Last week, the Washington State Senate and House failed to reach agreement on a final version of the “Washington privacy act” (SB 6281) (See here for detailed analysis of the original bill) and have adjourned for the rest of 2020, meaning that privacy legislation is almost certainly not going to be enacted this year. Consequently, the “California Consumer Privacy Act” (CCPA) (AB 375) essentially stands alone as the only major state privacy statute at present. The House’s insertion of a private right of action and its tightening of some of the provisions, as called for by privacy and consumer advocates, seem to have been differences too vast to close given the amount of time lawmakers had. And yet, a privacy bill made it farther than last year, when the Senate’s bill perished in the House without even coming to the floor for a vote, largely over facial recognition provisions. It looks like lawmakers will try again next year, when the Washington state legislature is slated to be in for most of the year, unless, of course, Congress passes a federal privacy law that preempts state laws.
A number of stakeholders in the legislature sought to make clear where they think the blame should be laid for SB 6281 failing to make it to the governor’s desk. In a statement, one of the Senate’s primary sponsors, Senator Reuven Carlyle (D-Seattle), claimed that “[t]he impasse remains a question of enforcement…[and] I continue to believe that strong attorney general enforcement to identify patterns of abuse among companies and industries is the most responsible policy and a more effective model than the House proposal to allow direct individual legal action against companies.”
In her framing of SB 6281 dying, the House Innovation, Technology and Economic Development Committee Ranking Member Norma Smith (R-Clinton) claimed that the version of the bill the Senate passed “purported to be comprehensive consumer data privacy…[but] was corporate-centric, not consumer focused.” She added that the House “closed some of the most significant loopholes and provided individual consumers the ability to access justice should their rights—as declared in the bill—be violated.” Smith argued that “the Senate wanted both big loopholes and weak enforcement…[a]nd that is why the bill died today.”
Earlier this month, the House finished its consideration of SB 6281 and passed the bill by a 56-41 vote, sending the changed bill back to the Senate. However, the Senate refused to concede to the House amendments and asked that the House recede. A conference committee was ultimately convened but to no effect as the effort to pass a bill fell apart. The House’s bill had a private right of action, which was opposed by stakeholders in the Senate. However, one of SB 6281’s primary Senate sponsors suggested the Senate may be open to a private right of action provided that it is tightened. Notably, the House’s amended bill had stricken all the provisions on facial recognition technology, which is not surprising considering that it was similar language last year that sank the Senate’s privacy bill in the House.
As explained by House staff, the House’s version of SB 6281 differs from the Senate’s passed bill in these ways:
- Modifies the jurisdictional scope threshold that makes the obligations of the bill applicable to legal entities that derive over 25 percent, rather than 50 percent, of gross revenue from the sale of personal data and control or process personal data of 25,000 or more consumers.
- Provides that controllers must allow guardians to exercise consumer personal data rights on behalf of consumers.
- Removes provisions prohibiting this chapter from serving as the basis of a private right of action and allocating liability.
- Modifies enforcement by providing that violations are enforceable under the Consumer Protection Act.
- Specifies that local laws, ordinances, or regulations regarding the processing of personal data that are adopted prior to the effective date of the bill are not superseded or preempted.
- Specifies in the definition of consumer that acting in an individual or household context includes buying and selling in an individual or household context.
- Modifies the definition of deidentified data to include data that cannot reasonably be used to infer information about, or be linked to, a household.
- Requires the Office of Privacy and Data Protection to produce a public report regarding the data protected and not protected under the bill.
- Specifies that certain transactions do not count as consumers for purposes of the thresholds that a legal entity must meet in order for the provisions of the bill to apply.
- Removes all provisions regarding facial recognition.
In mid-February, the Senate passed a version of SB 6281 that had been altered by the Senate Ways and Means Committee. Among the notable changes made were:
- Delaying the effective date for colleges and non-profits for three years to July 31, 2024
- State agencies and tribes were included among those entities exempted from meeting the requirements of the new privacy and data security mandates
- Clarifying that one may exercise her right to data portability without also having to exercise her right of data access
- The provisions on nondiscrimination are expanded to make clear that controllers may not charge different prices or offer lesser services or products if a person exercises his rights under the bill
- Controllers may not “enroll a consumer in a facial recognition service in connection with a bona fide loyalty, rewards, premium features, discounts, or club card program.”
- Tightens one of the exceptions allowing controllers and processors to disregard the requirements of the bill, so that it applies only if doing so is “essential for the life of the consumer or another natural person” as opposed to being important to their “vital interests.”
- Tightens another such exemption by clarifying that controllers and processors may process data only for internal operations
- Expands the definition of “verification” in the context of the new regulatory scheme for facial recognition