On Friday, March 22, 2019, the State of Washington continued efforts to move forward on new privacy legislation. The State House of Representative's Committee on Innovation, Technology and Economic Development held its first public hearing on the proposed Washington Privacy Act.
The Washington state proposal draws substantially on Europe's General Data Protection Regulation (GDPR), incorporating a broad definition of "personal data" and adopting GDPR's controller/processor distinction. Like GDPR, it gives consumers comprehensive rights over their personal data, including the right to be informed about what personal data is collected and processed by a data controller and whether that information is sold; to receive a copy of personal data maintained by a controller; to request a data controller correct inaccurate personal data and to delete data; and to restrict and object to certain processing.
The Washington State Senate has already passed a bill. That version of the legislation applies only to businesses that (a) control or process the personal data of one hundred thousand consumers or more; or (b) derive over 50 percent of gross revenue from the sale of personal data and process or control personal data of 25,000 consumers or more.
The draft of the bill in the State House contains no such thresholds. Rather, it applies to all "legal entities that conduct business in Washington or produce products or services that are intentionally targeted to residents of Washington." The House version expands enforcement as well, by adding a private right of action. To bring a claim, a consumer must first provide a controller (i.e. the entity directing the processing of the consumer's personal data, generally a company) with written notice specifying the provisions of the law it is alleged to have violated. If the controller does not cure the concerns raised by the consumer within 30 days, the consumer must notify the state attorney general. The state attorney general then has 30 days to either advise the consumer of the government's intent to bring an action, or refrain from acting and allow the consumer to sue.
Washington's bill has moved through the legislative process with surprising speed. The Senate passed the bill on March 6, 2019, just two months after introduction. If the bill passes in the House and is signed into law, it will become effective on July 30, 2020.
Washington joins a growing number of U.S. states that are moving forward to regulate the way personal data is collected and handled and to codify consumers' rights in their data. Illinois enacted the Biometric Information Privacy Act in 2008 to address the collection of residents' biometric data, such as fingerprints and the law has survived a vigorous challenge by the private sector. Vermont now regulates businesses that collect and sell the personal information of consumers with whom the business does not have a direct relationship. In California, businesses are trying to operationalize the requirements of the California Consumer Privacy Act while waiting for the Attorney General to issue regulations before the law goes into effect in January 2020. Other states that have introduced privacy legislation this year include: Connecticut (Raised S.B. No. 1108); Hawaii (SB418); Massachusetts (Bill S.120); Maryland (SB0613); Nevada (SB 220); North Dakota (HB 1485); New Mexico (SB 176); New York (SB S224); and Rhode Island (S0234). Mississippi also introduced a bill, HB 1253, but it failed to pass out of committee.
The enactment of GDPR and the wide reaching impact that California's law will have on business has kicked off a focused effort to create a federal privacy standard that would preempt state laws on privacy related matters. Efforts are already under way in the U.S. Congress to craft a comprehensive federal privacy law and influential members of Congress have indicated that they intend to release a bill for public debate in the next few weeks. Companies across sectors are in the process of drafting their own bill text that addresses state and federal enforcement questions, potential increased rulemaking authority for the Federal Trade Commission and importantly, how the proposed law might apply across industry sectors, including those with existing laws and implementing regulations on privacy matters. While the debate will likely continue through 2019, many companies are hoping a federal bill will be signed into law, if not in 2019, then by early 2020.