Skip to content

The session's in high gear: Washington privacy legislation update, January 31

With only 105 days in Washington's legislative session, things are moving quickly

Trees, reflected in a pond.  In the background, the dome of the state Capitol building

With only 105 days in Washington's legislative session, things are (as always) moving quickly.  Last week:

  • My Health My Data (HB 1155), which protects consumer health data – especially urgent as more and more states criminalize abortion and gender-affirming care – had a very encouraging hearing in the House Civil Rights & Judiciary (CR&J) Committee
TAKE ACTION: if you live in Washington state, ask your state Representatives  to pass My Health My Data using the ACLU's handy (albeit privacy-invasive1) web form
  • The Shield Law (SB 1469 / HB 5489), which protects abortion providers, patients, and helpers in Washington state by putting up barriers to out-of-state investigations from states that criminalize abortion abortion or gender-affirming care, had hearings in both the House and the Senate.  By the end of the week both committees had advanced versions of the bill (with the House making some amendments).
  • Digital Driver's Licenses (SB 5105) had a hearing in Senate Transportation, where privacy advocates including WA People's Privacy, ACLU of Washington and me all raised concerns.
  • The People's Privacy Act  (HB 1616 / SB 5643), which broadens My Health My Data's consent requirements to all data and covers government agencies as well as corporations, was officially introduced – with bipartisan sponsorship.  In the House, it's been assigned to CR&J.

This week, CR&J may have an executive session on Friday where they vote on amendments to My Health My Data and then decide whether or not to advance the bill.  There's no guarantee that will happen: they had originally scheduled and exec session for last Friday, delayed it till Wednesday, and then delayed again until Friday.  

Since we still haven't seen any amendments, that probably means language is still being negotiated.  Several potential issues were discussed at last week's hearing. As I said in A very encouraging first step,

"Industry lobbyists also consistently said they "support the bill's goals," and for good reason: in a state like Washington, they don't want to be seen as opposing reproductive freedom. But as expected, they pushed back strongly against some of the bill's language, warning that the bill as written would cause the sky to fall. They also, and suggested "improvements" (haha) including narrowing the definitions of consumer health data, introducing more loopholes and exemptions, allowing some geofencing as long as it wasn't "precise", and weakening enforcement....

To be fair, there may well be some valid suggestions for improvements along with exaggerated claims that the bill as written will cause the sky to fall."

One valid suggestion for improvement that ACLU of Washington and I both made in our testimony is removing the exemption for “de-identified” data.  As Sen. Ron Wyden has pointed out, since “de-identified” data can in practice always be reidentified, exempting it from privacy legislation puts pregnant people's privacy at risk. But there's a lot of money to be made in selling "de-identified" data, so I'm sure that industry lobbyists are telling legislators that removing the exemption would cause the sky to fall.

Talking points emerge

There's a lot of complexity to privacy, and unlike California and Colorado (which spend a while finalizing regulations after the legislation has been passed), Washington state tends to put all the details into the legislation itself – meaning it all has to get decided now.  The bill's sponsors, working with the AG's office, have to decide which suggested changes to incorporate – keeping the bill as strong as possible while still having enough legislators on board for it to pass.  

Looking at lobbyists' testimony in the hearing, you can see some talking points emerge.  One common thread is that the defintion of health data is too broad; as a result, one lobbyist warned, "consumers will get opt in requests for routine purchases like books about health."  Oh no!  Thank heavens industry lobbyists are looking out for our interests!!!!

But wait a second.  Data that somebody's purchased a book like "What to expect when you're expecting" needs to protected just like the result of a pregnancy test. So consumers should get opt-in requests if a company wants to do anything with that data other than use it to send you the book you've just bought.  And guess what, if businesses have to get people's consent, they'll find a way to make it less annoying.  As I said in my written comments:

"Apple has shown that it’s possible to do a very usable opt-in experience. Successful companies will learn from that."

Identifying industrytalking points – and helping legislators see through the spin – has been a key tactic for grassroots activists over the last few years, and will no doubt be just as useful this year.  

The Civil Rights & Judiciary vote is only one step in the process.  There will be further opportunities for amendments on the House floor, the Senate Law & Justice Committee, and the Senate floor.  At each step, privacy advocates will fight to keep the bill's strong protections, and maybe even strengthen them further; industry will push to weaken the bill.  Behind the scenes try to delay the votes as long as possible – if the legislature doesn't pass anything that'd be a major embarassment to Gov. Inslee and the Democratic caucus, so as time pressure mounts industry may have a better chance of extracting concessions.  

So even though there's still a long way to go, getting the bill "exec'ed out" of CR&J this week would be a very good thing from privacy advocates perspectives.  

Will it happen?  Stay tuned!


1 Privacy Badger reports a couple of trackers on the page.  And, here's the defaults on the form.  That doesn't look like affirmative consent (opt-in) to me!

Three checked check boxes: "Show my name in a list of action takers", "Sign me up for ACLU emails", "I agree to receive calls and texts"
Boxes checked by default is opt-out, not opt-in. Sigh.