A Deep Dive into the Affiliates Loophole

An art exhibit in a gallery including black wire in a loop
Loophole For All, by Paolo Cirio

Does the Bad Washington Privacy Act (SB 5062) protect people — or corporations?  The loophole that allows “affiliate” companies (owned by the same parent) to share data without asking for consent is a great example.  Closing this loophole protects people.  Keeping it protects corporations.

Amazon’s a good example of a corporation that benefits from the affiliates loophole.  Amazon owns Whole Foods, Zappos, diapers.com, Twitch, Amazon Web Services, and at least 80 “private brands”, so this loophole lets all those companies share data and even sell it to each other and doesn’t even allow us to “opt out” of it.  Similarly, many people don’t know that WhatsApp, Instagram, Facebook and MetaQuest are owned by the same company, but they are, which means that they too are affiliates.

Recently reporting in The Markup on how a private equity firm has bought companies that collect data on America’s children is another good example: the affiliates loophole lets them share data and sell targeted advertising to predatory for-profit colleges looking for more students to exploit.  The suicide hotline that shared data with its for-profit spinoff would also fall under the affiliates loophole.  The affiliates loophole also let companies like Palantir USG who contract with ICE contract get access to all kinds of information that’s been shared with any of Palantir’s financial services, energy, AI, automative, or other products … again without having to provide notice, get consent, or even provide the opportunity to opt out.

a rope in with a loophole in the centerThe affiliates loophole was also in last year’s Bad Washington Privacy Act, but there were so many other bad things about the bill that nobody spent much time discussing affiliates.  This year, Representatives Slatter and Berg introduced the Foundational Data Privacy Act (HB 1850).  HB 1850 had some valuable new ideas, but started with a lot of the text of the Bad Washington Privacy Act, so inherited a lot of the problems.  For example, The Bad Washington Privacy Act had a very sneaky definition of “sale” of data that specifically excluded affiliates (as well as mergers and acquisitions), and the original version of HB 1850 used similar language in tis definition of “sharing”.

The Civil Rights & Judiciary committee worked with HB 1850’s sponsors to make some additional improvements in the substitute bill SHB 1850.  One of these improvements was a first step to cleaning up the affiliates loophole, by cleaning up the definition of sharing.  Good news!  But …

  • whoever drafted the Bad Washington Privacy Act had also included a sneaky definition of “third party” that also excluded affiliates.*  This definition of “third party” was also included in the original version of HB 1850 — and didn’t get changed by the CR&J committee.  So the affiliates loophole was still there even in SHB 1850.
  • Meanwhile tech companies claimed that even the partial fix in SHB 1850 would cause the sky to fall, and pushed legislators to undo it.  And legislators may well have listened to big tech, because the next version of the bill (2SHB 1850) got rid of all this language and replaced it by an as-yet-unpublished amendment to the Bad Washington Privacy Act, SB 5062.

Good times.

If you want to see the details, here’s the SHB 1850, the version the CR&J committee advanced, and here’s the original version,  The definition of affiliates is in Section 3 (1) on p.3; the definition of sharing is Section 3 (33); and the definition of third-party is Section 3 (37), p. 6.  Because affiliates are excluded from third-parties, the “right to opt out” in Section 5(5) doesn’t apply, and neither do several other important protections.  Once the amended version of SB 5062 is published we’ll include it here as well.

Update March 6: Google’s acquisition of security company Mandiant is another great example of the problems the affiliates loophole causes.  A different loophole in the Bad Washington Privacy Act means that companies can share any information related to preventing or detecting any malicious, deceptive, or fraudulent activity with no requirement for notice or consent.  And yet another loophole (closed in SHB 1850, but reopened in 2SHB 1850) exempts any information that’s been collected when there’s an acquisition.  So this mean Google can use any information that’s been shared by Mandiant for targeted advertising or whatever else it wants.  And the affiliates loophole means that so can any company owned by Alphabet, including their health-care companies like Verily and Calico which (again thanks to the affiliates loophole) are already get access to people’s Fitbit data without notice or and consent.

What could possibly go wrong?

* Why did they do that?  Well, even though  Washington’s legislators rejected the Bad Washington Privacy Act in 2021,  an Amazon lobbyist gave a copy of the Bad Washington Privacy Act to a Virginia state legislator, and after weakening it they quickly passed the Even Worse Virginia Privacy Act.  Reuters reported that Amazon drafted the Even Worse Virginia Privacy Act , so they may well have been involved with drafting the Bad Washington Privacy Act as well.  Bad Washington Privacy Act Sen. Carlyle, who will be retiring after this session, represents Amazon’s district and considers their lobbyist Guy Palumbo a treasured friend.  But maybe that’s all just a coincidence.

Leave a Comment