Tough Data Privacy Law Proposed in Washington State

The 2020 legislative session is well underway in most states, and with it has come a flurry of proposed new privacy laws. Most noteworthy is Washington state’s reintroduction of a bill that didn’t make it through the last session because of perceived weaknesses in consumer protections.

Notably, the Washington Privacy Act (SB 6281; HB 2742) includes individual privacy rights beyond what is provided for in the California Consumer Privacy Act (CCPA). In addition, the proposed bill would impose obligations on businesses that go beyond any requirements currently enshrined in U.S. privacy law. Among those requirements is the obligation to conduct a privacy impact assessment.

The bill also has a section that focuses on the use of facial recognition technology in commercial applications, and would require affirmative opt-in consent as the default. Consent would not be required, however, for enrolling images for security or safety purposes if a person has engaged in, or is suspected of engaging in, criminal activity. Disclosing personal data to law enforcement is allowed only if required by a subpoena, warrant or legal order.

Nine other bills related to privacy have also been introduced in Washington, including one that would require all connected equipment to have a sticker informing consumers of the device’s ability to transmit user data to the manufacturer or a third party.

Other states introducing privacy bills include Virginia, New Hampshire, Illinois and Nebraska. Many of these bills are virtually identical to the CCPA or vary only marginally.

At the federal level, several privacy bills are under consideration. A draft bill produced by the House Consumer Protection and Commerce Subcommittee has bipartisan support and may have the best chance of advancing.

Kathleen Carroll ( is the managing partner at Seven Seas Consulting and serves as the chairwoman for SIA’s Data Privacy Advisory Board.