Washington: Proposed Privacy Act adds to development of "patchwork of different state laws"
Washington State Senator Reuven Carlyle announced, on 13 January 2020, that he, along with five other Washington State Senators, had introduced Senate Bill 6281 for the Washington Privacy Act ('WPA').
Rights of consumers
In particular, the WPA would grant Washington residents:
- the right to know who is using their personal data and why;
- the right to correct inaccurate data and the right to delete certain data; and
- the right to opt out of the processing of data in key areas, such as targeted advertising and profiling.
Washington seeks to follow other U.S. states that have passed legislation related to consumer privacy, the most notable being California with the California Consumer Privacy Act of 2018 ('CCPA').
Thomas Ritter, Associate Attorney at Thompson Burton PLLC, told OneTrust DataGuidance, "In fact, Massachusetts, New York, and New Jersey are just a few of the states like Washington that are currently considering privacy laws. This possible patchwork of different state laws will ultimately leave businesses no choice but to devote more time and resources towards consumer-oriented privacy measures."
Complying with the WPA
The WPA will require controllers to conduct data protection assessments where they are processing personal data and an additional data protection assessment any time there is a change in the processing that materially increases the risk to consumers. In addition, the WPA requires data controllers to be transparent with consumers, to limit the collection of personal data to what is reasonably necessary, and to ensure that their collection of personal data is adequate, relevant and limited to the purposes which are disclosed to the consumer.
Rachel R. Marmor, Counsel at Davis Wright Tremaine LLP, told OneTrust DataGuidance that "organisations that are subject to the GDPR have likely already taken a number of steps that will make the compliance effort less painful, but news reports continue to suggest that the number of organisations that have fully complied with GDPR (or CCPA for that matter) is low. Many organisations have taken a 'check-the-box' approach to privacy where consumer disclosures are generated and website updates are made, but the organisation does not engage in the deep thinking about how it uses data that these laws really require. As more laws are implemented, organisations will find that their risk of lawsuit or enforcement increases greatly, and they would be wise to start taking a more holistic approach to privacy compliance."
Comparing the WPA with the CCPA
Ritter outlined that, while the "CCPA provides affected consumers a pathway for bringing a lawsuit, WPA only allows a civil action to come from the state attorney general. When the law failed to materialise last year, a big reason was this omission of a private right of action. Moreover, the WPA's definition of ‘personal data’ is more flexible than CCPA, holding that personal data is ‘any information relating to an identified or identifiable person’ compared to California's broader mandate on ‘information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.’ Lastly, a big portion of the WPA also addresses restrictions on facial recognition technology while CCPA does not."
Following its introduction, the WPA is scheduled to undergo an executive session in the Washington Senate Committee on Environment, Energy and Technology on 23 January 2020. If it passes the legislative stages within the Washington Legislature, it will then require the signature of the Governor of the State of Washington in order to become law, and would take effect on 31 July 2021.
Alexander Fetani – Privacy Analyst
Comments provided by:
Rachel R. Marmor – Counsel at Davis Wright Tremaine LLP
Thomas Ritter – Associate Attorney at Thompson Burton PLLC