Data privacy isn’t just for business, Government needs to protect data too

BLOG

This legislative session has brought a flurry of new data privacy bills aimed at protecting consumer data from prying eyes and, worse, theft. Two of the most prominent bills are still working their way through the legislative process. Senate Bill 5062, the Washington Privacy Act, is by far the most far-reaching of these bills but applies only to private businesses. House Bill 1552 is smaller in scope and prohibits state agencies from selling data they have collected on Washington residents.

Both bills would protect consumer data from being used in a way that the data owner didn’t initially authorize or isn’t aware of.

For those who work with data every day and understand how data moves around, the bigger issue and the elephant in the room, is the risk to data privacy that data aggregation from multiple sources poses. This aggregation process allows data to be pieced together to build a clear picture of a consumer or an activity.

Take, for example, cell phone tracking data. You might think that driving down the road with your cell phone's cellular radio and GPS switched off prevents someone from tracking you, but you would be wrong. One of the least understood features on a cellphone is ‘Wi-Fi Scanning’ triangulation. As you drive down the road, your cellphone scans for available Wi-Fi networks, in some cases even if you switch Wi-Fi off. When it sees a Wi-Fi network, it records that network's unique identifier. Other phones have likely already observed the same Wi-Fi network, with their GPS enabled, and recorded its location, so your phone can now determine where you are by matching the IDs against that record. When you reconnect to the internet, that data can be collected.

On some phones ‘Wi-Fi Scanning’ cannot be switched off and stays on in the background even when Wi-Fi is disabled.

The same principle applies to many activities you perform on your phone. By cross-referencing IDs from different data sources, a picture can be built of activity and use. Many of the apps on your phone report your phone's unique identifier along with any data collected, and this identifier can be matched between applications.

Recently the Seattle Times reported on a company contracted by the City of Seattle to monitor traffic data from Wi-Fi transmitters located on poles in the city. There are over 300 Wi-Fi points across downtown Seattle. They collect so-called anonymized data from the cellphones moving through the city, recording only the identifier on the phone and no other data. The data technically does not qualify for protection under the Washington Privacy Act since it is not classified as PII or another protected data type.

Remember that aggregation issue? With the identifier from the phone, someone can take that location data, merge it with other personal data carrying the same ID, and end up with a much larger dataset that identifies a specific consumer.

That is why a government agency should not be able to sell even anonymized data, unless the data has been altered, summarized or rolled up to remove the ability to reverse the anonymization process later.
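As an added illustration that is not part of the original post, the constructed Python example below shows why an identifier-only feed still joins cleanly to other data, and what "rolled up" data that resists re-identification looks like. The sensor names, hashed pseudonyms, account values and the k threshold are all assumptions made for the example.

```python
# Added example, not from the original post: constructed records showing why a
# bare device identifier is still a join key, and what a rolled-up release looks like.
import hashlib
from collections import Counter


def pseudonym(device_id: str) -> str:
    """Hashing a device identifier is a common way to produce an "anonymized" feed.
    Applied consistently to two datasets it yields the same value in both, so the
    hash is still a join key; it hides the raw ID, not the linkage."""
    return hashlib.sha256(device_id.encode()).hexdigest()[:12]


# Constructed: what a roadside Wi-Fi sensor feed might hold (pseudonym, sensor, hour).
SENSOR_FEED = [
    (pseudonym("aa:bb:cc:00:00:01"), "5th&Pine", 8),
    (pseudonym("aa:bb:cc:00:00:01"), "1st&Jackson", 17),
    (pseudonym("aa:bb:cc:00:00:02"), "5th&Pine", 8),
    (pseudonym("aa:bb:cc:00:00:03"), "5th&Pine", 9),
]

# Constructed: a second dataset (say, an app's analytics) keyed on the same identifier.
APP_DATA = {
    pseudonym("aa:bb:cc:00:00:01"): {"account": "user_a@example.invalid"},
    pseudonym("aa:bb:cc:00:00:03"): {"account": "user_c@example.invalid"},
}


def reidentify(sensor_feed, app_data):
    """Aggregation risk: joining on the shared pseudonym attaches a named account
    to each location observation, although the sensor feed held no PII by itself."""
    return [
        (app_data[pseud]["account"], sensor, hour)
        for pseud, sensor, hour in sensor_feed
        if pseud in app_data
    ]


def roll_up(sensor_feed, k=2):
    """Mitigation: drop the identifier entirely and release only counts per sensor
    and hour, suppressing any cell with fewer than k devices so that a single
    phone cannot be singled out. The output has no key left to join on."""
    counts = Counter((sensor, hour) for _, sensor, hour in sensor_feed)
    return {cell: n for cell, n in counts.items() if n >= k}


if __name__ == "__main__":
    print(reidentify(SENSOR_FEED, APP_DATA))  # three observations, now with accounts
    print(roll_up(SENSOR_FEED))               # {('5th&Pine', 8): 2}
```

The roll-up still "counts cars" at each sensor, but it no longer says where a given phone entered and left the city, which is exactly the trade-off the post describes.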

The Seattle Department of Transportation (SDOT) says that the Wi-Fi tracking data helps the engineers adjust traffic signals to optimize travel times. This only works because they can track where your phone entered the city and where it left. Otherwise, they are just counting cars.

The problem of data aggregation and data privacy is going to be hard to solve. Removal of unique identifiers has to be part of the solution, even when consent is given to sell or transfer data. Lawmakers should consider protections for identifiers in any legislation that is proposed.

In the meantime, the only real way to stop your cell phone data being tracked is to switch your phone off and leave it at home.
