I want to debunk a few myths about the Washington Privacy Act 3.0 (#SB5062) perpetuated at the hearing yesterday, and to emphasize that the legislation is not only stronger and more sophisticated than the #CCPA, but in many ways also the #CPRA.

(Thread)
#WALeg #WaPA
First, the WPA goes beyond both opt-in and opt-out models. Sec. 107 (6) outright prohibits controllers from processing personal data on the basis of “actual or perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation...”
“...familial status, lawful source of income, or disability” in a manner that unlawfully discriminates in the provision of housing; employment; credit; education; the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation.
Second, the WPA would require opt-in consent for controllers to process sensitive data, including data from children under 13 (Sec. 107 (8)), and to process personal data for unnecessary or incompatible secondary uses (107 (4)).
Third, the definition of “consent” has been strengthened a lot: agreement obtained through “dark patterns” does not constitute consent (“a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice.”)
This would create a higher standard for sensitive data than the California Privacy Rights Act (CPRA), which provides individuals with the right to limit the use and disclosure of sensitive personal information (an opt-out right).
Fourth, the WPA would enable consumers to opt out of the processing of personal data for the purposes of targeted advertising; the sale of personal data; and profiling in furtherance of decisions that produce legal (or similarly significant) effects (Sec. 103(5)).
Finally, the WPA goes beyond outdated notice and choice frameworks which studies have shown do not serve consumers. The bill would incentivize deidentification, require risk assessments, data security standards, use and retention limitations, and safeguard downstream data flows.
The limitations of consent frameworks have been discussed by consumer advocacy organizations such as @publicknowledge. Consent mechanisms place the burden on consumers to figure out what uses of data are beneficial or harmful. How can consent be real, who reads privacy policies?
Consent frameworks assume the existence of a user interface, promote consent bias (which can undermine the rigor of research and more), lead to notice fatigue, & are unworkable for consumers who are unable to weigh the risks and benefits to complex downstream data practices.
You can follow @PrivacyPoll.