For more background on the Washington Privacy Act, see: Washington State Legislature Takes Another Shot At a Consumer Data Privacy Law (DataPoints, 1/22/2020)
Senate Bill 6281, the Washington Privacy Act, passed out of the Senate on February 14 and moved to the House of Representatives where it is expected to run up against some skepticism and questions.
The bill was drafted to help bring Washington state more in line with California’s and the EU’s data privacy regulation efforts, in the absence of comprehensive privacy regulation at the federal level. The Act places requirements on companies to notify consumers when their data is being used and provides an avenue for those consumers to correct inaccurate data and delete personal information under certain circumstances. The state’s Attorney General’s Office would be designated as the sole authority to enforce violations, each of which could amount to a civil penalty of up to $7,500. The fines from these penalties would help fund the existing Washington state Office of Privacy and Data Protection.
As previously reported, the bill is the result of conversations with stakeholders from tech companies, consumers and consumer privacy protection groups, civil rights organizations and entities doing business in Washington. The concerns about the legislation center on the following issues:
- The Enforcement Authority – The Act’s enforcement authority rests exclusively in the hands of the state’s attorney general. The bill as written does not allow for a private right of action for an individual consumer to sue entities violating the Act’s provisions.
- “Covered entities” – Based on the definition used in the Act, a large company could theoretically attempt to avoid the regulations altogether by creating smaller companies with numbers under the thresholds. The Act applies to “legal entities that conduct business in Washington or produce products or services that are targeted to residents of Washington, and that satisfy one or more of the following: controls or processes personal data of at least 100,000 individuals in a year; or derives over 50% of their gross revenue from the sale of personal data, and control or process information on 25,000 or more consumers.
- Facial Recognition Technology – SB 6281 passed the Senate 46-1, with Senator Bob Hasegawa (D-Seattle) voting against the bill in favor of his own legislation proposing a total moratorium on all government facial-recognition programs.
The rush is on, however, to resolve these and other concerns – and to get the bill passed through the House soon – since the Washington state legislative session ends on March 12. A public hearing in the House Committee on Innovation, Technology & Economic Development has been scheduled for February 21 at 10:00 AM (Pacific Standard Time).
About Leslie Pedernales
Leslie Pedernales works with clients to develop communication strategies as part of integrated government relations initiatives. She partners with her clients to understand their business objectives and priorities so she can provide practical counsel and help them formulate successful legislative and legal strategies. Leslie has assisted clients in media and privacy law as well as in managing communications on issues including privacy and data breach legislation, copyright and trademarks, election law, global climate change and greenhouse gas emissions, international trade and interstate commerce, and energy policy. She has worked with clients to develop responses to legislation, media relations material, books, video scripts, print advertisements and commercials as part of comprehensive strategies to engage stakeholders on these issues.
Moore & Van Allen represents companies nationwide with regard to data privacy protection and compliance. If you have questions about your company’s data privacy and security obligations and would like to speak with an attorney, you can contact any member of our Privacy & Data Security practice group for more information.
About Data Points: Privacy & Data Security Blog
The technology and regulatory landscape is rapidly changing, thus impacting the manner in which companies across all industries operate, specifically in the ways they collect, use and secure confidential data. We provide transparent and cutting-edge insight on critical issues and dynamics. Our team informs business decision-makers about the information they must protect, and what to do if/when security is breached.
Data Points: Privacy & Data Security Blog Updates
- The Consumer Financial Protection Bureau Stakes Out Its Enforcement Authority Over Unfair Information Security Practices
- Maryland Amendments to Data Security and Breach Notification Law
- The Devil Really is in the Details: The SEC Proposed Rule on Cybersecurity Risk Management for Investment Advisors, Registered Investment Companies and BDCs
- Will the U.S. Finally Pass Comprehensive Data Privacy Legislation?