Privacy & Information Security Law Blog

On January 13, 2020, lawmakers in Washington state introduced a new version of the Washington Privacy Act, a comprehensive data privacy bill, in both the state Senate and House of Representatives. It would apply to companies conducting business in Washington or who provide products or services to Washington residents.

The bill mirrors some of the language and requirements of the General Data Protection Regulation and would provide consumers with several new rights to control the use of their data. It also contains a section dedicated entirely to the use of facial recognition technology. As drafted, the bill does not provide a private right of action.

Key provisions of the bill would:

•  provide consumers with the rights of access, correction, deletion and data portability;
• provide consumers with the right to opt-out of processing of personal data for the purposes of targeted advertising, sale of personal data or profiling;
• require that collection of personal data is adequate, relevant and limited to what is reasonably necessary in relation to the specified and express purposes for which the data is processed;
• require that controllers avoid secondary uses of data without the consumer’s consent;
• require that controllers obtain consumer’s consent before processing “sensitive” data;
•  require that controllers conduct a data protection assessment of each of their processing activities, identify and weigh benefits and risks of the processing, and avoid processing where the risks are substantial and outweigh the benefits unless an exemption applies;
• allow the state attorneys general to enforce the law through injunctions and civil penalties up to $7,500 per violation; and,
• require companies providing facial recognition services to comply with several obligations, including making an interface available for accuracy and unfairness testing and providing notice whenever the service is deployed in a physical premise open to the public.

Last year, Washington’s Senate passed a predecessor version of the Washington Privacy Act, but the bill died in the House. This draft, if enacted, would take force in July 2021.