Washington State Privacy Act Demonstrates the Need for Federal Preemption

Ashley Johnson January 22, 2021
January 22, 2021

(Ed. Note: The “Innovation Fact of the Week” appears as a regular feature in each edition of ITIF’s weekly email newsletter. Sign up today.)

The Washington State Legislature is trying for the third time to pass a statewide privacy bill, after failing to do so in 2019 and 2020. Washington is one of several states currently considering comprehensive privacy legislation after California passed its flawed but influential California Consumer Privacy Act in 2018. The strengthening momentum behind these state efforts demonstrates the need for Congress to pass comprehensive federal data privacy legislation to create a single national standard for data privacy that balances consumer welfare and innovation.

The current version of the Washington Privacy Act, S.B. 5062, was introduced in the Washington State Senate on January 5, 2021 and passed the Senate Committee on Environment, Energy, and Technology with a 12-1 vote on January 20. The 2021 bill would give consumers in Washington the right to obtain, access, correct, and delete personal data collected on them, as well as the right to opt out of the collection of personal data for sale, targeted advertising, or profiling. It would apply to entities that conduct business in Washington, process the personal data of at least 100,000 consumers, and either earn over 25 percent of their revenue from selling personal data or control the personal data of at least 25,000 consumers.

Notably, the 2021 bill does not include a private right of action that would allow consumers to sue entities that violate their privacy rights under the bill. Instead, the state attorney general would have the power to enforce the bill, with potential fines of up to $7,500 for each violation. The Washington State Legislature was divided over this issue in 2020, and the House and Senate’s failure to reach a consensus on the issue ultimately sunk the bill. The 2021 bill also includes a 30-day right to cure. If an entity is in violation of the Act, it has 30 days to cure the alleged violation before the attorney general can bring action against it.

The lack of a private right of action, the 30-day cure period, and the inclusion of an opt-out rather than an opt-in provision for consumers make the current version of the Act less burdensome on businesses (and ultimately consumers) than the CCPA, especially after California’s Proposition 24 passed in November 2020 and removed the CCPA’s 30-day notice and cure period. However, the Washington Attorney General’s office has already advocated for the addition of a private right of action and a sunset date on the right to cure. It is also unlikely that the bill will pass the Washington State House of Representatives without a private right to action, as it failed to do so last year.

Whether or not Washington passes a privacy bill this year, Congress should move quickly to pass a comprehensive, bipartisan federal data privacy law. Three states—California, Nevada, and Maine—have already passed comprehensive state privacy laws, and several more have introduced bills. Consumers and businesses are both better off with a single federal law than 50 inconsistent state laws, especially given the cross-border nature of the Internet. This would streamline regulation for the entire country, and a balanced federal privacy law would avoid imposing high costs that businesses inevitably will  pass on to consumers.

With a new administration and new leadership in Congress, now is the perfect time for federal action on data privacy. Congress should move forward with a narrow approach to privacy that addresses the most important consumer needs while safeguarding innovation and setting reasonable obligations for businesses.