I testified at the February 8 House Ways & Means hearing on SB 5062. So did quite a few other people, so we only had a minute each! The video is available on TVW; SB 5062 was the first bill discussed in the session, and my testimony starts at 23:15.
Here's an expanded version of what I said, which I'm also submitting as written testimony.
Madame Chair, Madame Ranking Member, and members of the committee,
Thank you once again for the opportunity to speak at today’s hearing on SB 5062. In my written testimony, I’d like to expand on the points I made.
I’m Jon Pincus from Bellevue, a technologist and entrepreneur, and former General Manager of Strategy Development at Microsoft.
I continue to OPPOSE SB 5062 as currently written. My testimony at the January 14 ENET hearing and followup letter to the committee, and lengthy discussion in The Illusion of Protection cover a wide variety of issues. My comments here focus on the fiscal aspects, where Ways & Means has an opportunity to improve the legislation.
SB 5062’s current fiscal note fails to allocate sufficient resources for enforcement. Section 111 of the bill gives the Attorney General’s Office (AGO) sole enforcement authority -- but the paltry $1.4 million budget for the next two years is only enough for 3.6 full-time equivalent employees (FTEs) and three investigations per year. Allocations then decrease in future years.
Contrast this with Ireland, whose data protection commission has a $23 million annual budget despite having a population smaller than Washington state. The German state of Schleswig-Holstein, half the population of Washington, has a staff of 25 in its data protection office. Even tiny Luxembourg allocates over $8 million/year.
Despite these much larger allocations, European data protection enforcement has been held back by lack of resources. As you heard at the hearing, Facebook has 150 privacy lawyers. Just last week, an EU commission called for the European Commission to sued the Irish DPC for failing to enforce the GDPR.
While SB 5062 does reserve any receipts from civil penalties under this act for recovering costs and attorney’s fees, the fiscal note projects this as not generating any cash through 2027.
California’s experience is instructive here. In the only case settled so far under their 2018 CCPA, the settlement gave $2 to each person who had been harmed, but did not impose any additional civil penalties. California’s newer CPRA allocates an annual budget starting at $10 million / year, which must be increased by the legislature “as may be necessary to carry out the provisions of this title.” [The CPRA also removed the right to cure, a topic several other speakers at the hearing discussed.]
Ways & Means can resolve this fiscal problem by taking the AGO’s suggestion of allowing a private right of action. Some specific changes to consider:
- Replace Section 111 with HB 1433’s Section 10 (1)
- Remove the word "solely" from Section 112 (1)
Otherwise, SB 5062 will require substantial additional investment if we are to have any hope of holding companies who break the law accountable.
Thank you all for your continued work on this bill (and all the others on your plate). I firmly believe that we share the same goal of protecting Washingtonians’ privacy, and am looking forward to ongoing discussions as SB 5062 moves forward.