Read on Twitter
Happening now! UW's @rcalo, @ACLU_WA's @jennifer_e_lee, @CRAdvocacy's @mxmahoney5, and @futureofprivacy's @staceygraydc talking about privacy. #waleg #RealPrivacy4All
@rcalo talking about the importance of grounding privacy law in morals, and how the line between "PII" and other kinds of info is very fuzzy. Also the importance of redress, including a private right of action. #RealPrivacy4All
"There aren't enough people in the AGs office or in the FTC ... we need to make sure indpendent researchers feel empowered, and internal watchdogs." #RealPrivacy4All
"No solution will be satisfactory unless it addresses the fundamental problem: consumers are outgunned. There's an asymmetry, and we need to reestablish that balance" #RealPrivacy4All
@staceygraydc from @futureofprivacy discussing #SB5062, the Bad Washington Privacy Act. As she points out, it's very similar to the bad pro-corporate privacy acts that failed in #waleg the last two years.
More at https://www.seattletimes.com/opinion/washington-needs-a-privacy-law-that-protects-people-not-corporations/
More at https://www.seattletimes.com/opinion/washington-needs-a-privacy-law-that-protects-people-not-corporations/
Well okay, she didn't actually describe those previous bills as bad. In fact @futureofprivacy supported last year's bad bill. Here's a post I did on last year's so-called Washington Privacy Act. #RealPrivacy4All https://medium.com/a-change-is-coming/a-bad-day-for-a-bad-privacy-bill-a-good-day-for-privacy-a2aeea8e8739
@staceygraydc disussing #SB5062's provisions. Largely opt-out, although as she points out it has strong provisions for affirmative consent on "sensitive data". This ties to @rcalo's point ... what data should get weaker, opt-out, protections? #RealPrivacy4All
@jennifer_e_lee now talking about the People's Privacy Act, which has been driven by the Tech Equity coalition. "The intent of the bill is to empower people -- all people, not just consumers -- to have meaningful rights" #RealPrivacy4All
Highlights some of the differences between People's Privacy Act and the #WPA, including opt-in (for all information) and a private right of action. https://www.seattletimes.com/opinion/washington-needs-a-privacy-law-that-protects-people-not-corporations/
Also emphasizes the differences in how the bills were conceived. Over the last few years community and civil rights orgs have opposed #WPA, and recommended changes that haven't been incorporated.
The People's Privacy Act by contrast started by working with these communities.
The People's Privacy Act by contrast started by working with these communities.
@joejerome asks panelists: "what is the role of consent in privacy protection"?
@mxmahoney5 says consent in #SB5062 needs to be strengthened, "at least to levels of CCPA", but notes that @CRAdvocacy is "disillusioned" with consent frameworks -- too much burden on consumers.
Better, @mxmahoney5 suggests, is to put restrictions on what data companies can collect.
@joejerome notes that #SB5062 has some data minimization provisions. Is that enough? #RealPrivacy4All
@joejerome notes that #SB5062 has some data minimization provisions. Is that enough? #RealPrivacy4All
@rcalo notes that there are a lot of tools. Data minimization reduces damage for security leaks; notice and consent are appropriate in other situations. "If it's just those things, you haven't addressed the full problem." But they're important tools! #RealPrivacy4WA
@mxmahoney5 describes existing data minimization in #SB5062 as a good first step, but it's very limited. There's stronger language in the contract tracing section, a good additional step, would like to see it a bit stronger.
@joejerome reads it the same way. #waleg
@joejerome reads it the same way. #waleg
@joejerome notes that there's a range of legislation. Indeed! I discuss this in http://jedii.tech/wa-privacy-legislation-2021/
@jennifer_e_lee notes that you need accountability for consent to be meaningful. Opt-in puts the burden on companies to disclose and persuade. Suggests the WPA assumes consumers consent to risks they don't understand. #RealPrivacy4All
@staceygraydc agrees that accountability is needed. Suggests that opt-in works in situations where there's an opportunity for person to be informed - as @rcalo points out, that's tricky. Also tricky when you're in a public space. #RealPrivacy4All
@staceygraydc suggests that the opt-in for sensitive data would apply to facial recognition. How to get opt-in there? #RealPrivacy4All
Suggests that opt-in won't work in web situations -- creates "notice fatigue". Also where it doesn't involve a consumer transaction; for example, an autonomous vehicle sweeping in images of people on the street. Can't get consent from pedestrians. #RealPrivacy4All
In those situations, you have to rely on other tools. In Europe, having a legitimate interest - requires complex balancing of value of data processing against invasiveness. Unfortunately (in her view) haven't seen similar approaches in the US. #RealPrivacy4All
@rcalo agrees autonomous vehicles. In his own work, he focuses on techniques companies use to manipulate consumers. "I tend to think we should have really strong remedies in those situations" - dark patterns, using data about you to manipulate pricing. #RealPrivacy4All
oops, i mean @rcalo agrees autonomous vehicles are interesting
@jennifer_e_lee focuses on loopholes in #WPA. one of the memorable moments of last week's was when Susan Grant of @ConsumerFed described the loopholes as "neutering" the protections the bill claims to offer. #RealPrivacy4All
@jennifer_e_lee gives a few examples, including language that makes it easy for controllers to deny correction. And Section 110 says that controllers aren't liable for violations if the recipients abuse information they share unless there's "actual knowledge" - a high bar
@mxmahoney5 notes that in California, many companies are using loopholes to avoid opt-out requirements. #WPA does take some additional steps, but language still needs to be clearer. #RealPrivacy4WA
@joejerome focuses on kids and teens privacy. @Parents4Privacy has a good post " #SB5062 does not go far enough to protect consumers or students" that covers some of #WPA's weaknesses here https://studentprivacymatters.org/washington-privacy-act-sb5062-does-not-go-far-enough-to-protect-consumers-or-students/
@joejerome notes that loyalty cards came up several times in last week's hearing. @mxmahoney5 notes that CCPA ias weak here, agrees that consumers are used to tracking their purchases, but concerned about companies selling this data. Thinks that #WPA strikes the right balance.
@joejerome notes the importance of enforcement - this is what sank bill last year.
@jennifer_e_lee: giving the AGO sole enforcement ability just isn't enough. "If there isn't a strong enforcement mechanism, any rights in the bill aren't meaningful." Notes that in #WPA weak enforcement is coupled with loopholes. #RealPrivacy4All
As @jennifer_e_lee points out many Tech Equity Coalition orgs have sent strong feedback on this over the last few years - including @jaclseattle, @cair_wa, and @IndiPlusWA - that's been ignored. #RealPrivacy4All
@staceygraydc notes that it's not a binary yes/no question "is there a private right of action?" There are a lot of options. @joejerome agrees. If I recall correctly, Joe had a very thoughtful post on this last year, I'll try to find the link. #RealPrivacy4All
@mxmahoney5 notes that even with AG enforcement, the "right to cure" is problematic. With the CCPA (which has a right to cure), it's incentivized companies not to follow the law until it's tracked down. And would also like to see some form private right of action!
@joejerome asks whether any of this meaningfully addresses the larger ethical concerns around big tech companies.
@rcalo: evening the playing field helps. "but it's gotta be strong enough! we'll be back here again if it's not!"
@rcalo: evening the playing field helps. "but it's gotta be strong enough! we'll be back here again if it's not!"
@staceygraydc returns to the right to cure. Thinks it's useful: AG in CA sent out swathes of mail to encourage companies to fix small things (opt-out notice, etc.)
@staceygraydc thinks #WPA is a great start. "There's a lot to like in the bill. It's strong." Things that are happening now would be addressed - IoT devices without security, selling geolocation data from mobile apps.
@mxmahoney5 suggests several tools from CCPA should be pulled in to #WPA. (Sorry I missed the details)
@jennifer_e_lee closes. Passing a law that's not strong enough makes people more vulnerable. "We'll continue to advocate for a really strong privacy law, a law that's supprted by historically-marginalized communities that bear the brunt of these harms." #RealPrivacy4All
A good example of this: @staceygraydc suggested that #WPA would limit harms from sharing of geolcation data from mobile apps. Here's what @BAuffrayEsq of @CAIR_wa had to say about that at last week's #SB5062 hearing. https://twitter.com/cair_wa/status/1349810751100207104
And with that, the panel wraps up. That was excellent! Thanks to all the panelists, the moderator, and to @CommonSense for hosting! #RealPrivacy4All
