The following is a brief summary of the proposed Washington Privacy Act and our expectations for 2021. The Washington Privacy Act was introduced earlier this year but failed to pass the legislature before session adjourned on March 12.

Ever since the Cambridge Analytica events, privacy laws have become more stringent. On April 14, 2016 the European Union passed its landmark General Data Privacy Regulation (“GDPR”). On June 28, 2018 California passed the California Consumer Privacy Act (“CCPA”), becoming the first state in the US to adopt privacy standards aimed to protect consumers and their personal data. Since then, Washington State lawmakers have attempted to bolster their privacy laws as well. In January, Senator Reuven Carlyle introduced SB 6281, the Washington Privacy Act (“WPA”). The legislation aimed to further empower Washington consumers by granting new Consumer Data Rights (defined below) and outlined new regulations on Washington business entities that sell, process, or control personal data.

The WPA was referred to as one of the most cutting-edge pieces of data privacy legislation in the country. Aspects of the bill showed influences of GDPR and CCPA, but the language was tailored to fit Washington’s unique business landscape. The jurisdictional scope threshold of the WPA is significantly higher than those of the GDPR or CCPA, providing a buffer for smaller businesses. Additionally, violations of the act would not be subject to a private right of action, which would minimize potential litigation. Microsoft Corporation, a Washington based company, was a key proponent of the bill.

Under the WPA, “Consumer Personal Data Rights” would be established as the right of access, correction, deletion, data portability, and opt out. The jurisdiction of the WPA would cover those (i) conducting business in the state, (ii) producing products and services targeted to Washington residents, (iii) controlling or processing the personal data of 100,000 or more consumers during a calendar year, or (iv) deriving 50% of its gross revenue from the sale, processing, or controlling of Washington residents personal data.

The WPA passed out of the State Senate with unanimous, bipartisan support. The House passed their version of the WPA that quickly attracted concern from legislators and key stakeholders. There was no concurrence prior to the end of the 2020 Legislative Session, and the bill did not reach the governor’s desk.

The Washington State Legislature will reconvene in January of 2021. Until federal privacy legislation moves forward, it’s safe to assume a bill reminiscent of SB 6281 will be introduced and seriously considered by lawmakers in Olympia. Here’s what we expect in 2021:

• The final piece of legislation will likely be comprised of provisions from both the House and Senate versions of the WPA.
• Plan to comply with new regulations as early as July 2021. Violators of the act may be subject to injunction and liable for a civil penalty of up to $7,500 per violation.
• There will be contention over enforcement. The Senate version would have granted the Office of the Attorney General exclusive enforcement authority. The AG’s office voiced concern regarding their capacity to conduct enforcement.The House version would have been enforceable under the Consumer Protection Act. Subsequently, any violation may serve as the basis for, or be subject to, a private right of action. Stakeholders, including the Association of Washington Business, believe a private right of action may lead to gratuitous lawsuits as businesses begin to comply with the new mandates.
• Businesses may be required to conduct a data protection assessment to determine if their processing of consumer data brings potential risk of harm to the consumer. The outcome of these assessments may determine whether consumer consent is required prior to processing data.
• The Senate version of the WPA included regulatory framework for the commercial use of facial recognition services (i.e. testing, training, and disclosure requirements). The provision was ultimately removed from the House version. We anticipate the private use of facial recognition services will be addressed in a separate, more comprehensive piece of legislation during the 2021 session.Separately, the legislature adopted SB 6280. This statute permits the use of facial recognition services by state and local government agencies starting in July of 2021. This statute may influence private regulations to come.

We encourage our clients to stay apprised of what lawmakers are considering at the state and local level. If you are interested in additional information on how new privacy laws could affect your business, please contact us.