August 10, 2020

Volume X, Number 223

August 10, 2020

Subscribe to Latest Legal News and Analysis

Washington State Takes The Lead In CCPA Copycat Legislation Race, Trends Emerge

Key trends are emerging out of the recently proposed CCPA “copycat” legislation across the United States, and Washington State is leading the charge for stricter data privacy legislation. Businesses should closely monitor the developments in Washington and other states with proposed new privacy laws, particularly with respect to the trend of increased private rights of action.


Since the California Consumer Privacy Act (CCPA) took effect on January 1, 2020, “copycat” legislation has been introduced at a dizzying pace by state legislatures across the country. Taking their cues from CCPA, at last count 16 states have borrowed language from California’s watershed law regarding consumer notices, data subject rights requests, and definitions of “personal information, “sale” of data and other key items. The likely intent is to provide equal (or, in some cases, greater) protections to the residents of their states.

As a practical matter, however, none of the proposed laws is identical to CCPA (nor to each other); some look to the EU General Data Protection Regulation (GDPR), and each takes a complex approach that requires careful reading. The proposed Washington Privacy Act (SB 6281) has been touted as the most comprehensive data protection law in the United States and combines elements of CCPA and GDPR, adding specific protections for biometric information. Late last week, the Washington House added significant enforcement “teeth” by passing an amendment that would provide a private right of action under the Washington Consumer Protection Act for any violation of the Privacy Act.

Despite the lack of uniformity among the recently proposed bills across the country, three key trends are emerging:

Trend #1 – Increased Push for a Private Right of Action

In Washington, pending legislation would extend the private right of action beyond alleged harm arising from data breaches to any violation of the proposed Washington Privacy Act. While prior versions of the legislation vested exclusive enforcement authority in the Washington Attorney General—with penalties up to $7,500 per violation—late last week, the Innovation, Technology and Economic Development Committee in the Washington House approved an amendment to SB 6281 under which any violation of the Privacy Act would be deemed a per se violation of Washington’s Consumer Protection Act. While it is unclear exactly how damages will ultimately be calculated, a broad private right of action is a significant enforcement mechanism for Washington consumers. Supporters of the amendment argued that without a private right of action, companies would have little incentive to comply with the law because the Attorney General’s office lacks the resources to undertake many enforcement actions.

Recent bills propose legislation that closely tracks the CCPA’s private right of action for individuals who allege that they were harmed by data breaches caused by a business’ failure to implement “reasonable security” measures. Both the Illinois Data Transparency and Privacy Act (SB 2330) and New Hampshire’s proposed privacy law, HB 1680, provide consumers with private right of action where personal information is (i) unencrypted and unredacted; and (ii) subject to exfiltration, theft or disclosure due to failure to implement reasonable data security procedures. Consumers may seek damages the greater of $100 – $750 per consumer, per incident or actual damages.

If Washington or other states enact data privacy laws with such provisions, the potential liability for organizations affected by data breaches or failing to comply with sweeping new privacy obligations could rapidly become substantial, if not staggering. The private rights of action in the proposed state laws make it imperative for businesses to inventory the personal data they hold, practice data minimization principles, and invest in reasonable cybersecurity measures to mitigate exposure in the event of a data breach and implement comprehensive compliance programs.

Trend #2 – Data Controllers to Undertake Risk Assessments

Recently proposed legislation reflects not only provisions drawn from the CCPA, but also those based on the GDPR, most notably the definition of data controller and data processor roles and responsibilities. In addition, at least three states include a requirement for data controllers to perform risk assessments of their data. A data controller is an entity who, alone or jointly with others, determines the means and purpose of the processing of personal data. For example, in the Washington Privacy Act, data controllers must conduct and document data protection assessments for:

  1. Targeted advertising data processing;

  2. The sale of personal data;

  3. When profiling of data creates a foreseeable risk of injury (financial, physical or reputational), unfair impact or intrusion on the private affairs of consumers;

  4. For the processing of sensitive data; and

  5. Any processing activity that represents a heightened risk of harm to consumers. In addition, the assessments must weigh the benefits and risks of processing.

Similarly, both the Virginia Privacy Act (HB 473) and Illinois Data Transparency and Privacy Act require controllers to perform a risk assessment for each processing activity involving personal information, and an additional risk assessment each time there is a change in processing that “materially increases the risk to consumers.” The proposed Virginia and Illinois laws assert that if the privacy harm risks to consumers outweigh the interest of a controller, business or other stakeholder, then consumer consent is required for processing. If such consumer consent is sought by a controller, it should be easily given and withdrawn.

Of note, all three states include a provision that the risk assessments must be provided to the state’s Attorney General upon written request; however, the assessments are confidential and exempt from public disclosure. Businesses subject to GDPR will likely have already performed internal data privacy impact assessments (DPIAs), which are a demanding exercise. For organizations without EU-facing operations, the compliance burden is likely to increase should these laws pass in their current form.

Trend #3 – Increased Protection for Biometric Data

Likely a result of publicity surrounding litigation arising out of the Illinois Biometric Information Privacy Act (BIPA) and recent media attention regarding the increased prevalence of biometric technologies, a number of the newly proposed data privacy laws focus on strengthening protections for biometric data. Several states proposing recent legislation—Illinois, Nebraska, New Hampshire, Virginia and Washington—include biometric identifiers in the definition of either personal information or sensitive data.

Notably, the Washington Privacy Act would require controllers to obtain opt-in consent from consumers to process biometric data and would include a section devoted exclusively to the requirements for data controllers with respect to Facial Recognition Technology (FRT). Examples of such requirements include:

  1. Obtaining consent from consumers prior to enrolling a consumer’s image in FRT;

  2. Separating FRT databases from other databases and reviewing FRT databases annually;

  3. Ensuring that any FRT that may have a legal effect is subject to human review; and

  4. Requiring periodic training of those who operate a FRT service.

Due to the increased focus on these technologies, companies should carefully and thoroughly evaluate the privacy implications of any biometric or FRT product or service prior to launch. For example, facial recognition technology has reportedly been deployed in certain countries to identify those with elevated temperatures in order to prevent the spread of COVID-19. How these new laws in the United States will mesh with biometric technologies in the event of a public health crisis remains to be seen.


Time will tell as to whether the 2020 crop of CCPA-like proposed statutes will eventually become law—many similar CCPA copycat proposals failed in 2019—but it is apparent that there is a strong movement to enact stricter data privacy legislation. As Washington’s legislature approaches the end of its legislative session early this month, there is keen interest in the outcome of the Washington Privacy Act, which has a proposed effective date of July 31, 2021. While a similar measure failed in Washington last year, now that CCPA is in effect, the landscape has changed.

Businesses should closely monitor the developments in Washington and other states, particularly with respect to the trend of increased private rights of action and the resulting liability. While these state legislative proposals share a common goal, the lack of standardization among federal, state and international data privacy regimes is cause for significant concern in the business community, which bears the brunt of complying with competing and sometimes conflicting legal and regulatory obligations. These trends show no signs of abating, so stay tuned.

© 2020 McDermott Will & EmeryNational Law Review, Volume X, Number 65


About this Author

Laura E. Jehl Partner Global Privacy & Cybersecurity  Autonomous Vehicles  Compliance  Consumer Data & Digital Marketing  Cross-Border Data Protection  Data Breach Management  Data Licensing & Strategies  Employer Data Privacy  Health Information Privacy  Information Security & Risk Mitigation  Privacy Litigation & Governmental Investigations  FinTech and Blockchain  Technology & Commercial Transactions  Telecommunications Transactions  Energy  Food, Beverage & Agribusiness  Healthcare  Technology  Alcohol

Laura Jehl serves as global head of the Firm’s Privacy and Cybersecurity Practice. Focusing on the intersection of data, law and emerging technologies, Laura advises clients on a broad range of privacy and cybersecurity issues. She has extensive experience identifying and mitigating privacy and data protection issues arising out of the collection, use and storage of data as well as the design of new business models, products and technologies. With unique experience as a former senior in-house counsel and C-suite executive, she understands the business, legal and technological challenges...

Mark Schreiber, McDermott Law Firm, Boston, Cybersecurity Law Attorney

Mark E. Schreiber focuses his practice on cybersecurity, data breach response and global privacy coordination. He advises entities facing cross-border data protection, Privacy Shield and related issues, strategic decisions, and investigations. Mark has led numerous multi-national and cross-border matters, including those involving data breaches, and has advised senior management, boards, and special board committees on a variety of investigations, including data breach prevention and response. Mark is a leader of the Firm’s Global Privacy and Cybersecurity practice.

Mark has spoken around the world on topics related to data breaches and related defense litigation strategy, overlapping international data protection compliance, and other privacy topics. He helped found and was chair for over a decade of the Privacy and Data Protection Group of the World Law Group, an international affiliation of 54 large law firms in some 65 countries, and received the “2012 World Law Group Practice/Industry Group Leader of the Year Award” in recognition of his privacy and data protection work. In addition, Mark helped found and was co-chair of the Boston Bar Association's Privacy Law Committee.

Kari Prochaska Associate  Chicago Corporate & Transactional  Global Privacy & Cybersecurity  Cross-Border Data Protection  Data Breach Management  Employer Data Privacy  Government Investigations  Health Information Privacy Corporate Reorganization  Corporate Services  Mergers & Acquisitions  Post-Merger Integration  Technology & Commercial Transactions  White-Collar  Discovery

Kari Prochaska focuses her practice on data privacy and cybersecurity, corporate due diligence, and complex civil litigation. She has counseled clients regarding incident response, breach notification obligations under state privacy statutes, and data governance. Kari has advised clients on General Data Protection Regulation (GDPR) contractual compliance and cross border data transfer mechanisms. She is a Certified Information Privacy Professional (CIPP/US) by the International Association of Privacy Professionals (IAPP). Also, she has extensive experience supporting clients in corporate...