It was a given that the Washington Privacy Act – the country’s (presumptive) second piece of general data-privacy legislation – would pass this year and follow the path blazed by the California Consumer Privacy Act (the “CCPA”).
The Washington Legislature first proposed (and failed to pass) privacy legislation in 2019. Just a few months ago, a new version of the Washington Privacy Act was proposed. The new version was expected to include protections for Washington consumers similar to the protections afforded by the European Union’s General Data Protection Regular (GDPR), and privacy professionals began preparing clients for compliance.
In mid-February 2020. The Act passed the state Senate 46-1 and headed to the House where many expected it to pass without any major obstacles.
One primary issue dissuaded the House: the lack of a private right of action. Senator Reuven Carlyle summed up the issue:
“Following two historic, near-unanimous votes on proposals in the Senate this year and last, I’m deeply disappointed that we weren’t able to reach consensus with our colleagues in the House. The impasse remains a question of enforcement. As a tech entrepreneur who has worked in multiple startup companies, and in the absence of any compelling data suggesting otherwise, I continue to believe that strong attorney general enforcement to identify patterns of abuse among companies and industries is the most responsible policy and a more effective model than the House proposal to allow direct individual legal action against companies.”
Washington legislators will have a chance to try again next year – and all signs indicate that they will do so. In the meantime, businesses should keep an eye on other states (Florida, Minnesota, New York, and Wisconsin to name a few). As always, we’ll keep an eye on things for our clients.
Employers with questions regarding data privacy, cybersecurity or other business matters should contact a Kerr Russell attorney.
Jeffrey A. May practices in the areas of general business law, intellectual property, and litigation with a focus on the increasingly important area of Cybersecurity and Data Privacy Law. He is credentialed as a Certified Information Privacy Professional/United States (CIPP/US). He has prior experience owning and operating a technology-based business. His experience and education allow him to assist clients with a wide range of business issues and litigation matters. Jeffrey helps clients identify and mitigate risks related to data security incidents and breaches. He also helps with information technology policies and practices, and data sharing arrangements with third parties.
Other posts to consider: