House Bill 1799 Looks to Regulate the Data Broker Industry

With the annual IAPP* Global Summit happening in a little more than a week, I’m excited to see what topics will be covered this year. In past events, many of the very talented speakers rued the collapse of the Washington Privacy Act (SB 5062) (“WPA”), which would have been one of the most sweeping and broad privacy rights legislation in the United States. While debatable, the reasons for its failure largely point to the efforts to include private right of action enforcement, which proved to be too contentious in the House of Representatives to even go to a floor vote. What could have been a law on par, or even more significant, than the California Consumer Privacy Act (“CCPA”) died a silent and lonely death. Privacy professionals such as myself were disappointed that a progressive state failed to pass much-needed legislation. While privacy laws in Utah, Colorado, and Virginia come into effect this year, none match the broad, sweeping content of SB 5062’s proposed legislation.
A smaller but significant effort surfaced this year that would help correct this failure. House Bill 1799, introduced by Representatives Shelly Kloba (D-1 st District), who championed the WPA’s private right of action, and Liz Berry (D-36 th District), places needed oversight on data brokers, including the requirement to register annually and the gives the Department of Licensing the power and discretion to penalize data brokers who do not comply with the law.
A data broker is business that aggregates, processes, analyzes, cleanses, and sometimes uses information from many sources before licensing to other organizations for a profit. It can either source data via application program interfaces (“API”) via subscription-type contracts, or by licensing the data from other organizations. Due to the impact these businesses have on individual’s information, and moreover, their detrimental effects were summarized in a 2013 report from a US Senate Committee, “ A Review of the Data Broker Industry: Collection, Use, and Sale of Consumer Data for Marketing Purposes .” The report cited that data brokers collect a “huge volume of data on hundreds of millions of consumers,” that they “sell products that identify financially vulnerable consumers” and “about consumer offline behavior to tailor outreach to marketers,” and “operate behind a veil of secrecy.”
Similar to the private right of action in the WPA, HB 1799 includes provisions allowing individuals to opt-out of all or a portion of a data broker’s activities (i.e., collection, sale, or licensing of the individual’s brokered personal data), identifies which of the data broker’s activities an individual may opt-out, and describes the method for the opt-out. It also provides some clarification of which activities collection, sale, or licensing activities that may fall outside of this legislation, such as publicly available information or publishing access to journals. Like other businesses registered with the state, the Department of Licensing will publish all relevant information about each data broker on its website, making it available to the public. Finally, it carves out data collection, sales, and licensing activities that may fall under other, broader legislation such as the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act.
As of this posting, the House Bill has only gone to review under the Consumer Protection & Business Committee with no significant action aside from a scheduled executive session that was never held. Despite this, there’s hope that this will eventually make more headway in later sessions. If so, this would represent a significant step forward in the state’s efforts to make those who profit from individual’s personal information more accountable.
See the latest on HB 1799 here .
* – International Association of Privacy Professionals