This was the expanded written version of the testimony I planned to give at the House Appropriations hearing on SB 5062. Plans changed and I wound up discussing something different, but I still filed it as written testimony.
Mr. Chair, Ranking Member, and members of the Appropriations committee,
I’m Jon Pincus from Bellevue, a technologist and entrepreneur, and former General Manager of Strategy Development at Microsoft. I'm also one of the leaders of Indivisible Plus Washington, a grassroots activism group with more than 20,000 members across the state.
I OPPOSE SB 5062 in its current form for a long list of reasons. This testimony focuses on the fiscal aspects of SB 5062 and covers four points:
- The paltry $1.2 million budget allocated to the AG’s Office for 2021-2023, decreasing in future years, is insufficient for enforcement or deterrence
- Strengthening the very limited private right of action, and allowing cities and county attorneys to enforce the law as well, can improve enforcement and deterrence without incurring additional taxpayer cost
- The “right to cure” should be removed
- If those fixes are not made, the bill as budgeted will not protect Washingtonians’ privacy -- so please vote “no”
The budget is insufficient for enforcement or deterrence
Other than the very limited private right of action in Section 111, allowing individuals to sue for injunctive relief and costs, Section 112 of the bill limits enforcement “solely” to the AGO. As a result, the AGOs paltry budget of $1.2 million for 2021-2023 (3.6 FTEs), decreasing in future years, is not sufficient to protect Washingtonians privacy.
Look at the evidence from elsewhere. European budget allocations are much larger. Ireland’s data protection commission, for example, has a $23 million annual budget despite having a population smaller than Washington state. Even so, European data protection enforcement has been held back by lack of resources. Just last week, the EU Parliament issued a resolution criticizing enforcement, noting that cases referred to the Irish DPA in 2018 still have not been heard and that the Irish DPA closes most cases with a settlement rather than a sanction.
California’s experience is also instructive here. In the only case settled so far under their 2018 CCPA, the settlement gave $2 to each person who had been harmed, but did not impose any additional civil penalties. California’s newer CPRA allocates an annual budget starting at $10 million / year, which must be increased by the legislature “as may be necessary to carry out the provisions of this title.”
With the current budget, the AGO estimates it can bring three investigations per year. And what if a large company violates the law? Joseph Jerome of Common Sense Media testified in the Ways & Means hearing that the average large company has 15 privacy lawyers. Facebook has over 150.
The AG’s has not been able to prevent Facebook’s and Google’s ongoing violations of Washington political advertising transparency laws, which continued despite a lawsuit and settlement in 2018 and a second lawsuit in 2020. With such minimal resources, it is hard to see them fairing better here. Unless significant changes are made, SB 5062 will require substantial additional investment if we are to have any hope of holding companies who break the law accountable -- or deterring others.
Strengthen the private right of action and allow local enforcement
Appropriation can resolve this fiscal problem by some straightforward changes.
- Replace Section 111, the limited private right of action, with HB 1433’s Section 10 (1)
- Remove the word "solely" from Section 112 (1) to allow local enforcement
The much stronger private right of action in HB 1433 allows courts to award damages and civil penalties as well. This allows private actions to act as enforcement action -- and the threat of a private action becomes much more of a deterrent.
In addition, SB 5062’s Section 113 already provides that moneys from civil penalties can be used to fund the recovery of the AGs attorney fees and costs. If private actions can also lead to civil penalties, AG resources for enforcement can also increase over time -- without additional cost to the taxpayer.
Consumer groups such as WashPIRG and Consumer Federation of America generally support a stronger private right of action. Even Consumer Reports, who backs the current version of the bill, said in their March 26 letter to Rep. Hansen that "We would prefer a private right that would also afford consumers monetary relief."
Remove the right to cure
The AG’s office has testified that “right to cure” will be a drain on their resources. As Consumer Reports said in their March 26 letter, the right to cure is a ““get-out-of-jail-free” card” that “ties the AG’s hands and signals that a company won’t be punished for breaking the law”.
Again, the evidence from California is instructive here. Their 2018 CCPA law had a right to cure, and the AG’s initial right-to-cure letters focused on sites missing either key privacy disclosures from their privacy notices or a clear opt-out link.
Why should taxpayers fund free testing that companies running the sites should do on their own? Californians decided they shouldn’t, and removed the right-to-cure in 2020 CRPA, adopted by referendum.
The amendment adopted by CR&J last week introduces a one-year sunset for the right to cure. But there’s no reason to do this for even a year. Section 112 (4) should be removed.
If these fixes are not made, please vote “no”
A privacy bill without enforcement or deterrence will not protect Washingtonians. Instead, it gives the cover of law -- and the legislature’s endorsement -- to the current situation where there are virtually no consequences for predatory and exploitative behavior.
So if these improvements are not made, I ask you to vote “no” on SB 5062, the Bad Washington Privacy Act.
Jon Pincus, Bellevue, 98005