[Editor’s Note: A version of this story originally appeared in journalist Eli Sanders’ “Wild West” newsletter, which covers internet-related legal issues. Subscribe here.]
The lobbyist representing Big Tech was adamant: lawmakers should pass the controversial Washington Privacy Act, a state-level attempt to deal with the perpetual failure of the US federal government to issue digital privacy rules that would protect American consumers from having their personal information collected, sold, and shared against their will by tech companies.
Samantha Kersul, representing the lobbying group TechNet, testified that in contrast to the ongoing inaction in the nation’s capital, “The Washington Privacy Act is the most well-worked and well-negotiated privacy bill in the country.” She urged a yes vote.
That was last month. As this month began, Kersul was again in front of Washington sate lawmakers, this time reading from a very different script. Her group, TechNet, has powerful members that include Google, Apple, Amazon, Zoom, eBay, Lyft, and many other large digital firms, and she was now urging opposition to the Washington Privacy Act, warning that a yes vote would mean “opening the floodgates for class-action liabilities.”
Between the March and April hearings, the Washington Privacy Act was revised by a Democratic house committee chair to include a limited right for consumers to take tech platforms to court for privacy violations. In policy and legal circles, this is known as granting consumers a “private right of action,” and it’s a red line for tech lobbyists who have now turned en masse against Washington state’s proposal.
Even Microsoft, which has pushed this bill for years, appears to be reconsidering. Last month, a company representative testified in support of the measure, telling lawmakers the bill stood to become “the strongest privacy law in the United States.” But at last week’s hearing the Microsoft representative was absent from testimony in support of the bill while a lobbyist for the Internet Association, whose members include Microsoft, told lawmakers her association now “strongly opposes” the Washington Privacy Act.
This abrupt turn now puts Big Tech on the same side as many digital privacy advocates, who’ve long wanted this particular privacy bill scrapped (because, in their opinion, it’s full of industry-friendly loopholes). These advocates also scoff at the limited private right of action that’s recently been added to the measure. They point out it would only allow individuals harmed by privacy violations to seek court injunctions against future privacy-violating behavior, not punitive damages for the violations that led them to court in the first place.
The newfound agreement that Washington’s privacy bill must be stopped has not, in fact, stopped the bill, which is on its third consecutive year of trying to make its way into law. The measure was voted out of the House Appropriations Committee on April 1 over the protestations of lobbyists on both sides, with all 19 of the committee’s Democrats voting yes and all 13 of the committee’s Republicans voting no.
Democrat Drew Hansen, who’s responsible for inserting the limited private right of action and other new provisions into the bill, calls his new creation “reasonable” and touts support for his revisions from Consumer Reports and Common Sense Media. But Rep. Hansen also made clear at the April 1 hearing that he expects “there is likely to be further refinement of this proposal” as it heads toward a vote of the full house sometime in the next two weeks.
A lot continues to hinge on whether this bill fails or succeeds. With only two other states—California and Virginia—having passed comprehensive digital privacy laws, Washington’s bill could signal whether America’s debate over digital data will head in a more consumer-friendly direction (like California’s 2018 law) or a more industry-friendly direction (like Virginia’s 2021 measure).
It could also set up a contrast with a long-stalled federal law proposed by Washington state’s own U.S. Senator, Maria Cantwell. Her law would give American consumers a private right of action against tech giants that includes the opportunity to win “punitive damages.” The latest version of another privacy bill from U.S. Rep. Susan DelBene of Washington state does not include a provision for a private right of action.
When it comes to the Washington Privacy Act, groups such as TechNet hope the Washington State Attorney General will be the only person granted a right to sue tech companies for digital privacy violations. Groups such as the ACLU, in contrast, want consumers to have a robust private right of action that allows for class-action suits aiming to make tech giants pay amounts proportionate to their offenses. In addition, these groups argue that calls for enforcement only by the AG ring hollow given that funding in the current bill wouldn’t give the AG’s office enough resources to meaningfully pursue violations.
Bill Block, of the ACLU, testified that the current bill would only fully fund one attorney in the AG’s office and that the bill’s allocations assume only three AG investigations into digital privacy issues each year—with none of those investigations proceeding to prosecutions. “That is grossly inadequate to address the scope of the problem,” Block testified on April 1. “Countries in Europe under the GDPR who have populations less than the state of Washington spend 15 times as much and still find it insufficient.”
Jonathan Pincus, a technologist and entrepreneur with Indivisible Plus Washington, urged lawmakers on April 1: “Don’t give the legislature’s endorsement to allowing predatory and exploitative behavior with no real consequences.”
A date for a vote of the full house has not yet been set.