Washington State legislators continue in their effort to pass only the second comprehensive privacy legislation in the U.S., the Washington Privacy Act (WPA). Introduced on January 11, 2021, the WPA is currently making its way through committee hearings. The debate continues, with the Washington State Senate Ways & Means Committee recently holding a public hearing to discuss the enforcement provision proposed in the WPA. Currently, $1.4 million is proposed to the Washington State Attorney General’s office for enforcement of the WPA. Some are calling for an increased budget, others for private right of action.
Current enforcement proposal
Enforcement will have a big impact on the effectiveness of any privacy regulation, as was the case in the EU with GDPR’s record‑setting enforcement mechanism which included governmental enforcement and private right of action, along with large potential fines. The current draft of the WPA provides for no private right of action, leaving enforcement solely to the Office of the Attorney General. The February 9th hearing was focused on the adequacy of the enforcement mechanism and the initial budget allocation of $1.4 million to the AG’s office. Privacy advocates argue that this is inadequate, as the Attorney General will be hard pressed for the resources required to properly investigate and prosecute violations. For comparison, EU member states with populations smaller than Washington State have an enforcement budget 16 times that proposed in the WPA. For example, Luxemburg, which has 1/10th of the population of Washington State, had an annual Data Protection Authority budget of roughly $6.2 million.
The fiscal concerns are leading some, including the Office of the Attorney General, to call for private right of action, which would allow enforcement through private law suits. The technology industry, on the other hand, emphasizes that the law’s aim is to provide privacy protections, rather than enable costly private litigation. Given this, the thought is that a larger budget is unnecessary, especially in light of the WPA’s “right to cure,” which gives a violating business 30 days to fix violations before the Attorney General can bring an enforcement action. Yet others are calling for a phase-out for the right to cure, which could lead to an increase in enforcement (and a need for a larger budget in the AG’s office).
A private right of action would drastically change the reach of the law, possibly opening the door to a wave of litigation, such as that seen in Illinois in the recent years. Along with it, will come complex, lengthy, and expensive litigation along with potential large liability exposure, especially in class action context.
Summary of WPA
The WPA is a comprehensive legislation that mirrors the EU’s GDPR and California’s CCPA (and CPRA). As a threshold matter, the WPA, as currently drafted, would apply to businesses that operate in Washington, or target Washington residents, and process personal data of more than 100,000 individuals, or derive at least 25 percent of their revenue from sale of personal data (and process such data for more than 25,000 individuals). As previously discussed, the WPA creates certain consumer rights, such as the right to confirm, correct, or delete personal data, and provides special rules for a “public health emergency” (read COVID-19). Finally, the Act also requires data controllers to conduct a Data Protection Assessment with respect to the various types of data they process.
The final version of the WPA remains a heated debate. The Washington State legislature continues to debate the Act and seek input from consumers and the tech industry. Companies that may ultimately be subject to the WPA should keep a close eye on how the Act changes as it makes its way through the Washington Senate, and whether federal legislation may ultimately pre-empt state level regulations.