenario, given that the US military was found last year to be purchasing location data gleaned from Muslim prayer apps.
Critics of Carlyle’s bill want mandatory “opt-in” consent for all data collection, and they’re backing their own bill, the “People’s Privacy Act,” to promote this and other digital privacy ideas. Their bill has gained little traction, however, while Carlyle’s passed the state senate this year on a 48-1 vote. Microsoft, based in Washington state, is a major backer of Carlyle’s legislation and its lobbyists have reportedly been pushing the “Washington Privacy Act,” under other names, in a number of other states, too.
Another major point of contention when it comes to Carlyle’s bill is its lack of a so-called “private right of action,” which would allow individual consumers to sue companies that violate their privacy rights. The absence of a “private right of action” strongly differentiates Carlyle’s bill from California’s current law and from Senator Cantwell’s proposed federal law (while aligning it with Virginia’s new digital privacy law, which also lacks a private right of action and was actually modeled on last year’s weaker, failed version of the Carlyle-proposed, Microsoft-supported Washington Privacy Act).
Under the current version of Carlyle’s bill, only the Washington State Attorney General can bring actions against companies that violate the privacy rights of Washingtonians. What does the current state attorney general, Bob Ferguson, think about this?
He wants the provision changed.
“As you all know, the attorney general has always strongly believed there should be a private right of action,” testified Yasmin Trudeau, a representative of the AG’s office, during last week’s hearing. “In short, this is because we believe that everyone should have access to the courts to enforce their rights, including privacy rights.”
Cantwell made a similar point during a 2019 Senate hearing on her bill. “If your privacy rights are violated,” she said, “you need to first find out about it, and then you need to have the power to do something about it as well.”
Carlyle counters that Ferguson, whose office filed more than 80 lawsuits against the Trump administration, should be plenty capable of protecting new digital privacy rights for Washington state residents. Carlyle also sees a certain amount of hypocrisy and hidden motivations among the people campaigning against his bill’s lack of a private right of action.
“I think this bill is so much stronger than people realize,” Carlyle said. “The deeper issue for me is the perception that [the bill’s critics] cultivate—that they’re above special interests, that they’re above having their own interests—and they’re just not.” What are those special, hidden interests? What, exactly, is Carlyle suggesting?
“I’m a Democrat respectfully suggesting that one of the largest donors to the Democratic party, the trial attorneys, might have an interest on their part,” he said. “This is how they make their money… You can’t convince me that the trial lawyers are over there losing sleep about the interests of consumers.”
Also on AG Ferguson’s list of requested changes to Carlyle’s bill: trimming back a provision that would require the AG’s office to first send warning letters to any tech company suspected of violating privacy rights. Those letters would give the companies a 30-day “right to cure” any alleged offense without facing legal action.
“Simply put,” said Trudeau of the AG’s office, “we’re not and should not be in the position of serving warning letters to businesses to make sure that they are aware when they are violating the law.” Trudeau testified that this would eat up “critical staff time and resources” and that any “right to cure” provision, if it’s included, should sunset after one year.
Lee, of the ACLU, testified that offering people rights that allow them to head straight to court, irrespective of what any state AG may or may not be doing, is a basic and obvious good. “If you can’t enforce your rights, are they actually meaningful?” she asked.
In addition, Washington state won’t always have Democrat Bob Ferguson as its attorney general. The last Washington State Attorney general, Rob McKenna, was a Republican who, since leaving office, has become a prominent attorney for Facebook. Given that the AG post is an elected position, there’s no guarantee the next AG won’t come in flush with campaign donations from tech companies hoping for leniency with any digital privacy warning letters or legal actions.
“Giving people a meaningful accountability mechanism is not a radical idea,” Lee testified. “It is the bare minimum to even start disrupting the non-consensual commodification of our personal information.”
Disrupting the current online paradigm, more than governing, is what Carlyle believes his bill’s critics are all about. “The critiques and the problems that people have with the bill are fundamentally with the very construct of the internet,” he said.
Carlyle hastened to say that’s not a value judgment. When I told him a lot of people, including some early internet pioneers, now firmly believe the data-for-services model powering much of the online economy is in dire need of disruption, given the harms it’s created for consumers and democracy itself, Carlyle responded: “I can understand that. But that’s the difference between activism and governing.”
He noted that large tech companies have, in recent years, supplanted Boeing as “the central drivers of our state’s economic success,” suggesting that their current data-for-services model has become inextricably linked with Washington’s fate. He also returned to an earlier theme. “It’s easy to kill a bill,” Carlyle repeated. “It’s hard to pass one.” Especially, he said, when “anything that’s seen as middle ground is, by its very nature, seen as weak and an unnecessary compromise. I just believe in governing and taking incremental steps forward.”
Lee, of the ACLU, disagrees. “We can and should do better than this weak bill,” she told the members of the state house’s Civil Rights & Judiciary Committee. That committee is chaired by Drew Hansen, a Democrat who sponsored the country’s first state-level net neutrality law, earned his law degree from Yale, and now works as an attorney when he’s not at the state capital. Hansen’s committee is scheduled to meet again this Friday to decide whether Carlyle’s bill will move ahead toward a floor vote or, once again, die in the house.
Some of the stories I’ve been reading this week:
• Jacobin weighs in on content moderation — The left is being shortsighted and hypocritical with its support for deplatforming, Ben Burgis writes in the left-of-left magazine. Instead, “We should champion free speech online—and argue that the best way to protect it is with a socialist program that brings privatized social media platforms into public control.”
• Stratechery weighs in on content moderation — The central idea: “Moderation decisions should be based on where you are in the stack.”
• Calls for deplatforming on Substack — “A nascent boycott aims to pressure Substack into deplatforming the alleged offenders,” writes Megan McArdle. “Reportedly, their campaign is having some effect.”
• Substack’s response — Right here: “We will continue to require all writers to abide by Substack’s content guidelines, which guard against harassment and threats. But we will also stick to a hands-off approach to censorship, as laid out in our statement about our content moderation philosophy.”
Questions? Tips? Comments? firstname.lastname@example.org