Skip to Content

Knowledge

Washington Takes Aim, Again, at Creating a GDPR-Style Privacy Law of its Own

January 22, 2020

On January 13, lawmakers in the State of Washington introduced a law that would provide state residents with new privacy rights.

If passed, the Washington Privacy Act (WPA) would be another state law in the same vein of the European Union’s General Data Protection Regulation (GDPR) and the newly enacted California Consumer Privacy Act (CCPA).

The WPA would grant Washington consumers the right to access, delete, correct and move their personal data, or opt out of data collection altogether.

Washington’s proposed definition of “personal data” is “any information that is linked or reasonably linkable to an identified or identifiable natural person,” but does not include deidentified or publically available information.

Would WPA apply to my company?

The proposed law would apply to any business located in Washington or that targets services or products to Washington consumers.

To fall within the law’s purview, the business must either control or process the personal data of at least 100,000 consumers or derive more than 50% of its gross revenue from the sale of personal data of more than 25,000 Washington residents.

WPA’s broader impact

WPA-impacted companies could range from big names like Amazon and Microsoft to data brokers and retail stores, among others.

As drafted, the WPA does not create a private right of action. Rather, it would empower the state attorney general to seek injunctive relief and fines of up to $7,500 per violation. The proposed effective date is July 31, 2021.

This marks Washington’s second attempt at passing a sweeping data protection law. Last year, Washington came close to becoming the second state following California to enact consumer privacy legislation. However, the 2019 version of the WPA passed the Washington Senate — only to stall in the Washington House.

A separate bill was recently introduced that would regulate state and local governments’ use of facial recognition programs. Senate Bill 6280 would require governments to publish accountability reports and conduct testing of its facial recognition software to ensure accuracy, as well as provide public notice when it is in use.

Future of Washington’s consumer privacy laws

The future of both the 2020 WPA and SB 6280 is unclear at this stage. Many critics, including the American Civil Liberties Union, Electronic Frontier Foundation and Consumer Reports, argue that the proposed measures do not go far enough and contain too many loopholes for businesses.

Similar concerns led to the downfall of the WPA last year. Some critics champion more forceful measures, including ones that would require data brokers to register with the state, create a private right of action and implement a moratorium on the use of facial recognition software.

Other critics oppose further creation of a state-level patchwork of privacy protections and instead advocate for a federal bill that would standardize requirements across the country.

Our Privacy, Cybersecurity, and Data Management team will continue to monitor WPA developments, as well as consumer privacy bills introduced in other states and at the federal level.