Washington Privacy Act, SB5062, does not go far enough to protect consumers or students

On January 14, 2021, the Washington state legislature will hold a hearing on a privacy bill, The Washington Privacy Act, SB 5062 which is weak and does not fully protect consumers’ right to privacy: 

  • SB5062 does nothing to better protect educational, teacher, or student data. 
  • SB5062 does not apply to state or local government agencies.
  • SB5062 has many limitations and exemptions that allow the selling of user data or its use for marketing purposes: 
    • SB5062  allows corporations and other third parties to sell your data or use it for marketing purposes UNLESS you  expressly opt out.
    • If you do opt out, companies can charge you a higher price for their services.
  • Even then, consumers  can only “opt out” of the collection and use of personal data for certain purposes.” 
    • Instead, companies should be required to get prior consent or “opt in” for any disclosure of your personal data, including its use for marketing or sale. 
  • Finally, SB5062 does not allow people to hold companies accountable for violating their privacy rights by suing, if they’ve violated the law or your decision to opt out.

 We agree with this Seattle Times op-ed: Washington needs a privacy law that protects people, not corporations. Oppose SB5062, Washingtonians deserve better. 

Sign up to leave a written comment or remotely testify against SB5062 HERE: https://app.leg.wa.gov/CSIRemote/Senate Senate Environment, Energy & Technology Committee,  Hearing on January 14, 2021 at 10:30 am.  You can sign up or leave comments up until 1 hour prior to the hearing.

Update: You can watch a recording from this January 14, 2021 hearing here.

*See Parent Coalition submitted testimony here:

WA “Senate Environment, Energy & Technology Committee” hearing on Jan 14, 2021

My name is Cheri Kiesecker, Co-Chair of the Parent Coalition for Student Privacy. Thank you for the opportunity to comment on The Washington Privacy Act, SB5062. In this time of increased use of technology, it is crucial that citizens control who is collecting data about them and how it is being used. Unfortunately, this bill neglects to protect some of the most vulnerable in our population: school children; for this reason and others, which we briefly highlight here, and in my testimony today, we oppose this bill.

The privacy and transparency protections in this bill do not apply to government agencies (schools) and students are exempted, defaulting instead to outdated FERPA, COPPA, and WA state student privacy law passed in 2015 HB1495—all of which have several limitations and exceptions.

(SB5062 Page 8) Sec. 102. JURISDICTIONAL SCOPE.

This chapter does not apply to:

4(a) State agencies, legislative agencies, local governments, or tribes

  1. Identifiable private information for purposes of the federal policy for the protection of human subjects, 45 C.F.R. Part 46;

(page 10)

  1. Personal data collected, processed, sold, or disclosed pursuant to the federal driver’s privacy protection act of 1994 (18 2U.S.C. Sec. 2721 et seq.), if the collection, processing, sale, or 3disclosure is in compliance with that law; (j) Personal data regulated by the federal family education rights and privacy act, 20 U.S.C. Sec. 1232g and its implementing regulations; (k) Personal data regulated by the student user privacy in education rights act,chapter 28A.604 RCW

Students are often required to submit an astonishing amount of personal data, often medical and mental health, behavioral and discipline information to schools; these data can be shared outside of the school walls, and uploaded to government databases. The data can be used to predict and profile children as criminals. Students are also required to use educational technology (edtech) platforms such as Zoom, Google products (Gsuite, Meet, and YouTube), and 100s of other apps, often with embedded hidden algorithms. As this recent report states, companies that rely on algorithms to profile students can discriminate and are often biased and wrong. Researchers have shown that 1000s of edtech apps often share senstitive data with advertisers and other third parties. There is little to no regulatory oversight of edtech, no parental consent, no way for parents to see data points collected or how their children’s data are being used, processed, profiled, and marketed by third parties, data brokers, etc. The FBI issued a warning about the risks associated with edtech apps and surveillance including tracking and targeting of children, misuse of sensitive data, social engineering, identify theft, and breach. (See King County, WA breach announced yesterday.) For more concerns about student data privacy, invasive surveillance technology, and opportunistic edtech, see EFF’s Student Privacy and the Fight to Keep Spying Out of Schools: Year in Review 2020.

FERPA

FERPA was weakened in 2008 and 2011 to allow disclosure of students’ personal information to businesses, researchers, agencies etc without parent knowledge or consent; in fact parents cannot opt out of this sharing. As recently reported by the US Dept of Ed, a 2 year study found that most districts violate federal privacy law FERPA. Additionally, FERPA has no private right of action, making it difficult for parents to enforce.

COPPA

Advocates and lawmakers agree, COPPA needs to be updated. SB502 should be updated to define children as 17-18 year olds (California CCPA increases the coverage to 16), should include a providers’ constructive knowledge, should address behavioral advertising,

Current WA state law HB15-1495, which SB5062 relies on to protect students, does not afford parental consent, does not give adequate transparency (does not require written contracts, exempts algorithms and adaptive learning (protection from dark patterns AI SB5062 would not be afforded to students), finally your student privacy law has no enforcement mechanism or penalty. Subsequently, Washington’s student privacy law HB15-1495, earned a D+ on our state-by-state report card comparison of student privacy laws.

SB5062 has many limitations and exemptions that allow the selling of user data or its use for marketing purposes:

  • SB5062 allows corporations and other third parties to sell your data or use it for marketing purposes UNLESS you expressly opt out. SHOULD BE OPT IN consent for collection and third party sharing.
  • If you do opt out, companies can charge you a higher price for their services.
  • Even then, consumers can only “opt out” of the collection and use of personal data for certain purposes.”
  • Companies can choose to refuse consumers’ request* to see what data the company has collected about them, and can charge a fee for this service. (*If they find the request –unfounded or excessive)
  • SB5062 allows personal data from Dept of Motor Vehicles to be sold. According to a 2019 report this information is sold, often to databrokers and resold; name, address, and other personal information. States are making millions off the sale of this data. Data in this data base, including social security numbers, is also often disclosed and matched to track students.
  • Finally, SB5062 does not have a strong private right of action, as last year’s House version did.

We don’t believe citizens data, especially school children’s data, should be bought and sold, profiled, used for research, or shared without their consent. — Data collection and disclosure should be OPT IN, and those collecting and disclosing the data should be held accountable with strong enforceable penalties. We hope you agree.

Thank you.

Cheri Kiesecker

Co-Chair Parent Coalition for Student Privacy

https://www.studentprivacymatters.org