Statue of lady Justice with scale buried in sand showing the failure in passing the Washington Privacy Act for the second time

Washington Privacy Act Fails to Pass, Again

Lawmakers in the U.S. state of Washington have last month, for the second year running, failed to push through a piece of legislation aimed at strengthening state-wide privacy regulations. The legislation in question, SB 6281 (referred to as the ‘Washington Privacy Act’) holds many similarities to both the EU’s GPDR and California’s CCPA in that it considerably tightens regulations around how companies make use of third-person data.

The Washington Privacy Act had initially passed through the Washington State Senate this year with a vote of 46-1 back in February. Then went on to pass through the state House of Representatives with a 63-33 vote on March 6, but only after various amendments had been made to the bill. Chief among these amendments centered around a broad private right of action, allowing individuals to take enforcement into their own hands. The state senate, however, did not agree with the bill’s amendments, and subsequently blocked its passage.

The movement marks the second time in which the Washington Privacy Act failed to pass into law. Last year, a version of the bill also made its way through the Senate in a 46-1 vote, only to be later blocked in the House of Representatives.

Outside of Washington, several other US states also have pieces of similar legislation pending which aim at protecting consumer privacy, following in the footsteps of CCPA. However, with the impact of the ongoing coronavirus outbreak on policymaking, many such bills will likely remain pending for the foreseeable future.

A question of enforcement

Interestingly, the failure of the Washington Privacy Act came largely as a result of a scuffle over how the law would be enforced, rather than any intrinsic disagreement about the contents of the bill itself.

In a 12 March statement, Democratic Senator Reuven Carlyle—who has spearheaded the legislation—said that a disagreement centered around whether enforcement should be left to the state attorney general’s office or to individuals.

“Following two historic near unanimous votes on proposals in the Senate this year and last,” Carlyle wrote, “I’m deeply disappointed that we weren’t able to reach consensus with our colleagues in the House. The impasse remains a question of enforcement.”

“I continue to believe that strong attorney general enforcement to identify patterns of abuse among companies and industries is the most responsible policy and a more effective model than the House proposal to allow direct individual legal action against companies.”

The House of Representatives, on the other hand, did not seek to have the state attorney general to enforce the law, but rather to afford a broad private right of action to individuals to enforce the law themselves.

In focus: the Washington Privacy Act

If the Washington Privacy Act were to have gone into effect, it would have applied to all companies which either do business in the state of Washington or which produce goods or services that are bought and sold there.

In addition, companies affected would need to have either the data of at least 100,000 customers in their possession, or 25,000 customers in their possession if the company derives more than 50% of its gross revenue off of the sale of that data.

The bill itself would have granted new levels of consumer protection to residents of Washington state with respect to their data security. These included affording state residents the right of access, the right to request that personal data is deleted by a company, and the right to opt out of their data being processed in the first place. In addition, the Washington Privacy Act also sought to place facial recognition technology under increasing regulation, requiring performance testing and consumer disclosures.

Privacy legislation in the U.S.

In the absence of any overarching federal protection for user privacy in the US, states themselves have taken the lead in bringing about restrictions on how companies use and interact with the personal information of their customers.

California’s CCPA is the primary example of this, serving as the strictest privacy act currently in effect in the US. However, should Washington Privacy Act come into effect in the future in its current form, it would likely surpass the CCPA to become the most comprehensive privacy law in the US to date.

Comparably to the both the EU’s GDPR and California’s, CCPA, the Washington Privacy Act approaches the subject of privacy from an all-inclusive approach point of view, asserting that privacy protections are fundamental to maintaining civil liberty.

This legal prospect stands in sharp contrast to existing US laws regarding privacy, which typically extend to privacy protections only in the context of specific sectors. For example, privacy is protected for US citizens in relation to personal medical information in the healthcare sector, income statements in the financial sector, and the personal information of minors in general.