Another state may join the movement towards adopting General Data Protection Regulation (GDPR)-like privacy protections. A new privacy bill was introduced in the Washington Legislature on January 17, 2019, called the Washington Privacy Act (SB 5376). The Act would give consumers rights that are similar to those under the GDPR, such as the right to access their data, to update and correct their data, to port their data, to request deletion of their data under some circumstances, to restrict processing, and to object to certain processing, including for direct marketing.
Some of the Act’s text is taken verbatim from the GDPR, including parts of the definitions of consent and processing, and the Act adopts GDPR terms such as “controller” and “processor.” As with the GDPR, the Act would require processors to comply with controller processing instructions, which must be incorporated into the parties’ contracts.
The Act would apply to companies that control or process the data of over 100,000 Washington residents, or that control or process data of 25,000 Washington residents and also obtain over 50% of their gross revenue from the sale of personal information. The Act also contains additional privacy notice disclosure requirements, as well as special provisions and limitations for facial recognition technology. There would be no private right of action; enforcement would be through the Washington Attorney General.
This bill appears to have the support of important members of the tech community and may move quickly. The bill text is available here.