Although the legislature failed to enact the WPA, it did take some action in the privacy area, amending the state’s data breach law to require companies that have suffered a breach to notify consumers within 30 days of discovering the breach (the previous deadline was 45 days). The law also now requires businesses to inform affected consumers of when the breach occurred and when it was discovered, and, if the breach involved usernames or passwords, to tell consumers to take steps to secure their electronic accounts.
Washington lawmakers agreed on the basic framework of the WPA. Unlike the CCPA and other state privacy bills introduced this year, the bill was based on the EU’s General Data Protection Regulation (“GDPR”). It would have given Washington residents the right to access data that companies held about them (similar to the right contained in the CCPA), to correct inaccurate information about them, to demand deletion of data with only a few exceptions, and to opt out of some uses of their data, such as for targeted advertising. In addition, companies would have been required to conduct “risk assessments” for their processing of consumers’ personal data and to ask for the affirmative consent of consumers before processing their data in ways that posed a high risk of privacy harm. Legislators in both the Senate and House expressed that limiting the use of facial recognition technology by both the private sector and government agencies was a priority; however, they disagreed on how to accomplish this objective.
The Scope of the LawAt the most basic level, there were different opinions on who and what the law should cover. The Senate bill would have applied to entities doing business in Washington who met certain thresholds regarding the number of consumers whose data they controlled and how much of the businesses’ revenue derived from selling personal data; the amended House bill would have removed those thresholds so that all entities doing business in Washington would have been subject to the law by default (though both bills had some exceptions).
There were several other notable differences in scope. The House bill used a broader definition of personal data that would have included data that had already been made public, unlike the Senate’s bill. The House version also offered more guidance on what it meant to de-identify personal data so that it would no longer be subject to the law. And while the Senate bill would have defined a “sale” of personal data as an exchange for monetary consideration to a third party for the purpose of further licensing or selling the data, the House included any exchange or disclosure of personal data to a third party in exchange for anything of value and for any purpose in its definition of a sale.
Trusting Businesses?Perhaps the most significant difference between the two versions of the WPA was in how they viewed businesses. The Senate bill reflected a relatively positive view of businesses, recognizing that they needed to be regulated in this sphere but also evincing a desire not to overly burden businesses with costly obligations. A belief that businesses might take advantage of consumers at every opportunity and needed to be regulated more strictly, on the other hand, was manifest in the House bill.
This difference in outlook could be seen in how the same GDPR-style rights were implemented. The Senate bill often made exceptions to consumer rights in situations where complying with a request would be cost prohibitive or technically infeasible, would have allowed businesses to retain data a consumer requested to delete if it was necessary for a “business purpose,” and in limited circumstances would have permitted businesses to charge a “reasonable fee” to comply with repetitive consumer requests. The House bill did not include nearly as many exceptions for businesses, only allowed for an analogous exception from the right to deletion if the data was necessary “in relation to the purposes for which it was collected or processed,” and forbid business from ever charging consumers any fees.