Conceptual image about how a laptop computer with internet open a virtual door to worldwide information sharing.Keypoint: The WPA version that passed out of the House committee contains a private right of action along with other changes strengthening the WPA’s privacy provisions.

On Friday, February 28, the Washington House Innovation, Technology & Economic Development Committee (ITED) voted to pass a strengthened version of the Washington Privacy Act (WPA) out of committee. As discussed in our prior post, on February 14, the Washington Senate voted overwhelmingly to pass the WPA. Yet, after moving to the House, the WPA encountered substantial resistance from privacy advocates. At a public hearing on February 21, privacy advocates argued against the WPA’s lack of a private right of action, facial recognition provisions, and preemption of local laws, among other things.

Ultimately, the ITED committee approved a number of amendments to the bill. Perhaps the most notable amendment was the creation of a private right of action to enforce the privacy rights granted in the WPA. By way of explanation, the Senate version of the WPA grants the state Attorney General with “exclusive authority to enforce” the WPA. In comparison, the ITED committee version of the WPA allows Washington residents to bring claims under the state Consumer Protection Act, which authorizes litigants to seek an injunction, actual damages, treble damages, costs of suit, and attorney’s fees.

The lack of a private right of action was one of the reasons why the WPA failed in 2019. Privacy advocates argue that a private right of action is essential for consumers to adequately enforce their privacy rights. Conversely, business advocates argue that a private right of action (particularly, one that allows for attorney’s fees) would result in endless litigation. Nevertheless, if Washington lawmakers want to pass consumer privacy legislation this year, they will need to find a compromise on this issue.

Other notable changes made to the WPA by the ITED committee are detailed below.

  1. Changes to the WPA’s Jurisdictional Scope

The ITED committee modified Section 4 (Jurisdictional Scope) to provide that the WPA applies to legal entities that derive over 25% of their gross revenue from the sale of personal data and process and control the personal data of 25,000 or more consumers (i.e., Washington residents). The Senate version of the WPA sets the threshold at 50%.

The WPA would still also apply to legal entities that, during a calendar year, control or process the personal data of 100,000 or more consumers.

Moreover, in another amendment, payment-only credit, check, or cash transactions where no data about the consumer is retained would not count as “consumers” for purposes of meeting the consumer threshold requirements.

  1. Change to Definition of Consumer

The ITED committee slightly modified the WPA’s definition of “consumer” to specify that acting in an individual or household context includes buying and selling in an individual or household context.

  1. Facial Recognition

The ITED committee passed a number of amendments to the facial recognition provisions in Section 17 of the WPA. First, local laws, ordinances, or regulations regarding facial recognition would no longer be preempted by the WPA. Second, the committee removed the WPA’s provisions permitting controllers to enroll a consumer’s image in a facial recognition service without first obtaining the consumer’s consent. The committee amendments also require facial recognition training to include coverage of facial recognition error rates based on demographical differences. Finally, the amendments permit disclosure of personal data obtained from a facial recognition service to law enforcement when required in response to a court-ordered warrant, rather than a court order, or subpoena or summons issued by a judicial officer or grand jury.

  1. Data Minimization

The ITED committee also modified the data minimization responsibility of controllers to require that a controller’s collection of personal data be only as reasonably necessary for specified purposes, rather than adequate, relevant, and limited to what is necessary for processing purposes disclosed to consumer.

  1. Consumer Rights

The committee amendments require controllers to allow guardians or conservators to exercise consumer personal data rights on behalf of consumers subject to guardianship or conservatorship.

  1. Preemption

Local laws, ordinances, or regulations regarding the processing of personal data by controllers or processors that are adopted prior to the effective date of the WPA would not be superseded or preempted.

The House version of the WPA now moves to appropriations. While the ITED committee’s passing of the WPA out of committee is a significant step towards the potential passage of the WPA, it still remains uncertain whether lawmakers will be able to reach a compromise bill prior to the legislature closing on March 12.

Print:
EmailTweetLikeLinkedIn
Photo of David Stauss David Stauss

David is leader of Husch Blackwell’s national privacy and cybersecurity practice group. He routinely counsels clients on responding to data breaches, complying with privacy laws such as GDPR and the California Consumer Privacy Act, and complying with information security statutes. He also…

David is leader of Husch Blackwell’s national privacy and cybersecurity practice group. He routinely counsels clients on responding to data breaches, complying with privacy laws such as GDPR and the California Consumer Privacy Act, and complying with information security statutes. He also represents clients in data security-related litigation. David is certified by the International Association of Privacy Professionals as a Privacy Law Specialist, Certified Information Privacy Professional (US), Certified Information Privacy Technologist, and Fellow of Information Privacy.

Photo of Malia Rogers Malia Rogers

Clients of all sizes – from innovative startups to Fortune 500 corporations – value Malia’s counsel on a broad range of privacy and cybersecurity issues, including incident response in times of emergency. She advises clients on privacy compliance planning, which encompasses cybersecurity measures…

Clients of all sizes – from innovative startups to Fortune 500 corporations – value Malia’s counsel on a broad range of privacy and cybersecurity issues, including incident response in times of emergency. She advises clients on privacy compliance planning, which encompasses cybersecurity measures as well as drafting breach response and action plans.

Photo of Megan Herr Megan Herr

Whether clients are forming, growing or governing businesses, Megan assists in the corporate deals and transactions necessary to move forward. A corporate attorney, Megan focuses her practice on helping clients of all sizes – from emerging startups to international corporations – establish, grow…

Whether clients are forming, growing or governing businesses, Megan assists in the corporate deals and transactions necessary to move forward. A corporate attorney, Megan focuses her practice on helping clients of all sizes – from emerging startups to international corporations – establish, grow and protect business.