January Privacy Oracle: Analysis of Draft Washington State Privacy Act, New State and Federal Proposals, and Other Policy Developments

Washington threatened to further complicate the U.S. legal landscape on Friday, January 18, as a group of state senators introduced the "Washington Privacy Act," SB 5376, a bill which would establish GDPR-like requirements on businesses that collect personal information related to Washington residents. In addition to requirements for notice, and consumer rights such as access, deletion, and rectification, the WPA would impose restrictions on the use of automatic profiling and facial recognition.

The Washington Privacy Act similarly would prohibit subjecting an individual to a "decision based solely on profiling which produces legal effects concerning such consumer or similarly significantly affects the consumer." It goes a step further than the GDPR, requiring a company with respect to any "profiling," regardless of consequences, to disclose at the time of data collection "meaningful information about the logic involved and the significance and envisaged consequences of the profiling." Specifically, if the company uses profiling in its processing of personal data for direct marketing purposes (or sells it for such), it must disclose this and provide mechanisms for the consumer to object.

Washington state legislators also introduced SB 5064, which would amend the state’s data breach notification law to reduce the amount of time a business has to provide consumer notice following a breach. SB 5064 would require companies doing business in Washington to provide notice of a security breach to the Washington Attorney General (AG) within 14 days of discovery of the breach, and affected consumers within 30 days. Both notifications would have to include a "timeline of when the breach began, when it was discovered, the containment of data, and all windows of intrusion," and the AG notice would also have to include a summary of containment efforts. The new law would remove the threshold for AG notification of 500 people, requiring notification if any Washington residents are impacted.

Washington wasted no time moving these bills forward, and the Senate Environment, Energy & Technology Committee held a public hearing on both on January 22. Industry reaction was largely supportive, with many speakers deeming the Washington Privacy Act a "thoughtful approach." All three branches of the Washington state government are controlled by the Democratic Party, which could pave the way for swift passage of both bills.

Further analysis regarding the Washington bills, a new federal proposal from Marco Rubio (the most recent Republican to wade into the current privacy fray), the CCPA rulemaking process, and other developments in state privacy and security legislation, are available in the January issue of the Privacy Oracle. The Oracle is a monthly, subscription-based newsletter that consolidates significant U.S. legislative and regulatory developments at the federal and state levels into a single publication. For information on subscription pricing, please contact Nancy Libin or Rachel Marmor.