After negotiations collapsed in 2019, Washington State has resumed work on proposed data privacy legislation. If approved, the updated version of the Washington Privacy Act (WPA), Senate Bill 6281, will go into effect on July 31, 2021.
Stakeholders from Microsoft, Amazon, Comcast, and others in the Washington business community – as well as many from consumer privacy and civil liberties groups – have been meeting with the Committee to update the act in answer to the concerns raised in last year’s go-around. Separately, a second bill, SB 6280, has been introduced to address the government’s use and regulation of facial recognition technology.
While privacy protection laws are good for consumers, many critics argue that the modern data economy is too large to manage at the state level. At the same time, implementing a multi-layered security approach at the federal level is a massive undertaking – various state, local and federal laws contain inconsistent requirements and exemptions, a topic ADCG has covered extensively. Federal lawmakers may find it challenging to determine a common baseline for a federal law. Here’s how the WPA stacks up against other recent privacy laws:
The California Consumer Privacy Act
Under the WPA, if approved, companies would need to provide consumers with “reasonably accessible, clear, and meaningful” privacy notices. This is similar to the California Consumer Privacy Act (CCPA), which creates “new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses.”
Both the WPA and the CCPA have similar exclusions and apply to companies of a generally “reasonable size.” Exclusions include activities relating to a consumer’s creditworthiness and personal data that’s covered by the Gramm-Leach-Bliley Act (GLBA).
Unlike the CCPA, when it comes to the processing of personal data by controllers or processors, the WPA preempts local regulations, laws, and ordinances. Washington cities, for example, are not allowed to pass facial-recognition technology restrictions or permissions at the municipal level.
Finally, the WPA does not include a private right of action in any capacity for consumers who fall victim to a data breach. The CCPA, on the other hand, does. Washington State’s attorney general would be solely responsible for bringing an action against those who fail to comply.
The General Data Protection Regulation
As with the EU’s General Data Protection Regulation (GDPR), consumers in Washington State would have the right to access their personal data, opt out of having their data sold, and correct or delete their data. If a company receives a consumer request for removal or correction, it would need to convey the request to all third parties that have been given access to the consumer’s personal data in the past year. Also similar to GDPR is the requirement that companies obtain consumer consent prior to processing sensitive data, which would include information about race and religion, as well as biometric, health, and geolocation data. The law also explicitly classifies data from a “known child” as sensitive.
The New York SHIELD Act
The New York SHIELD Act (SHIELD) contains provisions similar to those of the CCPA and the WPA. A notable difference, however, is that SHIELD explicitly extends its cybersecurity obligations to businesses operating outside the state of New York. So, for example, employers not located in New York may be required to comply if they solicit or accept applications from a New York resident. SHIELD also applies to companies of any size, whereas the CCPA only applies to businesses that make $25 million in annual gross revenue. The WPA does not include a specific revenue threshold either.
The Florida Consumer Data Privacy Act
The 2020 Florida Consumer Data Privacy Act is another proposed law that would require certain operators or websites to accept consumer requests to opt out of personal data sales. Much like the Nevada Online Privacy Protection Act, the proposed Florida bill would be relatively general in comparison to the CCPA and the WPA. The act also does not appear to require operators to disclose the right to opt out in their online privacy notice. Other states considering consumer privacy legislation in 2020 include Massachusetts, Minnesota, Pennsylvania, New Jersey, New Hampshire, Virginia, Hawaii, and Nebraska.
Federal Data Privacy Law Needed
The current patchwork of state privacy laws creates challenges for companies that do business nationally – as many large companies do. Financial firms that regularly handle interstate and international transactions are having a difficult time determining the best way to comply with each law. Consumers are also left puzzling through conflicting legalese.
Several business leaders, including PayPal CEO Daniel Schulman, and Salesforce co-CEO Keith Block, have called for the U.S. to enact its own version of the European Union’s General Data Protection Regulation (GDPR), citing the need for federal legislation to simplify the tangled web of state-issued data privacy legislation. Block and Schulman aren’t the only business leaders advocating for data privacy in Davos this week: Microsoft’s CEO, Satya Nadella, said on Thursday that data privacy must be protected as a human right.