For most of March, the Washington Privacy Act (“WPA”) (SB 5367) looked like a sure thing. With Democrats in complete control of the state government, the bill’s nearly unanimous passage in the state Senate, and the support of the technology industry, the WPA seemed poised to join the CCPA as one of the first comprehensive state privacy laws. But the House substantially amended the bill in response to strong opposition from some consumer privacy advocacy groups. Efforts to find a compromise failed, and the bill was shelved for the year.

Although the legislature failed to enact the WPA, it did take some action in the privacy area, amending the state’s data breach law to require companies that have suffered a breach to notify consumers within 30 days of discovering the breach (the previous deadline was 45 days). The law also now requires businesses to inform affected consumers of when the breach occurred and when it was discovered, and, if the breach involved usernames or passwords, to tell consumers to take steps to secure their electronic accounts.

Washington lawmakers agreed on the basic framework of the WPA. Unlike the CCPA and other state privacy bills introduced this year, the bill was based on the EU’s General Data Protection Regulation (“GDPR”). It would have given Washington residents the right to access data that companies held about them (similar to the right contained in the CCPA), to correct inaccurate information about them, to demand deletion of data with only a few exceptions, and to opt out of some uses of their data, such as for targeted advertising. In addition, companies would have been required to conduct “risk assessments” for their processing of consumers’ personal data and to ask for the affirmative consent of consumers before processing their data in ways that posed a high risk of privacy harm. Legislators in both the Senate and House expressed that limiting the use of facial recognition technology by both the private sector and government agencies was a priority; however, they disagreed on how to accomplish this objective.

The Scope of the Law

At the most basic level, there were different opinions on who and what the law should cover. The Senate bill would have applied to entities doing business in Washington who met certain thresholds regarding the number of consumers whose data they controlled and how much of the businesses’ revenue derived from selling personal data; the amended House bill would have removed those thresholds so that all entities doing business in Washington would have been subject to the law by default (though both bills had some exceptions).

There were several other notable differences in scope. The House bill used a broader definition of personal data that would have included data that had already been made public, unlike the Senate’s bill. The House version also offered more guidance on what it meant to de-identify personal data so that it would no longer be subject to the law. And while the Senate bill would have defined a “sale” of personal data as an exchange for monetary consideration to a third party for the purpose of further licensing or selling the data, the House included any exchange or disclosure of personal data to a third party in exchange for anything of value and for any purpose in its definition of a sale.

Trusting Businesses?

Perhaps the most significant difference between the two versions of the WPA was in how they viewed businesses. The Senate bill reflected a relatively positive view of businesses, recognizing that they needed to be regulated in this sphere but also evincing a desire not to overly burden businesses with costly obligations. The House bill, on the other hand, manifested a belief that businesses might take advantage of consumers at every opportunity and needed to be regulated more strictly.

This difference in outlook could be seen in how the same GDPR-style rights were implemented. The Senate bill often made exceptions to consumer rights in situations where complying with a request would be cost prohibitive or technically infeasible, would have allowed businesses to retain data a consumer requested to delete if it was necessary for a “business purpose,” and in limited circumstances would have permitted businesses to charge a “reasonable fee” to comply with repetitive consumer requests. The House bill did not include nearly as many exceptions for businesses, allowed an analogous exception from the right to deletion only if the data was necessary “in relation to the purposes for which it was collected or processed,” and forbade businesses from ever charging consumers any fees.

Facial Recognition

The differences in the Senate and House approaches to facial recognition are a microcosm of the debates over the WPA. The scope of the Senate’s definition of facial recognition, covering only uses for identification, was narrower than the House’s bill, which also regulated its use to detect demographic information or mood. And as it did in other areas, the Senate bill also provided businesses with more latitude to deploy this new technology. The Senate version of the WPA would have permitted the use of facial recognition in decisions that have legal or other significant effects as long as a human reviewed the decision, but the House version prohibited such uses entirely. While the Senate bill would have required companies to allow third parties to test their facial recognition technology for unfair bias, the House bill would have required independent verification that the technology was not biased before it could be deployed. The House similarly put more limits and stricter judicial oversight on the use of facial recognition by government agencies.

Enforcement

The disagreements between the two chambers’ bills regarding enforcement reflected the same worldviews. The House wanted to provide significantly broader enforcement mechanisms for the law, and to do so sooner, than the Senate. One of the biggest points of disagreement between the two bills was whether to provide a private right of action. The Senate would have limited enforcement actions to those brought by the state Attorney General, while the House would also have allowed consumers to sue directly companies that allegedly violated the law. Further, the Senate bill gave businesses a 30-day opportunity to cure violations before they became liable under the WPA; the House removed that provision. And the House was in a bigger hurry to start enforcing the law: its version would have gone into effect at the end of July 2020, while the Senate would have given businesses an extra year to get into compliance.

Too Far Apart

With the exception of the House providing for a private right of action, the differences between the Senate and the House versions of the WPA were arguably of degree, not kind. It is possible that each issue standing alone would not have been a deal breaker during negotiations. But cumulatively, there was too much daylight between the two drafts to reach a compromise—especially with time running short at the end of the legislative session. The failure of Washington to pass the WPA is a warning to other states trying to pass similar legislation that they too will have to wrestle with these questions about how broad a scope such a law should have, the leeway given to businesses, and how to enforce consumer privacy rights.