Grassroots activism makes a difference, and other reflections on the fight for strong privacy legislation in Washington state - DRAFT

Draft! Feedback Welcome!
Please do not forward broadly yet!

When will Washington finally pass privacy legislation?     This session: 0%.  2022 session: 70%.  2022, by initiative: 20%.  Never: 10%.
Twitter poll, April 22 (a few days before the end of the 2021 session)

For the third year in a row, Washington state legislators rejected a weak industry-backed privacy bill that would have allowed predatory and exploitative behavior with no real consequences.   It's a huge victory for the immigrant rights, civil rights, racial justice groups and grassroots activists who worked together to convince Republican and progressive Democratic legislators not to settle for the illusion of privacy.  

The Tech Equity Coalition (the group of civil liberties and civil rights-focused organizations and individuals that helped lead the resistance) backed a different bill.  The People's Privacy Act, introduced by Rep. Shelley Kloba introduced  with bi-partisan co-sponsorship, defined the terms of the 2021 debate even though it didn't get a hearing.   With time in the interim to refine it and build on the momentum, 2022 offers the best chance yet for passing strong privacy legislation in Washington state.

There's a lot to learn from this year's battle – and much of it potentially also applies to legislation in other states and federally.  One of the distinctive aspects of the Washington state battle over the last few years has been the role of grassroots activists, and I've had a unique perspective as a leader of Indivisible Plus Washington (one of the dozens of progressive activism groups who got involved) and member of the Tech Equity Coalition.  

So here's a few reflections on what just happened, along with thoughts about what next.  

The People's Privacy Act

"We need a strong data privacy law that puts people in charge of their data — not one that hamstrings people’s ability to enforce their rights."

-- Aneelah Afzali of MAPS-AMEN, Jennifer Lee of ACLU of Washington, and me in Washington needs a privacy law that protects people, not corporations December 2020

The 2021 Washington Privacy battle was a follow-on to the 2020 battle.  In 2020,
the Senate passed a weak, industry-backed bill overwhelmingly but momentum shifted after a dramatic House ITED committee hearing featuring testimony from Tech Equity Coalition members and grassroots activists.  After an excellent floor debate the House advanced a much stronger version with the intent of further improving it.  But the Senate refused to compromise, and nothing passed.

In an attempt to change the dynamics, the Tech Equity Coalition and ACLU of Washington had spent months between sessions working with people from the communities that are most harmed by data abuse to develop the People's Privacy Act.  The People’s Privacy Act gives people meaningful control over our personal information by:

  • Prohibiting companies from using, selling, or sharing data without affirmative “opt-in” consent
  • Empowering people to take companies to court if they violate people's data rights
  • Ensuring that any legislation that passes does not restrict local jurisdictions from advancing stronger privacy laws where needed
  • Banning facial recognition technology and AI-enabled profiling in any place of public accommodation (e.g., restaurants, hotels, theaters, pharmacies, parks, schools, and stores).

Rep. Shelley Kloba introduced  the People's Privacy Act in late January with 11 co-sponsors, an interesting mix of progressive Democrats and right-wing Republicans that really highlghts how privacy cuts across party lines.  

As tech lobbyists Jim Halpert of DLA Piper and Samantha Kersul of TechNet point out in Washington Privacy Act goes 0 for 3

"The influence this effort had on many progressive members of the House Democratic Caucus cannot be overstated, as those votes were critically absent when the WPA moved to the House of Representatives."

WPA is short for the "Washington Privacy Act", the industry-backed privacy bill officially known as SB 5062 that we opposed.   The People's Privacy Act was a lens to spotlight how weaknesses in the other privacy bill being considered, SB 5062, put Washingtonians at risk.  

For example, here's Ashley Del Villar of La Resistencia testifying about how SB 5062 leaves immigrants vulnerable to data exploitation – and how the People's Privacy Act provides stronger protection to immigrant communities.

"This bill leaves immigrants vulnerable to data exploitation": Ashley Villar of La Resistencia testifying at the March Civil Rights & Judiciary hearing

The Bad Washington Privacy Act is Bad

But the People's Privacy Act never got a hearing, so SB 5062 was the only game in town.  SB 5062 was much the same as the bill the weak bill the Senate had passed (and the House had rejected) in 2020, with a few improvements but also a few steps in the wrong direction.  SB 5062's official name is "Concerning the management, oversight, and use of data".  I usually referred to it as "the Bad Washington Privacy Act."  

SB 5062's supporters, unsurprisingly, didn't see it as bad.  They described it as "the most well-worked and well-negotiated privacy bill in the country," and claimed it provided "unambiguous rights" and "the strongest protections for consumers in the United States”; and "balanced" consumer interests with the need for a "predictable" business environment.

Of course they had similar things the last two years, when the Senate passed even worse versions of the Bad Washington Privacy Act just as overwhelmingly.  The 2020 version, for example, was literally unenforceable (it did not give the Attorney General authority to enforce it, and didn't allow anybody but the AG to enforce it), and lobbyists still talked about its "strong enforcement".  

So take what they with a grain of salt.   The Bad Washington Privacy Act is bad.

Civil rights, immigrant rights and civil liberties groups were withering in our criticisms.  So were grassroots activists.   In testimony, op-eds, letters to legislators, and blog posts we talked about how the "rights" and "protections" the Bad Washington Privacy Act claims to give are illusions.  For example, here's Susan Grant of Consumer Federation of America, talking about the loopholes and definitional problems that neuter the protections the Bad Washington Privacy Act claims to provide.

And that's just the tip of the iceberg.  For example

  • Steph Hager (a former Microsoft employee and a parent), and Cheri Kesiecker of Parent Coalition on Student Privacy focused on how SB 5062 wouldn't protect students, who often have no choice about sharing their data.  
  • Brianna Auffray of CAIR Washington described why SB 5062 wouldn't protect American Muslims from non-consensual data sharing (a topic I discuss in more detail in The Illusion of Protection).
  • Privacy compliance expert (and former Microsoft employee) Gregg Brown testified that the bill was unfair to Washingtonians.  In a followup to an excellent question on the one thing he'd change in the bill, he focused on the defintions whose nuances undercut what looks like strong protections.
  • Yasmin Trudeau of the Attorney General's Office discussed the need for a private right of action to complement AG enforcement, and critiqued the "right to cure" clause of the bill, which she described as a drain on resources.  
  • In my Ways & Means testimony, I criticized the paltry $700,000/year budget for enforcement, only enough for 3.6 full-time equivalent employees (FTEs) and three investigations per year. Contrast this with Ireland, whose data protection commission has a $23 million annual budget despite having a population smaller than Washington state.
  • Independent security expert Cynthia Spiess highlighted how the Bad Washington Privacy Act's opt-out approach harms people with accessibility challenges or limited English skills.

One of my biggest takeaways from the 2021 battle was how broadly the criticisms of the Bad Washington Privacy Act's mostly-opt-out model resonated.  It's easy for people to understand the problems that can come up when lets companies can use data without your permission unless you tell them no.   As Dr. Carollynn Zimmers of North Kitsap Indivisible says, opt-out is like Google, Amazon, and Facebook being allowed to walk into your house and rummage around in your drawers without being invited in.

By contrast, the idea that companies should need your permission to share or sell your data, or use your data to target ads, is overwhelmingly popular – the unpublished polls I've seen have it at 80% or more.   That makes it attractive to legislators of both parties.   And when activists highlight the ways opt-out fails to protect immigrants, survivors, seniors, people with limited English skills, and disabled people ... it can be especially difficult for progressive legislators to defend voting for something that's opt-out.

Unsurprisingly, though, most of the tech industry has long been fiercely resistant to the idea that they need to get permission from people before exploiting people's data.   From they're perspective, "consent is important, but ..."   So the Bad Washington Privacy Act is mostly "opt-out" – companies can share or sell your data, and use it to target ads at you.   It does have a limited "opt-in for sensitive data" clause, but in practice even that doesn't provide much protection.  As Brandy Donaghy of Indivisible Plus Washington points out in Real Electronic Data Protection Is Opt In

"One of the major values that data collection provides is the ability to build an accurate picture of a user outside of what we might consider to be typical demographic information. For example, the cosmetics I purchase in a specific color family are enough to tell you that I am a Black woman, and hair care information I access would indicate that I wear my hair in a natural style. But these details aren’t commonly considered sensitive personal information and so they don’t get opt-in protection by the current iteration of the bill."

Here's Emilie St. Pierre of Future Ada discussing how the Bad Washington Privacy Act's opt-out approach fails to protect survivors of stalking, harassment, and domestic violence.

Emilie St. Pierre of Future Ada: "Opt-out doesn't protect survivors"

Grassroots activism makes a difference

"The authors of this commentary met last year. The Senate had passed the even more deceptive Washington Privacy Act 47-1. One of us was a Republican state legislator on the House committee who’s job it was to try and fix the bad bill. The others were grass-roots activists with Indivisible, a progressive coalition. We disagree about a lot of issues, but this issue brings together ordinary folks across the political spectrum; after all, it’s our data and our rights at the heart of this debate."

– Former Republican state legislator Norma Smith, indivisible activists Linda, and me in We need a data privacy law; but Senate bill isn’t it

Grassroots activists across the state once again made a big difference in the Washington privacy state battle this year – the Tech Equity Coalition, or progressives groups like Code Blue Washington, DemCast and the network of Indivisible groups across the state.  Many of these activists have a lot of practice contacting their legislators.  And many have relationships with legislators, and networks they can share action items with, so they have a lot of impact.

Activists phoned, emailed, and meeting with legislators.  Groups signed on to letters the Tech Equity Coalition sent legislators, and sent letters of their own. Indivisible groups shared recommendations for committee votes and potential floor amendments with their legislators.  The broad involvement across the state with these very complementary networks meant that legislators were getting a lot feedback from their constituents.

Indivisible groups' overall message to legislators was "fix it or nix it": either address the Bad Washington Privacy Act's problems, or vote no.  

Take Action Today.  Fix it or nix it.  Bad Washington Privacy Act.  Tell your state reps.

The Tech Equity Coalition focused on four key improvements to fix the Bad Washington Privacy Act: making the bill fully opt in; adding a private right of action allowing people to sue companies who break the law; allowing cities and counties to pass stronger laws; and cleaning up the many many loopholes and exceptions.  There were two different possible routes to fixing it:

  • introducing the People's Privacy Act as a "striker" (a striking amendment, completely replacing the text of the bill)
  • or amending the current bill's text to strengthen it.  

Quite a few grassroots activists signed up to testify at the House Civil Rights and Judiciary (CR&J) Committee hearing.  Unfortunately, so many people had signed up to speak against the Bad Washington Privacy Act that public comments before we had a chance to speak.  So we submitted written testimony instead.  Here's some excerpts (quoted with permission).

"I’m old, and like many people in my age group, have a limited understanding of the internet, technology and even the vocabulary associated with it....  Although many other populations vulnerable, seniors are most frequently targeted for scams.  As constituents we look to our elected officials to legislate on our behalf.  So why does it feel like this legislation is actually making it legal for industries to harvest our data at will, sell it without telling or paying us and any legal recourse seems unlikely?"   – Christine Kohnert, Indivsible Skagit
"Minority communities like ours are the ones most negatively harmed by intrusive data collection.  Most people do not have the time to opt out in all of the services they use.  Personally, I have spent hours hunting through my app and account settings trying to opt out of data collection. As a student, I have better things to do." – Hamza Eqbal, Coalition of Seattle Indian Americans
"Small Businesses will not be unduly harmed by stronger privacy with Opt in. We nave managed with OPT IN. We currently have DOUBLE opt in for email lists for email marketing, and email is still by far the best tool that small business marketers have. " - Katherine Cleland, Small Business Advisor

This feedback was a powerful complement to the advocacy work Tech Equity Coalition members were doing.   One thing I really want to highlight, though, is that as well as speaking from our own perspectives, the progressive activists who got involved followed the lead and amplified the perspectives of the communities who are most impacted by surveillance and data abuse.   The four areas we focused on aligned with the Tech Equity Coalition's priorities, and we consistenly highlighted the importance of taking an equity lens.

Here's Brianna Auffray of CAIR Washington discussing how the Bad Washington Privacy Act doesn't protect American Muslims from non-consensual data sharing (a topic I went into more detail on in The Illusion of Protection) – but the People's Privacy Act does.

Watching sausage getting made

A picture of a woman speaking.  "Please pass SB 5062" -- Big Tech lobbyist on March 12, 201.  "We urge you to oppose SB 5062."  - Same Big Tech Lobbyist on April 1, 2021
Samantha Kersul of Technet, testifying at hearings on the Bad Washington Privacy Act. Image from For It, Now Against It, by Eli Sanders

The CR&J committee advanceed the bill with some minor improvements on a party-line vote.  At a rocky House Appropriations hearing, over a hundred people signed in opposing it, with only two in favor.  Tech Equity Coalition groups opposed it because it didn't really fix any of the four problem areas we had focused on.  Some tech lobbyists also opposed it for a different reason: even the relatively-minor improvements it offered would also cause the sky to fall.   Nevertheless Appropriations advanced SB 5062 without making any improvements, again on a straight party-line vote and the bill moved ahead.  

With the April 11 "session cutoff" looming, things got hectic.  Rep. Kloba introduced a series of amendments, strong enough that Tech Equity Coalition and Indivisibles supported them (while noting that there was still room for improvement).  Over 20 other amendments were filed.  Tech lobbyists pressed for a return to the Senate bill.   Activists kept the pressure on here, with the "fix it" suggestion now more specific: support the Kloba amendment.  

But after ten days of wrangling, none of the proposals got enough support. The House adjourned on April 11 without acting on the Bad Washington Privacy Act.   As Indivisible Plus Washington said in our update afterwards

We asked the House to fix to nix it. They gave a good try at fixing it — Rep. Kloba’s amendment had support from civil rights, immigrant rights, and civil liberties groups. Instead, they wound up listening to us nixing it. Good for them — and yay us!

It's not over until it's over

What part of NO don't you understand?

But it wasn't over yeat! The Bad Washington Privacy Act got classified as NTIB (necessary to implement budget), meaning that the session cutoff didn't apply. So "negotiations" and sausage-making went on for another two weeks.  We continued to advocate for the Kloba amendments, and meaningful privacy protection.  A draft of an even weaker "compromise compromise" striker circulated.  Big tech lobbyists cranked up the pressure.   There were rumors of threats to block funding for eviction protections and homelessness prevention to get the privacy bill passed.   Once again, though, progressive Democrats held the line, and so did Republicans.

The session ended on April 25 and for the third year in a row, Sen. Carlyle's Bad Washington Privacy Act did not pass.

Looking forward

ad privacy bills from @Reuvencarlyle  failed in 2019 and 2020.    When will Washington finally pass privacy legislation?     This session: 0%.  2022 session: 70%.  2022, by initiative: 20%.  Never: 10%.
Twitter poll, April 22 (a few days before the end of the session)
Concerned about growing momentum behind efforts to regulate the commercial use of personal data, Big Tech has begun seeding watered-down “privacy” legislation in states with the goal of preempting greater protections, experts say.

– Todd Feathers, Big Tech Is Pushing States to Pass Privacy Laws, and Yes, You Should Be Suspicious

It's an open secret that an Amazon lobbyis successfully proposed last year's Bad WPA as the basis for the Bad Virginia Privacy Act, and there's similar legislation in quite a few other states.   It'll be interesting to see how our latest victory in Washington influences the discussions – and hopefully some of the techniques we used in Washington will be useful in fighting similar legislation elsewhere.

It'll also be interesting to see what happens in Congress.  Rep. Suzan DelBene has introduced very similar legislation, but Senators Sherrod Brown and Maria Cantwell have both proposed stronger alternatives – and Sen. Ron Wyden's Fourth Amendment is Not For Sale Act has bipartisan sponsorship (including both Washington Senators).  If the Bad WPA had passed, big tech would have claimed that there's a "consensus" that it's the right path forward.  Now, there's pressure on Congress has to act because there isn't consensu in the states.  But big tech is a lot less popular in DC than it is in Washington state, and progressive Democrats and Republicans have the votes to block a bad bill.   So it's hard to know what'll happen.

Here in Washington, we'll already starting to prepare for next year's battle.  Big tech has a lot of influence, and I'm sure they'll try to push the Bad Washington Privacy Act through again.   But now that it's been rejected for the third year in a row, perhaps they'll consider trying a different approach. Microsoft in particular, as a company that sees privacy as a strategic advantage, would actually benefit from strong privacy legislation.  I'm not going to hold my breath, but it's very much in their business interest to listening to the input from civil rights, immigrant rights, civil liberty, consumer and privacy groups and started prioritizing protecting people (not just corporations).  

Whatever big tech decides to do, though, we'll be pressing for strong privacy legislation.  In the short term, that means debriefing with activists and legislators, setting up ongoing discussions to help educate legislators as well as the general public, and refining the People's Privacy Act.    

We made a lot of progress refining our messaging and activism tactics this year, and the Bad Washington Privacy Act's supporters did us a big favor by keeping the bill alive until the bitter end of the session – it gave us an opportunity to keep highlighting the advantages of the People's Privacy Act.    

So I'm optimistic that 2022 is the year when Washingtonians finally get strong privacy protections!

Show Comments