January 27, 2023

Volume XIII, Number 27


January 26, 2023

Subscribe to Latest Legal News and Analysis

January 25, 2023

Subscribe to Latest Legal News and Analysis

January 24, 2023

Subscribe to Latest Legal News and Analysis

New Washington State Privacy Bill Incorporates Some GDPR Concepts

new bill, titled the “Washington Privacy Act,” was introduced in the Washington State Senate on January 18, 2019. If enacted, Washington would follow California to become the second state to adopt a comprehensive privacy law.

Similar to the California Consumer Privacy Act (CCPA), the Washington bill applies to entities that conduct business in the state or produce products or services that are intentionally targeted to residents of Washington and includes similar, though not identical size triggers. For example, it would apply to businesses that 1) control or process data of 100,000 or more consumers; or 2) derive 50 percent or more of gross revenue from the sale of personal information, and process or control personal information of 25,000 or more consumers. The bill would not apply to certain data sets regulated by some federal laws, or employment records and would not apply to state or local governments.

The bill incorporates aspects of the EU’s General Data Protection Regulation (GDPR) and borrows the “controller”/“processor” lexicon in identifying obligations for each role from the GDPR. It defines personal data as any information relating to an identified or identifiable natural person, but does not include de-identified data. Similar to the GDPR, it treats certain types of sensitive information differently. Unlike the CCPA, the bill excludes from the definition of “consumer” employees and contractors acting in the scope of their employment. Additionally, the definition of “sale” is narrower and limited to the exchange of personal data to a third party, “for purposes of licensing or selling personal data at the third party’s discretion to additional third parties,” while excluding any exchange that is “consistent with a consumer’s reasonable expectations considering the context in which the consumer provided the personal data to the controller.”

Another element similar to the GDPR in the bill, requires businesses to conduct and document comprehensive risk assessments when their data processing procedures materially change and on an annual basis. In addition, it would impose notice requirements when engaging in profiling and a prohibition against decision-making solely based on profiling.

Consumer rights 

Similar to both the GDPR and the CCPA, the bill outlines specific consumer rights.  Specifically, upon request from the consumer, a controller must:

  • Confirm if a consumer’s personal data is being processed and provide access to such data.
  • Correct inaccurate consumer data.
  • Delete the consumer’s personal data if certain grounds apply, such as in cases where the data is no longer necessary for the purpose for which it was collected.
  • Restrict the processing of such information if certain grounds apply, including the right to object to the processing of personal data related to direct marketing. If the consumer objects to processing for any purpose other than direct marketing, the controller may continue processing the personal data if the controller can demonstrate a compelling legitimate ground to process such data.

If a controller sells personal data to data brokers or processes personal data for direct marketing purposes, it must disclose such processing as well as how a consumer may exercise the right to object to such processing.

The bill specifically addresses the use of facial recognition technologies. It requires controllers that use facial recognition for profiling purposes to employ meaningful human review prior to making final decisions and obtain consumer consent prior to deploying facial recognition services. State and local government agencies are prohibited from using facial recognition technology to engage in ongoing surveillance of specified individuals in public spaces, absent a court order or in the case of an emergency.

The Washington State Attorney General would enforce the act and would have the authority to obtain not more than $2,500 for each violation or $7,500 for each intentional violation. There is no private right of action.

The Washington Senate Committee on Environment, Energy & Technology held a public hearing on January 22, 2019 to solicit public opinions on this proposed legislation. At the beginning of the public hearing, the Chief Privacy Officer of Washington, Alex Alben, commented that the proposed legislation would be just in time to address a “point of crisis [when] our economy has shifted into a data-driven economy” in the absence of federal legislation regarding data security and privacy protection.

Industry reaction to the bill

Companies and industry groups with an interest in this process applauded this proposed legislation as good news for entities that have become, or are on their way, to becoming compliant with the GDPR. Many also shared suggestions or criticisms. Among others, some speakers cautioned that by setting a high standard closely resembling the GDPR, the bill might drive small- or medium-sized companies to block Washington customers, just as they have done in the past to avoid compliance with the GDPR.

Some representatives, including the Chief of the Consumer Protection Division of the Washington Attorney General’s Office, call for a private cause of action so that this law would mean more to a private citizen than simply “a click on the banner.” The retail industry, the land title association, and other small business representatives expressed their preference for legislation on a federal level and a higher threshold for applicable businesses. Specifically, Stuart Halsan from the Washington Land Title Association recommended that the Washington Senate consider this bill’s impact on industries, such as the land title insurance industry, where the number of customers is significantly lower than the amount of data it processes in their ordinary course of business.

In response to these industry concerns, the committee acknowledged that this new legislation would need to be very sensitive to apply proportionately to businesses of different sizes and technology capabilities. The committee also recognized the need to make this legislation more administratively feasible for certain industries or entities that face difficulty in compliance (such as the secondary ticketing market) or subject to complicated regulatory frameworks (such as the bank industry). The Washington Senate continues to invite individuals, companies, or industry groups to submit brief written comments here.

© 2023 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.National Law Review, Volume IX, Number 31

About this Author

Katherine Armstrong, Drinker Biddle Law Firm, Washington DC, Data Privacy Attorney

Katherine E. Armstrong is counsel in the firm’s Government & Regulatory Affairs Practice Group where she focuses her practice on data privacy issues, including law enforcement investigations, and research and analysis of big data information practices including data broker issues.

Katherine has more than 30 years of consumer protection experience at the Federal Trade Commission (FTC), where she served in a variety of roles, including most recently as a Senior Attorney in the Division of Privacy and Identity Protection.  In the Division of...


Qiusi Y. Newcom assists clients with navigating emerging issues and regulatory compliance in telecommunications laws and international trade laws. She is an associate with the Telecommunications Team and the Customs and International Trade Team.

Prior to joining Drinker Biddle, Qiusi was an associate with a boutique employment law firm where she handled labor and employment matters before federal courts and federal agencies, including the Equal Employment Opportunity Commission. Qiusi also gained valuable litigation experience...