I’ve been spying on you.
Some of what I’ve seen is fairly innocuous. I know, for example, what groceries you buy. But I also know what movies you like to watch, including the occasional adult title. (Haha, I can’t believe you watched 1996’s Playboy’s Girls of the Internet.) And I’ve seen the inside of your home, from multiple vantage points. I’ve seen the faces of all your family members, and I know what you looked like when you were a child. I could save those pictures if I wanted to. Maybe I already have. You’ll never know.
It’s uncomfortable to think about just how much of your personal data is floating around out in the world: data you’ve entrusted to various companies you’ve forgotten about, or handed off to third parties you’re not even aware of. You can’t control that data — if you click an affiliate link in one of my YouTube videos, you can’t stop Amazon from telling me what else you buy. You can’t stop me from seeing that you clicked on a Facebook ad that I created. You can’t stop me from saving that information.
It’s creepy when I do it — but the reality is that giant corporations are doing the same thing, constantly, with lots more information and lots more tools to pinpoint data points directly to you.
Wouldn’t you like to have more control over that information? Wouldn’t you like to punish me for hoarding your data without your permission? Maybe, soon, you’ll be able to.
Last year, the legislature tried to pass two different bills to protect your digital privacy, and both of them failed. Now they’re back.
Coming out of the Senate, we have SB 5062, the somewhat wishy-washy Washington Privacy Act, which passed a House committee this morning. And starting in the House, there was the stronger HB 1433, the People's Privacy Act, which didn’t make it out of committee this year.
“I think we can do better,” Rep. Shelley Kloba said when we spoke by phone. She’s the prime sponsor of the People’s Privacy Act, which was the more robust of the two bills, and which failed to advance. “I still think, and I’m not trying to toot my own horn, my bill does a much better job of correcting the asymmetry of power,” she said.
In fact, the bills have a lot in common. Neither one is focused on individual creeps (like me) who might spy on you; instead, they would apply some regulations to the companies that gather up massive dossiers about who you are and what you do when you’re online — which, given how the last year has gone, is a ton of data. The idea behind both of them is that you should know who’s watching you and what they’re doing with everything they see — and you should be able to tell them when to delete that data.
The bills differ in how they handle opting in to privacy policies versus opting out, and also in how they're enforced.
Until a recent amendment, the Senate bill, sponsored again this year by Seattle Sen. Reuven Carlyle, included a "right to cure," which basically meant that a company could violate the law as much as they wanted until the Attorney General's office went through a lengthy enforcement process. Under that process, if the company FINALLY fixed the issue, then there'd be no penalty. That's dumb. Kloba's version of the bill gave Washingtonians the right to data privacy and then allowed them to sue companies who violated that right, which is typically how we treat any other right in this country.
"In the spirit of compromise, our office has consistently said we could accept a 'right to cure' provision for one year after the bill goes into effect, but we cannot support this limitation going into perpetuity," writes Brionna Aho, communications director in the AG's office. She added that the AG sees "no public policy reason why it should be maintained into perpetuity except to shield violators."
Initially, SB 5062 included that right to cure forever. But an amendment added in committee now ends it in 2023... which isn't the one-year limitation that the AG's office asked for, but it's less than forever.
Rep. Kloba understands that feeling (well, not the Yu-Gi-Oh part specifically, but in general). “We know right now that privacy policies, which I kind of read as a hobby, are really thick,” she said. “People don’t understand what’s in there, and it’s time consuming. The idea of an opt-in [which her bill provided, and the bill that passed committee does not] is that… if you do nothing as a consumer, they’re not allowed to use your information. You can opt in to them using your information.”
Why does all this matter so much? My little spy games are just a dumb hobby, but there are more serious privacy concerns: Databases are seldom hacker-proof, and you never know when someone might, say, discover that the password you used on a site to buy pet food is the same as the password you use for online banking. Anyone who’s been the target of a stalker or a violent creep knows the value of protecting your identifying information. And hey, remember a few months ago when it was revealed that the military buys data about users’ location from Muslim dating apps?
And here’s what it all boils down to: Your data is valuable. If it wasn’t, giant corporations and the government wouldn’t be so hell-bent on obtaining it. If you have something valuable, like basic facts about who you are, you should be the one who gets to control it. In the last year, our lives have moved increasingly online, and the risk of your data getting into nefarious hands (or just embarrassing you) is growing.
Now that one of the privacy bills has passed the House, it’ll probably go through another committee, flop around in a pile of amendments, and then eventually head to the Senate for additional consideration. If it finally lands on the Governor’s desk, you might be able to finally have some control (not total control, but some) over your data. It’s a start, at least.