In the wake of the passage of the California Consumer Privacy Act (CCPA), Washington state is primed to be the next state to pass its own privacy law, which is modeled after the GDPR.
Senate Bill 5376, also known as the Washington Privacy Act, seeks to give consumers visibility into the information collected about them, and how their information is shared with third parties. The law, like the CCPA, gives consumers the right to correct inaccurate information, request the deletion of their personal data, and object to their personal data being used in marketing. The law also draws from Europe's General Data Protection Regulation (GDPR) in its definitions of controllers and processors of personal data, and the responsibilities of both. Additionally, the law requires consent for the use of facial recognition technology on consumers.
Notably, the law has garnered support from Microsoft's General Counsel for Privacy and Regulatory Affairs.
The bill was quickly passed in the Senate and now awaits passage in the House. The State House version of the bill, which has yet to pass, broadens the applicability of the law to all "legal entities that conduct business in Washington or produce products or services that are intentionally targeted to residents of Washington" and adds a private right of action with a 30-day grace period.
"Now that a second comprehensive privacy law on the West Coast appears likely, the core privacy rights undergirding the CCPA and WPA appear to be here to stay. Businesses of nearly any size should immediately begin modifying their information governance plans accordingly, if they have not started that process already. For businesses that have been reluctant to greenlight reviews of their data ecosystem and information governance programs, the compliance risk presented by comprehensive privacy laws such as the GDPR, CCPA and the WPA is only going to increase from here. " - Mannatt
If passed, the law will go into effect on July 30, 2020.