Washington State Senator Carlyle has introduced a new version of the Washington Privacy Act bill ("WPA"). The proposed holistic version of the WPA is designed to provide a comprehensive data protection framework for the residents of Washington, which will go beyond the scope of the California Consumer Privacy Act (CCPA) and in some cases, even beyond the scope of the European General Data Protection Regulation (GDPR). If adopted by the legislators, the WPA will enter into effect on 31 July 2021.

Similar to the CCPA, the WPA would not apply to any company that collects or processes personal information of a Washington resident. In this regard, the WPA would only apply to entities which: (i) conduct business in Washington; or (ii) produce products or services targeted to Washington residents; and (a) process personal data of at least 100,000 consumers; or (b) derive 50% of gross revenue from the sale of personal data and process or control personal data of at least 25,000 consumers.

The WPA will grant consumers basic privacy individual rights such as the right to access, amend, delete or transfer personal data. Entities that are subject to the WPA, will also be required to allow consumer to opt-out of the processing of their personal data, for the purposes of targeted advertising; the sale of personal data; and of automated decision making that gives rise to legal consequences. As with the CCPA, the WPA will also prohibit companies from discriminating against consumers from exercising their rights. Companies, which process pseudonymous personal data, will not be required to comply with the individual rights if they are not in a position to identify the consumer.

In addition, the WPA requires companies to provide an accessible privacy policy to data subjects, disclosing the categories of personal data that has been processed, their purpose, consumer rights and data sharing practices. The proposed act would also set additional obligations that align with the GDPR, such as data minimization and reasonable security standards.

The WPA distinguishes between controllers and processors and sets obligations for each. For example, processors will be required to comply with controller's instructions and provide controllers with an opportunity to object before engaging with a subcontractor.

The WPA would also require companies to conduct data protection assessments any time where there is a change in the processing activities that might materially increase the risks to consumers. If the potential risks of harm occurring to the privacy rights of consumers will outweigh other interests, then controllers will be required to obtain the consumers' affirmative consent before processing.

Unlike other data protection laws, the WPA specifically addresses the issues regarding the commercial uses of facial recognition technologies. The WPA would require companies to obtain an affirmative "opt-in" consent from consumers before using facial recognition. The WPA also places a heightened obligation on both controllers and processors of commercial facial recognition services. Providers of facial recognition services for commercial uses will in addition, be obliged to provide APIs that will allow controllers and other third parties to evaluate the fairness and accuracy of the service. Controller will also need to take affirmative steps and post notices in public spaces, where facial recognition services are deployed.

In addition to the WPA, the legislators in Washington have introduced nine additional privacy and consumer protection related bills, including a bill against the use of deceptive bots for commercial purposes; a bill requiring written consent before retaining voice information; and a bill providing consumers with exclusive proprietary rights on their biometric identifiers.