The Washington Privacy Act (SB 5376) is making its way through that state’s House after gaining nearly unanimous approval in the state Senate just weeks after being introduced. This bill promises to overhaul how Washington protects the personal information of its residents. The proposed Act closely mirrors the California Consumer Privacy Act of 2018 (CCPA) and is expressly modeled around the European General Data Privacy Regulation (GDPR) that went into effect last May. Despite borrowing heavily from these current regimes, the Washington Act is adding its own twists on privacy standards.
Washington residents would have the right to request that a company delete personal data maintained about them under a test that draws directly from the GDPR. Washington’s law defines “consumers” as natural persons who are Washington residents like California, but narrows that definition to include only people acting outside of the commercial and employment context. This exclusion for “commercial” activities is new in Washington, and it is not clear yet how this will be interpreted. Washington’s law would apply to companies that process personal data of over 100,000 Washington residents.
As proposed, the Washington law provides no private right of action, and leaves enforcement to the state Attorney General. The Washington Privacy Act will likely see many changes before its proposed effective date of July 31, 2021. But it is not the only state moving forward with such a comprehensive scheme. Other state legislatures like New York are working on sweeping legislation to address companies’ privacy practices.
Putting it Into Practice: This bill seems to be gaining traction and suggests that California may not be the only state with a new privacy regime in 2020.