Washington State Data Privacy Act Fails to Pass

Posted by Thomas E. Sowers on

The Washington Privacy Act (SB 5367) (“WPA”), a bill which received 46-1 support in the Washington state Senate, failed to come to a floor vote in the Washington House of Representatives before the April 17 deadline for the Washington state legislative session.  Given the near-unanimous support for the bill in the Senate, the bill was expected to pass the Washington House without problem.

The WPA would have been the second comprehensive state act (the California Consumer Protection Act (“CCPA”) being the first) to address the issue of consumer data protection.  The WPA was modeled on the European Union’s General Data Protection Regulation (“GDPR”) and used language very similar to the GDPR’s relating to the expansive definition of “personal data.” The WPA also would have given Washington residents protections very similar to those offered to European residents under the GDPR, including giving residents the right to delete data; the right to request that any data errors about the resident be corrected; the right to receive a copy of any personal data collected by a company in electronic format; and the right to withdraw consent from the processing of any personal data.  In addition, companies would have been required to conduct risk assessments of their processing of consumers’ personal data and to ask for the affirmative consent of consumers before processing their data in ways that posed a high risk of privacy harm.

The bill reportedly ran into trouble after privacy advocates pushed the Washington House to strengthen the bill. Ultimately, several issues proved too difficult to get past.  One key issue involved the bill’s approach to the regulation of facial recognition software.  One amendment would have imposed stricter controls on the use of facial recognition software, including requiring companies to obtain consent prior to the use of the software, which many found objectionable.

Enforcement of the WPA was another key issue.  Unlike the GDPR and the CCPA, the WPA did not allow for a private right of action giving individuals the ability to sue companies if the companies infringed upon their rights.  Privacy advocates pushed for an amendment allowing for a private right of action.

Even though Washington failed to pass the WPA, there is still a good bit of momentum at the state level behind the enactment of comprehensive privacy legislation. This year, several states including Hawaii, Texas, Massachusetts and New York have introduced significant privacy bills.  Though it is difficult to predict when or if Congress might enact a comprehensive federal privacy statute, it could be that the increased level of state activity on the issue could spur Congress.  Many believe one comprehensive federal privacy law which preempts state law would be preferable to a system requiring companies to comply with the different obligations of the various states.  Multiple federal privacy bills have been introduced in Congress in the last several months. It remains to be seen if any of them is able to gain traction.