Washington State Fails to Enact Privacy Act
Despite support from the technology industry and almost unanimous support in the state Senate, the Washington Privacy Act (SB 5367) appears to be dead after it failed to pass the Washington House before the April 17 deadline for the current legislative session. The bill—assumed by many to be a sure thing in light of the complete Democratic control of the Washington state government—hit a roadblock after significant amendments aimed at increasing consumer privacy, including enhanced obligations related to facial recognition, were proposed in the House. When legislators failed to bring the bill for a vote before the deadline, the bill's sponsor, Sen. Carlyle (D.-Seattle), tweeted that consumer privacy reform would be shelved until 2020.
The WPA, unlike other state privacy laws proposed this year, was modeled on the EU's General Data Protection Regulation ("GDPR") rather than the recently enacted California Consumer Privacy Act ("CCPA"). As explained in an earlier client alert, the WPA would have given Washington residents the right to access data that companies held about them (similar to the right contained in the CCPA), to correct inaccurate information about them, to demand deletion of data with only a few exceptions, and to opt out of some uses of their data, such as for targeted advertising. In addition, companies would have been required to conduct "risk assessments" of their processing of consumers' personal data and to ask for the affirmative consent of consumers before processing their data in ways that posed a high risk of privacy harm.
While the WPA's GDPR-like obligations would have provided Washington residents with more privacy protections than most US citizens have, some privacy advocates opposed the Senate bill as not going far enough, supporting instead the amended House version as a positive first step. The amendments proposed in the House would have applied the law to all for-profit entities, rather than just those above certain revenue or number-of-customers thresholds, and included a private right of action that allowed individual consumers, not just the attorney general, to sue to enforce the law. The proposed amendments would have also imposed stricter controls on the use of facial recognition technology, including a requirement that companies obtain consent prior to the use of such technology on consumers' personal data, and would not have allowed conspicuous notice in the place where facial images are gathered to suffice as consent. The amendments would also have required companies using facial recognition technology to obtain an independent audit to confirm that "no statistically significant variation occurs in the accuracy of the facial recognition technology on the basis of race, skin tone, ethnicity, gender, or age of the individuals portrayed in the testing images" and would have prohibited the use of profiling to make decisions that produced "legal effects concerning consumers or similarly significant effects concerning consumers."
If Washington lawmakers can act quickly to come to an agreement on the substance of privacy reform, it is possible that the law could be considered before the legislative session ends for the year on April 28, provided that legislators vote to extend the deadline for considering bills that do not affect the budget. And while the possibility of privacy reform in Washington looks grim, legislatures around the country continue to debate a plethora of other privacy laws, including CCPA-like reforms, amendments to data breach notification laws, and biometrics laws.