Washington State Legislature Takes Another Shot At a Consumer Data Privacy Law

Following an unsuccessful attempt last year at passing a comprehensive data privacy bill, the Washington State Legislature is hoping the second time’s the charm. Senate Bill 6281, this session’s updated version of The Washington Privacy Act, is based on the best practices taken from the European Union’s General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA) which went into effect on January 1 of this year. Although last year’s effort fizzled in Washington’s House of Representatives after passing the Senate 46-1, SB 6281 has been drafted to avoid a similar fate.

Stakeholders from Microsoft, Amazon, Comcast and others in the Washington Business community – as well as many from Consumer Privacy and Civil Liberties groups – have been meeting with the Committee to update the act in answer to the concerns brought up in last year’s go around. Specifically, a separate bill has been introduced, SB 6280, to address the government’s use and regulation of facial recognition technology, a controversial issue with respect to profiling and civil rights concerns according to the American Civil Liberties Union (ACLU). The bill’s sponsor, Democratic State Senator Reuven Carlyle, has also enlisted the help of the state’s newly appointed chief privacy officer, Katy Ruckle, who has pledged to champion the bill. 

Ultimately, Washington state is following California and a growing number of states’ efforts to codify privacy protections in the absence of any forthcoming federal data privacy legislation. The updated Washington Privacy Act aims to:

    • Provide Washington residents with the consumer personal data rights of access, correction, deletion, data portability, and the right to opt out of the processing of personal data for specified purposes.
    • Specify the thresholds a business must satisfy for the requirements set forth in the act to apply.
    • Identify certain controller responsibilities such as transparency, purpose specification and data minimization.
    • Require controllers to conduct data protection assessments under certain conditions.
    • Authorize enforcement exclusively by the attorney general. The bill does not, however, allow for a private right of action – a point of contention with many of those opposed.
    • Provide a regulatory framework for the commercial use of facial recognition services such as testing, training, and disclosure requirements. The companion bill, SB 6820, carves out regulations on the public sector’s use of facial recognition technology.

SB 6281 and SB 6280 received first readings Jan 14, and were referred to the Committee on Environment, Energy & Technology.  A public hearing was held on Jan 15 where staff, supporters and those opposed to the legislation testified to the impact the act might have on the groups they represent. The bills are scheduled for executive session in the Committee on Jan 23 at 10:00 AM.

We will continue to monitor developments in Washington state and the trend to provide greater rights to consumers to protect their personal information.

About Leslie Pedernales

Leslie Pedernales works with clients to develop communication strategies as part of integrated government relations initiatives. She partners with her clients to understand their business objectives and priorities so she can provide practical counsel and help them formulate successful legislative and legal strategies. Leslie has assisted clients in media and privacy law as well as in managing communications on issues including privacy and data breach legislation, copyright and trademarks, election law, global climate change and greenhouse gas emissions, international trade and interstate commerce, and energy policy. She has worked with clients to develop responses to legislation, media relations material, books, video scripts, print advertisements and commercials as part of comprehensive strategies to engage stakeholders on these issues. 

About MVA

Moore & Van Allen represents companies nationwide with regard to data privacy protection and compliance. If you have questions about your company’s data privacy and security obligations and would like to speak with an attorney, you can contact any member of our Privacy & Data Security practice group for more information.

Leave a Reply

Your email address will not be published. Required fields are marked *