Washington Privacy Act Proposal Increases Pressure for Federal Legislation


In the wake of the EU GDPR and the California Consumer Privacy Act (CCPA), Washington State has recently become the next in a series of U.S. states to discuss proposals for data privacy legislation. The bill introduced in January 2019 would apply to businesses controlling or processing the data of at least 25,000 consumers and shares various aspects, including the definition of personal data, with the GDPR and/or the CCPA. Like the latter, it covers consumers’ rights to access, portability, correction and deletion of their data as well as the right to object to processing. It also stipulates fines in the event of violations.

In addition, the proposed Washington Privacy Act focuses on obligations regarding digital profiling and facial recognition—and in these areas it differs significantly from other existing and proposed acts. The same applies to the lack of any private right of action under the bill.

Despite agreeing in principle with the need for greater privacy protection, stakeholders from industry and the public have expressed concern regarding the compliance burden for smaller businesses as well as the unclear consequences of overlapping with existing federal privacy obligations. Most notably, however, the recent proposal in yet another state adds to the growing fear of a confusing and expensive patchwork of different privacy regulations across the U.S., and thus to the urgency of calls for federal-level legislation on the issue that would harmonize and supersede—or at least provide a minimum basis for—individual states’ laws.

While the pressure—especially by major cloud and data industry players—to get a nationwide privacy act underway has been mounting in recent months, a comprehensive data privacy bill covering all important elements including punitive consequences has yet to be introduced to Congress. Given the speed at which the wheels of lobbying and lawmaking in the capital turn, it may still be some time until appropriate federal data privacy regulations are in place—but their eventual arrival seems all but inevitable considering the developments of the past months.

Many lawyers specializing in data privacy are already advising their customers to begin general preparations for compliance with rules similar to those in existing data privacy laws if they have not already done so: systematic assessments of current privacy and data-handling practices, risk evaluations, implementation of robust data security policies, and consideration of how to comply with requests made in exercise of consumer rights.

It is certainly advantageous to start engaging with these concepts now in order to achieve a high level of readiness for whatever specific obligations will ultimately be imposed.

What is also apparent here is the pioneering role played by the European GDPR. With this fundamental regulation, the EU has provided a best practice example of how to address the topic of protecting personal data in a comprehensive, serious and standardized fashion—all in all a great achievement of European economic policy that was thankfully successful despite the many attempts to prevent it.

It is clear that many issues arising in connection with the digital transformation can only be meaningfully regulated at the superregional level. Nationalistic attempts to secure local legal, economic or tax advantages in the context of global developments have regularly turned out to be detrimental for the affected citizens and economies.

Unfortunately, many of the currently most vociferous politicians do not seem to understand the damage they are causing.