First California, Now Washington? US Western States Tackle Data Privacy Rules Using GDPR Framework

It seems like just yesterday that the European Commission passed the General Data Protection Regulation (GDPR) laws, which bolstered a regulatory framework for data privacy and retention across the European Union. (It also was the cause of the proliferation of cookie notification pop-ups you’ve likely seen while visiting new websites lately.) Both leading up to passage of the law in 2016 and afterward, our APCO team partnered closely with U.S.- and Europe-based companies across technology, health, insurance and other sectors to help provide feedback to legislators as well as support smooth implementation of the new requirements, which aim to strengthen the rights of consumers to control and secure their own data.

Here on the West Coast, leaders and big thinkers in technology also are taking action in response to growing concerns about the use of consumer information and major data breaches. Across the country and the aisle, Americans increasingly see a pressing need for some degree of regulatory action on online privacy: in 2018 Pew Research found that 60 percent of Americans favor stronger internet privacy laws than those already on the books.

In June of last year, the state of California signed the California Consumer Privacy Act (CCPA) into law. This act, motivated by GDPR laws, provides California residents with the right to know what personal information is being collected about them, as well as access that information when desired. The act also permits consumers the right to deny companies the sale of their personal information and ensures that companies provide equal services and pricing, regardless of whether customers choose to exercise their online privacy rights. California’s CCPA won’t go into effect until January of next year, meaning there is still time to advocate for changes and clarifications – exactly how the law is implemented is likely to dominate the conversation over the next nine months.

At the same time. the Washington State Senate is actively considering a so-called Washington Privacy Act (WPA), a suite of legal changes that would also raise the bar on customer online protections. If enacted, Senate Bill 5376 will have significant implications for companies and consumers, alike, including a requirement that companies alert customers whether and how their data is being used, and provide them with access to it, as well as, when notified, correct any inaccurate personal data or delete unwanted personal data “without undue delay.” Consumers would obtain the right to object to the use of their personal data, including for direct marketing and targeted advertising.

These provisions closely parallel the language in California’s law, but the proposed Washington Privacy Act would add two additional components. If enacted, companies in Washington could not use consumer data to profile consumers, notably in such cases as decisions regarding financial, housing, insurance, education, employment or healthcare services. In addition, Senate Bill 5376 includes a first-of-its-kind provision with significant implications for the use of facial recognition technology, asserting that, “Washington residents should have the right to a reasonable expectation of privacy in their movements and thus should be free from ubiquitous and surreptitious surveillance using facial recognition technology.” The bill goes on to specify that companies providing facial recognition technologies must receive informed consent from consumers, must make use of “meaningful human review” to prevent bias, and must not be used to “unlawfully discriminate … against individual consumers or groups of consumers.”

Whether Washington’s legislature will vote this act into law and, if so, in what form remains to be seen. What is clear is that momentum continues to grow toward expanded regulation relating to the use of consumer data and information. Companies operating along the West Coast should prioritize advocacy and engagement on this topic while there is still opportunity to shape the discussion – and outcomes – of U.S. data privacy laws.

Please feel free to contact me at to discuss the impact issue will have on your company and your stakeholders.