On March 26, with less than a month left in the Washington Legislature’s 2021 session, the House Civil Rights and Judiciary Committee (CRJC) passed the Washington privacy act (2SSB 5062), with amendments, on a straight party-line vote of 11-6 (with all six Republican committee members voting no). As the act gets closer to passing, we’ll revisit the bill to highlight how it compares to its predecessors in California and Virginia. For now, this post focuses on differences between the Senate and House versions and how those might affect its passage.
The amended bill, which now includes a private right of action, moves next to the House Appropriations Committee before moving to the full House for consideration. If passed by the House (as currently amended or with other amendments), the amended bill must then be reconciled with the Senate’s version. Which puts us in about the same place we were in last year before the Washington privacy act failed – but with a few notable differences discussed below.
House tries for a private right of action, again
As in past years, the private right of action inserted by the CRJC’s majority will be the bill’s sticking point. But the CRJC’s amendments restrict the private right of action in two ways. First, the new provision would allow private lawsuits against businesses alleged to have violated only two of the act’s sections: the consumer rights section (providing rights of access, correction, deletion, and portability and the right to opt out of processing for targeted advertising, sales, or certain profiling activities) and its anti-discrimination section. This excludes other sections from the private right of action (such as the section requiring a controller to limit personal data collection to that which is reasonably necessary). Second, the provision denies litigants a right to receive damages (statutory or otherwise) and limits remedies to injunctive relief, attorneys’ fees and costs. But even with these limitations, Rep. Jim Walsh, the CRJC’s Republican ranking member, urged members to vote against the amended bill, expressing concern it “will open flood gates of legal actions but not effectively guarantee or improve any Washingtonian’s digital privacy.” Notably, even though the right is limited to certain provisions and remedies, it is far broader than the private right of action in the California Consumer Privacy Act (CCPA), which limits the right to lawsuits alleging that a data breach occurred because of a business’s failure to implement reasonable security, and the new Virginia privacy law, which contains no private right of action. The federal privacy law introduced by Rep. Susan DelBene of Washington on March 10 also contains no private right of action and would, if passed as introduced, preempt conflicting provisions in the Washington privacy act and similar state laws.
Beyond the private right of action, the CRJC’s amendments include:
- Nonprofit coverage – would permanently (instead of temporarily) exempt nonprofits that are organized as a nonprofit and do not sell information (where, similar to the CCPA’s definitions, “sale” is defined as the “exchange of personal data for monetary or other valuable consideration by the controller to a third party”).
- Minors – would change the definition of “minors” to those age 13 – 16 and require a minor’s consent for targeted advertising.
- Privacy notice – would modify requirements for a company’s privacy notice, so that the notice must “use clear and plain language,” meet language requirements, and be understandable to the “least sophisticated consumer.”
- Consumer rights – would:
- allow consumers access to the specific personal data a controller is processing, not only categories of personal data; and
- add a time limit of 45 days for businesses to respond to a right-to-access request.
- Opt-out – would:
- allow the use of designated and authorized agents for consumer rights; and
- require compliance with a global privacy control that communicates a request to opt out.
- Enforcement – would:
- cause the right to cure violations to expire one year after the act’s effective date (the Washington Attorney General’s Office requested this change so it would not be required to send warning letters before enforcement after one year of awareness – the AG’s office argued that one year was long enough for businesses to become aware of what was required); and
- remove statutory penalties from AG enforcement and require courts imposing a penalty to consider a company’s good-faith efforts to comply with the law or cure violations before an enforcement action is filed.
What’s different this year
Although Walsh’s position suggests that the Washington privacy act may still fail on disagreement over the private right of action, several nuances suggest this year presents its best chance at passage:
- Longer legislative session. Washington’s legislative sessions are relatively short, but odd-year sessions are longer (lasting 105 days compared to 60-day sessions in even years). This gives the House and Senate more time to reconcile their differences before the session adjourns on April 25.
- New players in the House. Although this year’s Senate bill is again sponsored by Sen. Reuven Carlyle, this is the first time the House’s CRJC has considered the measure (in prior years, it went through the House’s Innovation, Technology, and Economic Development Committee, which the House disbanded at the end of 2020). Rep. Drew Hansen, the CRJC’s chair, noted when passing the CRJC’s amendments that the law was before his committee for the first time and that he had personally spent considerable time working on it with Carlyle.
Despite the CRJC amendment’s limitations on the private right of action and business-friendly provisions on enforcement, Walsh’s concern about a flood of litigation may still poison the act’s passage this year. We’ll continue following developments and provide updates as the bill moves through full passage in the House and reconciliation with the Senate.