Washington Privacy Act Clears Senate
Like other recent state data privacy laws, new legislation in Washington would require businesses to establish, implement, and maintain reasonable administrative, technical, and physical data security practices.
Yet another state-level privacy bill, this one in Washington state, seems poised to become law.
The Washington Privacy Act passed the Washington State Senate late Friday by a 46-1 vote.
The act, Senate Bill 6281, would give consumers rights and place additional obligations on businesses, entities the bill hopes to make "responsible custodians of data."
While it's not a given the act will pass the House of Representatives, where it's headed now, it is one step closer.
Similar to the California Consumer Privacy Act, the act would allow consumers to access their data, correct any errors in it, amend or delete it - and opt out of having it used for ad targeting or profiling.
Like other recent state data privacy laws, the legislation would require businesses to establish, implement, and maintain reasonable administrative, technical, and physical data security practices. Under the act, businesses would have to conduct a data protection assessment of its processing activities involving personal data.
If passed, the act would apply to any business in Washington state or any business that sells products or services to Washington residents, as long as that business controls or processes the data of at least 100,000 consumers, or derives more than 50 percent of its gross revenue from the sale of personal data, or controls the personal data of at least 25,000 consumers. In this scenario, the act sees data as any “any information that is linked or reasonably linkable to an identified or identifiable natural person.”
Unlike the CCPA, the Washington act doesn't include any guidance for consumers when it comes to clarifying whether businesses are collecting data for targeting advertising, nor does it require companies display a "Do Not Sell My Information" button on its website.
If passed, the act would go into effect on July 31, 2021; like the CCPA, it would be enforced by the state's attorney general. Civil penalties would be capped at $7,500 per violation.
Despite the overwhelming support for it, as mentioned, it’s not a given the bill becomes law. A different iteration of the bill cleared the Senate in the state last year but ultimately stalled in the House.
There are some moving parts that a handful of parties continue to take issue with, like the absence of a private right of action – a provision that would allow consumers to bring a business to court if their data rights were compromised.
Rep. Norma Smith, a ranking Republican on the state's House Innovation, Technology and Economic Development Committee made her thoughts clear last week, calling it a "corporate-centric approach with a laundry list of loopholes, exemptions and vague definitions."
In a statement on Friday, Rep. Smith pointed out the act's weak facial recognition safeguards.
It's worth noting the act does provide a baseline regulatory framework for facial recognition technology, including stipulations for third-party testing of the technology for accuracy and unfair performance, testing of the technology in operational conditions prior to deployment, consumer consent prior to enrolling an image in a service used in a public space, posting a conspicuous notice where the technology is deployed in a public space, and periodic training for all technology operators.
For what it’s worth, Washington's ACLU is also opposing the act, saying it "undermines privacy protections and has ignored community needs."
Reuven Carlyle, a Democrat who sponsored the bill, cited a Crosscut Elway poll from last month that showed 84 percent of respondents were in favor of consumer protections for personal data online.
"This bill carefully, responsibly takes the best practices from Europe, California and other states to build a data privacy regulatory framework that will help set a standard and lead the nation in bringing our data privacy laws into the 21st century," Carlyle said.