ACLU says Washington data privacy bill is not consumer friendly
In theory, Washington’s latest data privacy bill proposes to allow people to contact companies and ask what information they have on them. People could then ask the company to delete such data.
But it’s not so simple according to the ACLU, which argues that the state bill is not what it seems.
“Unfortunately, the reality and the marketing around this bill are two very different things,” said Shankar Narayan, technology and liberty project director with the ACLU. “It is being marketed as something that is supposed to give power back to the consumer in the area of data privacy.”
“The first problem is that it was written by the technology companies themselves,” Narayan said. “And it was stacked up with loopholes so that a company that holds your data can override your consent around that data.”
“So if you withdraw your consent to their using your data, they can still come back and override that,” he said.
Naryan notes that there is little movement at the national level to regulate data privacy, so many states are taking on the task, such as California, which has passed strict rules.
“I think the technology companies have taken notice and are looking to enact weaker statutes in different states, including the one in Washington,” he said.
Consumers give over data to companies frequently in daily life, often without realizing it.
“When you use a service, when to do business online, even when you type a search term into a search browser, you are accepting a terms of service that largely allows your data to be shared and sold to third parties without you understanding that is going to happen,” Naryan said.
“The problem with that is that so much of our decision making is now data driven and those pieces of data can come back to bite you,” he continued. “For example, when you try to get a job, or when you try to get a loan, those data brokers will have sold your data to a company that will then use an algorithm or a program to find out if you are worthy candidate for that loan or for that job.”
Naryan argues that the “gold standard” for data privacy is the European model, where a business has to not only get consent to collect your data, but they also have to get consent for a specific business purpose.
“Here it’s kind of the opposite,” he said. “In Washington’s statute, we basically assume the business has a legitimate purpose and they are legitimately collecting. And the burden goes back on the consumer to come back and fight. And even if they withdraw their consent, the entity or business could simply declare it a different business purpose and continue to hold the data despite the fact that you have withdrawn consent.”
“So we think the more consumer-focused model of Europe, and California which has a similar model, is much better than making it optional for companies to decide and giving them so many different ways to override the will of the consumer,” he added.