Following an unsuccessful attempt last year at passing a comprehensive data privacy bill, the Washington State Legislature is hoping the second time’s the charm. Senate Bill 6281, this session’s updated version of The Washington Privacy Act, is based on the best practices taken from the European Union’s General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA) which went into effect on January 1 of this year. Although last year’s effort fizzled in Washington’s House of Representatives after passing the Senate 46-1, SB 6281 has been drafted to avoid a similar fate.

Stakeholders from Microsoft, Amazon, Comcast and others in the Washington Business community – as well as many from Consumer Privacy and Civil Liberties groups – have been meeting with the Committee to update the act in answer to the concerns brought up in last year’s go around. Specifically, a separate bill has been introduced, SB 6280, to address the government’s use and regulation of facial recognition technology, a controversial issue with respect to profiling and civil rights concerns according to the American Civil Liberties Union (ACLU). The bill’s sponsor, Democratic State Senator Reuven Carlyle, has also enlisted the help of the state’s newly appointed chief privacy officer, Katy Ruckle, who has pledged to champion the bill.

Ultimately, Washington state is following California and a growing number of states’ efforts to codify privacy protections in the absence of any forthcoming federal data privacy legislation. The updated Washington Privacy Act aims to:

• Provide Washington residents with the consumer personal data rights of access, correction, deletion, data portability, and the right to opt out of the processing of personal data for specified purposes.
• Specify the thresholds a business must satisfy for the requirements set forth in the act to apply.
• Identify certain controller responsibilities such as transparency, purpose specification and data minimization.
• Require controllers to conduct data protection assessments under certain conditions.
• Authorize enforcement exclusively by the attorney general. The bill does not, however, allow for a private right of action – a point of contention with many of those opposed.
• Provide a regulatory framework for the commercial use of facial recognition services such as testing, training, and disclosure requirements. The companion bill, SB 6820, carves out regulations on the public sector’s use of facial recognition technology.

SB 6281 and SB 6280 received first readings Jan 14, and were referred to the Committee on Environment, Energy & Technology. A public hearing was held on Jan 15 where staff, supporters and those opposed to the legislation testified to the impact the act might have on the groups they represent. The bills are scheduled for executive session in the Committee on Jan 23 at 10:00 AM.

We will continue to monitor developments in Washington state and the trend to provide greater rights to consumers to protect their personal information.