Iโve been spying on you.
Some of what Iโve seen is fairly innocuous. I know, for example, what groceries you buy. But I also know what movies you like to watch, including the occasional adult title. (Haha, I canโt believe you watched 1996โs Playboyโs Girls of the Internet.) And Iโve seen the inside of your home, from multiple vantage points. Iโve seen the faces of all your family members, and I know what you looked like when you were a child. I could save those pictures if I wanted to. Maybe I already have. Youโll never know.
Itโs uncomfortable to think about just how much of your personal data is floating around out in the world; data you’ve entrusted to various companies youโve forgotten about, or handed off to third parties youโre not even aware of. You canโt control that dataโ if you click an affiliate link in one of my YouTube videos, you canโt stop Amazon from telling me what else you buy. You canโt stop me from seeing that you clicked on a Facebook ad that I created. You canโt stop me from saving that information.
Itโs creepy when I do it โ but the reality is that giant corporations are doing the same thing, constantly, with lots more information and lots more tools to pinpoint data points directly to you.
Wouldnโt you like to have more control over that information? Wouldnโt you like to punish me for hoarding your data without your permission? Maybe, soon, youโll be able to.
Last year, the legislature tried to pass two different bills to protect your digital privacy, and both of them failed. Now theyโre back.
Coming out of the Senate, we have SB 5062, the somewhat wishy-washy Washington Privacy Act, which passed a House committee this morning. And starting in the House, there was the stronger HB 1433, the People’s Privacy Act, which didnโt make it out of committee this year.
โI think we can do better,โ Rep. Shelley Kloba said when we spoke by phone. Sheโs the prime sponsor of the Peopleโs Privacy Act, which was the more robust of the two bills, and which failed to advance. โI still think, and Iโm not trying to toot my own horn, my bill does a much better job of correcting the asymmetry of power,โ she said.
In fact, the bills have a lot in common. Neither one is focused on individual creeps (like me) who might spy on you; instead, they would apply some regulations to the companies that gather up massive dossiers about who you are and what you do when youโre online โ which, given how the last year has gone, is a ton of data. The idea behind both of them is that you should know whoโs watching you and what theyโre doing with everything they seeโand you should be able to tell them when to delete that data.
The bills differ in how they handle opting in to privacy policies versus opting out, and also in how they’re enforced.
Until a recent amendment, the Senate bill, sponsored again this year by Seattle Sen. Reuven Carlyle, included a “right to cure,” which basically meant that a company could violate the law as much as they wanted until the Attorney General’s office went through a lengthy enforcement process. Under that process, if the company FINALLY fixed the issue, then there’d be no penalty. That’s dumb. Kloba’s version of the bill gave Washingtonians the right to data privacy and then allowed them to sue companies who violated that right, which is typically how we treat any other right in this country.
“In the spirit of compromise, our office has consistently said we could accept a ‘right to cure’ provision for one year after the bill goes into effect, but we cannot support this limitation going into perpetuity,” writes Brionna Aho, communications director in the AG’s office. She added that the AG sees “no public policy reason why it should be maintained into perpetuity except to shield violators.”
Initially, SB 5062 included that right to cure forever. But an amendment added in committee now ends it in 2023… which isn’t the one-year limitation that the AG’s office asked for, but it’s less than forever.
Look, I know, this is already confusing and boring, and honestly Iโd understand if youโd rather just let random people know what you bought at the grocery store than have to worry about clicking through a loooooong privacy policy. As soon as I see the words โwe have recently updated our privacy policyโ my first impulse is to shout, โYes! Whatever! Fine! I donโt care! Just let me read this Yu-Gi-Oh fanfic forum!โ
Rep. Kloba understands that feeling (well, not the Yu-Gi-Oh part specifically, but in general). โWe know right now that privacy policies, which I kind of read as a hobby, are really thick,โ she said. โPeople donโt understand whatโs in there, and itโs time consuming. The idea of an opt-in [which her bill provided, and the bill that passed committee does not] is thatโฆ if you do nothing as a consumer, theyโre not allowed to use your information. You can opt in to them using your information.โ
Why does all this matter so much? My little spy games are just a dumb hobby, but there are more serious privacy concerns: Databases are seldom hacker-proof, and you never know when someone might, say, discover that the password you used on a site to buy pet food is the same as the password you use for online banking. Anyone whoโs been the target of a stalker or a violent creep knows the value of protecting your identifying information. And hey, remember a few months ago when it was revealed that the military buys data about usersโ location from Muslim dating apps?
And hereโs what it all boils down to: Your data is valuable. If it wasnโt, giant corporations and the government wouldnโt be so hell-bent on obtaining it. If you have something valuable, like basic facts about who you are, you should be the one who gets to control it. In the last year, our lives have moved increasingly online, and the risk of your data getting into nefarious hands (or just embarrassing you) is growing.
Now that one of the privacy bills has passed the House, itโll probably go through another committee, flop around in a pile of amendments, and then eventually head to the Senate for additional consideration. If it finally lands on the Governorโs desk, you might be able to finally have some control (not total control, but some) over your data. Itโs a start, at least.
