For the second year in a row, Washington State is considering the “Washington Privacy Act,” legislation that would regulate the collection and use of consumer data and have Washington join a chorus of states looking to legislate privacy. The bill (SB 6281) passed the Washington Senate with near-unanimous approval on February 14 and has until March 6 to be approved by the House of Representatives.

The bill mirrors existing privacy laws, like the GDPR and CCPA, in its treatment of consumer rights and restrictions on data use and regulates the use of facial recognition technology. It has attracted criticism from a variety of stakeholders, including some who argue it insufficiently protects consumers.

What’s in the Washington Privacy Act (as of February 18, 2020)?

Scope: The Washington Privacy Act would apply to “legal entities” that conduct business in Washington or offer products or services targeted to Washington residents and (i) control or process personal data of 100,000 or more consumers annually or (ii) derive over 50% of gross revenue from the sale of personal data and process or control the personal data of 25,000 or more consumers. The bill carves out certain organizations (e.g., state agencies, local government, and tribes) and types of information (e.g., information covered by GLBA or HIPAA) from the scope. The bill does not apply to employment data and delays application to higher education and non-profit organizations for 3 years.

Restrictions on Covered Businesses: The bill uses a controller/processor structure similar to the GDPR and assigns responsibilities based on the business’s role. Controllers must (1) publish a privacy policy, explaining why and how they use data; (2) limit collection of personal data to only that data reasonably necessary to the purposes for which it was collected (“purpose specification”); (3) minimize the data collected and maintained (“data minimization”); (4) avoid secondary uses of the data; and (5) maintain reasonable data security practices. They must also conduct data protection assessments for certain data processing activities. Processing of sensitive data (which includes specific geolocation data and genetic or biometric data) requires the consumer’s consent.

Consumer Rights: The bill provides Washington consumers with rights to access, correct, and delete their personal data. They also have the right to data portability. Consumers can opt out of the processing of their personal data for targeted advertising, sale, or profiling in furtherance of decisions that produce legal effects concerning the consumer.

Facial Recognition: The bill’s section on facial recognition requires processors offering facial recognition technology to make their technology available for controllers or third parties to conduct independent tests for accuracy and unfair performance bias. If independent testing finds inaccuracies or bias, the processor must implement a mitigation plan. Controllers using facial recognition technology in public must post a notice. Consent must be obtained from a consumer prior to enrolling an image of the consumer in a facial recognition service, subject to exceptions. Meaningful human review is required prior to making decisions using facial recognition technology that produce legal effects on consumers.

Enforcement and Effective Date: The attorney general would have exclusive authority to enforce the law; there is no private right of action. Civil penalties are available, up to $7,500 per violation. The Act would supersede local laws, ordinances, and regulations. The Act would take effect on July 31, 2021.

What happens between now and March 6?

The bill is currently proceeding through the House of Representatives. There are a number of “cut-off” deadlines the bill has to meet in order to progress.

  • By February 28, the bill needs approval by the House Committee on Innovation, Technology and Economic Development.
  • By March 2, the bill needs approval by the House Appropriations Committee.
  • By March 6, the bill needs approval by a vote on the House floor.
  • By March 12, the House and Senate need to resolve any differences in the version passed by the Senate on February 14 and the version passed by the House.

In the 2019 legislative session, the Washington Privacy Act received approval from the Senate but underwent extensive amendment in the House, where it ultimately failed to move forward. This year may be a repeat of the last, as the House did not advance the companion bill to this session’s Washington Privacy Act, HB 2742, and significant debate animates stakeholders, including consumer privacy groups, particularly regarding the treatment of facial recognition technology. With just three weeks remaining in the 2020 legislative session, an uphill battle remains for the Washington Privacy Act.