May 17, 2022

Volume XII, Number 137


May 16, 2022

Subscribe to Latest Legal News and Analysis

Somebody's Watching EU: Washington State Senate Passes Privacy Legislation Similar to European Union's Data Privacy Regulations

Washington could be the next U.S. state to enact consumer privacy legislation similar to the EU's General Data Protection Regulation (GDPR). On Wednesday, the Washington state Senate overwhelmingly approved the Washington Privacy Act, SB 5376 (the "WPA") which takes its cues from the GDPR playbook to address consumer privacy concerns.

Under the WPA, companies must be transparent and accountable for how they process consumer data, which includes providing a clear and meaningful privacy notice that describes the types of data collected, the purposes for collecting such data, and how the data is used, including whether the data is shared with or sold to third parties.  In an effort to assist companies in being transparent, the WPA also requires companies to conduct risk assessments to determine whether their data collection procedures are putting consumer privacy rights at risk.  Where a company’s data collection practices go against consumer privacy rights, the company must have express consumer consent before collecting personal data.

The WPA gives individual consumers the right to request that a company: (1) fully disclose what kinds of personal information they are holding and how they are using it; (2) modify or correct an individual’s personal data; (3) delete an individual’s personal data; and (4) limit how an individuals’ personal data may be used.  The WPA also gives consumers the right to withdraw previous consent for the use of personal data.

The WPA also addresses consumer privacy in the context of facial recognition technology and requires facial recognition technology providers to contractually prohibit their customers from using the technology to unlawfully discriminate against individuals or groups of consumers. 

The WPA applies to companies that conduct business in Washington or intentionally target Washington residents, who also either (1) control or process data of at least 100,000 consumers or (2) derive at least 50% of their gross revenue from the sale of personal data and also control or process data of at least 25,000 consumers.

The WPA does not create a private right of action for individual consumers, but gives the state attorney general the right to bring an action in the name of affected Washingtonians.  Companies in violation of the Act will have a 30-day period to cure any violations and otherwise will be subject to a $2,500 civil penalty for each violation, or $7,500 for each violation that is found to be intentional.  The bill now moves to the House which is also reviewing a companion bill.

Washington State’s move to bolster state-mandated consumer privacy protections follows on the heels of the passage of the California Consumer Privacy Act of 2018 (“CCPA”) which goes into effect January 1, 2020.  The CCPA requires businesses to provide notice to consumers regarding the personal information collected and shared, along with notice of consumer’s rights with respect to that personal information.  Notably, the CCPA contains a broad, seemingly all-encompassing definition of the term consumer that would include employees and business contacts.  Unlike the WPA, the CCPA includes a private right of action, which could be expanded under recently introduced legislation (SB 561) which also removes the 30 day cure period for businesses receiving a notice of an alleged violation.

Legislation similar to the CCPA has been introduced in Hawaii (SB418, introduced January 2019), Massachusetts (SD341, introduced January 2019), New Mexico (SB176, introduced January 2019), Rhode Island (S0234, introduced January 2019), and Maryland (SB0613, introduced February 2019). 

If approved, the Washington State Privacy Act would go into effect July 31, 2021.

© 2022 Bracewell LLPNational Law Review, Volume IX, Number 71

About this Author

Annie Allison, Bracewell Law Firm, Copyright and IP attorney

Annie Allison focuses on advising and assisting clients on intellectual property issues related to trademark, copyright, and technology law.

She regularly prepares and prosecutes trademark applications and assists in the management of global trademark portfolios. Annie also assists on a broad array of IP and technology related matters, including IP licensing and technology transactions focused on software, digital media, advertising, merchandising, and innovative technology. She advises clients on data privacy strategies and related regulatory compliance. Her experience also...

Philip Bezanson, white collar criminal defense, securities, attorney, Bracewell
Managing Partner, Seattle

Philip J. Bezanson's practice focuses on white collar criminal defense, internal investigations, securities enforcement and regulatory matters.

Mr. Bezanson is a member of the Bracewell & Giuliani LLP team that has represented corporate and individual clients in recent high-profile and complex cases, including the Deepwater Horizon explosion, the George Washington Bridge lane closure and General Motors ignition switch investigations, "Pay to Play" cases in New York, New Mexico and Illinois, the stock options backdating cases, and a variety...

Lucy Tyson Privacy and technology lawyer Bracewell

Lucy Tyson’s practice focuses on advising clients in a variety of matters related to the structuring and negotiating of services agreements for business process and information technology outsourcing and managed services. Lucy works with clients to develop and implement data privacy solutions that are compliant with global regulations. She has experience working across organizations, including compliance, HR, security, IT, and legal, to ensure that data privacy solutions are tailored to the client’s needs. Lucy also has experience in advising clients with the protection, maintenance,...