Privacy Bill Essentials: Washington

March 25, 2021 | Updated, April 28, 2021
Hinshaw Privacy & Cyber Bytes

* Update on April 28, 2021: The Washington Legislature closed on April 25, 2021 without voting on the Washington Privacy Act (WPA), thus Washington has failed to pass a privacy bill for the third straight year. The deadline for the vote was April 11, 2021, but the bill’s author, Senator Carlyle, tried to keep it alive by holding out until the close of legislation. With that having ended as well, the WPA is dead for 2021. 

The state of Washington is making another attempt at passing a privacy bill. Earlier this month, the Washington Privacy Act passed the Senate and has now moved to the House of Representatives. Although it has the support of large tech companies like Microsoft and Amazon, it is facing pushback from consumer groups who are demanding a private right of action be included.

To whom would it apply?

The Washington Privacy Act would apply to all legal entities that conduct business in Washington or produce products or services that are targeted to Washington residents (referred to as "consumers") who meet one or both of the following criteria:

The Act exempts certain entities such as state agencies and local governments.

What types of information would it cover?

The Act would cover any information that is linked or reasonably linkable to an identifiable person. It would not include deidentified (anonymized) data or publicly available information. Certain types of information, such as information subject to HIPAA and GLBA, would not be covered by the Act.

What rights would it create?

The bill would create a number of consumer rights, including the right to:

What obligations would it impose?

Under the bill, businesses would be required to:

How would it be enforced?

The rights provided by the Act would only be enforced by the attorney general. No private right of action is provided for. If a violation is discovered, the attorney general would be required to provide the entity with 30 days to resolve the issue prior to filing any complaint. After that, an entity found in violation of the act could be fined up to $7,500 per violation plus any costs the state incurred in enforcing the act. Further, the bill would create an exception for any contracts that a consumer may enter into with the business that negates anything set forth in the bill. It does not however, specifically define how the term "contract" will be interpreted. Finally, some of the language seems to imply liability only for knowing violations of the Act, so it is unclear if and what consequences there would be for unintended data breaches.

When would it go into effect?

The Act is slated to take effect on July 31, 2022. Certain sections would not apply to higher education or nonprofit organizations until July 31, 2026.

Where does it stand?

The Washington Privacy Act is currently being considered by a House committee, and is scheduled to be reviewed on March 26, 2021.