Washington State Appears Next in Line for Comprehensive Privacy Legislation

Privacy and Data Security

The Washington Privacy Act would follow California’s CCPA as the second-in-the-nation law of its kind

Since the passage of the California Consumer Privacy Act (CCPA) in June 2018, over a dozen other states have moved to enact similar comprehensive privacy legislation. Due to developments this month in both houses of the Washington state legislature, it appears that the Washington Privacy Act (WPA) is likely to become the second major privacy legislation in the United States, and it includes provisions that both reflect the CCPA and go further.

Earlier this month, the Washington Senate passed the WPA in a near-unanimous bipartisan vote, and the Washington House now appears likely to pass the companion bill just as easily. Though the two bills differ somewhat, the WPA’s general architecture appears resolved. Here are the features of the Senate bill:

  • Applies to any entity that does business in Washington and either (1) controls or processes the personal data of 100,000 or more consumers; or (2) derives more than 50% of gross revenue from personal data sales and processes or controls the personal data of 25,000 or more consumers.
  • Defines “personal data” as any information “that is linked or reasonably linkable to an identified or identifiable natural person.” This definition is substantially similar to the CCPA, but notably lacks the CCPA’s problematic inclusion of “households.”
  • Introduces wide-ranging consumer rights pursuant to verified requests, including rights to access, correct and delete data; restrict or object to data processing; and data portability. The WPA also includes a novel protection against “final decisions” based solely on automated data processing (or “profiling”) if the decision would have a legal effect on consumers.
  • Requires privacy notices that disclose the categories of personal data collected, the purpose of the personal data’s use and disclosure to third parties, the categories of personal data shared with third parties, and the categories of those third parties. A notice must also disclose sales to data brokers, direct marketing, and any profiling and its envisaged consequences, including facial recognition technology.
  • Borrows the European Union’s General Data Protection Regulation’s (GDPR’s) distinction between controllers (i.e., entities deciding how data is used) and processors (i.e., entities handling data on behalf of controllers). Controllers are responsible for responding to consumer requests relating to processors, communicating those requests to processors, and conducting risk assessments both annually and prior to material changes in processing activities.
  • Exclusions for data regulated by HIPAA and GLBA. Unlike the CCPA, employment records are expressly excluded.

The only remaining challenges appear to be certain differences between the House and Senate versions that must be resolved. Two major differences await:

  • First, the House version includes a private right of action for violations of the WPA, though the provision would allow a 30-day right to cure and forbid attorneys’ fees and costs. The Senate version, like the CCPA, places sole enforcement authority in the hands of the state attorney general, which includes injunctive relief and penalties of $2,500 to $7,500 per violation.
  • Second, the applicability thresholds differ, with the House version applying to any entity doing business in Washington or intentionally targeting Washington residents.

Why it matters: Now that a second comprehensive privacy law on the West Coast appears likely, the core privacy rights undergirding the CCPA and WPA appear to be here to stay. Businesses of nearly any size should immediately begin modifying their information governance plans accordingly, if they have not started that process already. For businesses that have been reluctant to greenlight reviews of their data ecosystem and information governance programs, the compliance risk presented by comprehensive privacy laws such as the GDPR, CCPA and the WPA is only going to increase from here.

The Washington Senate Bill, SB-5376, is available here.