On January 14, a new version of the proposed Washington Privacy Act, Senate Bill 6281, was introduced in the state Senate. Similar to last year’s proposed act, which Manatt covered at the time (read more here), the new bill combines key features of both the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR).
Under the bill, companies would be required to provide consumers with a “reasonably accessible, clear, and meaningful privacy notice” that contains elements similar to a notice provided under the CCPA.
Consumers would, as under the GDPR, have rights to access their personal data, to correct or delete it, to move it, and to object to automated decision making, as well as to opt out of the sale of their personal data, as under the CCPA. Moreover, consumers would be able to opt out of the processing of their personal data for targeted advertising. Companies receiving a request would need to convey that request to others who, in the past year, received the consumer’s personal data, and they would need to set up internal processes to handle appeals if they deny any requests.
As with last year’s version of the act, companies would need to sign contracts with their service providers; under the new bill, however, the terms of those contracts would increasingly resemble GDPR Article 28 processor terms for contracts between controllers and processors.
Importantly, companies would need to secure consumers’ consent before processing sensitive data, e.g., racial, religious, health, biometric and geolocation data, or any data from “a known child.” The level of consent required is similar to the heightened consent the GDPR requires: “a clear affirmative act signifying a freely given, specific, informed, and unambiguous indication of a consumer’s agreement.”
The bill does not create a private right of action for violations. Instead, the state’s attorney general would have the right to bring an action in the name of affected residents and to levy a $7,500 civil penalty per violation. Unlike the CCPA and last year’s bill, the new bill does not contain a period to cure violations before the state attorney general could bring an action.
If approved, the law would take effect on July 31, 2021.
To read Senate Bill 6281, click here.
To read a comparison of Senate Bill 6281 against last year’s version of the Washington Privacy Act, click here.
Why it matters: If the legislature moves Senate Bill 6281 forward, Washington could join California and Nevada in the regulation of consumer privacy, giving rise to three state privacy laws that contain different requirements and different exemptions. These three laws could spur other states to quickly pass their own privacy laws with their own unique requirements and exemptions, resulting in an increasing patchwork of state privacy regulation and an increasingly difficult environment for federal lawmakers to agree on a common baseline for a nationwide law with preemptive effect. Put differently, it appears that companies should anticipate having to comply with different privacy requirements in the different states in which they operate.