Washington’s New Data Privacy Law: What It Means for Businesses

Colburn Law

Posted in Blog,Personal Injury on April 5, 2023

In today’s data-driven world, privacy concerns have become more critical than ever before. The collection and use of personal data by businesses have become a common practice, raising questions about how this data is being protected and used. In response to these concerns, lawmakers across the United States have been working to establish regulations that protect consumers’ privacy rights. 

One such effort is the Washington Privacy Act, which was introduced in 2018. If enacted, this law would grant consumers various rights regarding their personal data, including access, correction, portability, and deletion. This could significantly alter how businesses manage data and the extent of their liability for any mismanagement.

What Is the Washington Privacy Act? 

The Washington Privacy Act is a proposed state-level regulation aimed at addressing the currently unregulated handling of personal data in Washington. This law is modeled after the General Data Protection Regulation (GDPR) implemented by the European Union and follows in the footsteps of the California Consumer Privacy Act (CCPA) passed into law in 2018.

If passed, the Act would give Washington consumers the right to access, edit, transfer, and delete their personal data held by companies, including major corporations such as Google and Facebook. The law would also provide consumers with the right to understand how their personal data are collected and used, as well as the ability to correct, delete, and opt out of the sale of personal data and targeted advertisements directed toward Washington residents.

Who Is Required to Follow the Washington Privacy Act

As it stands, the Washington Privacy Act will apply to private sector businesses that are based in Washington or provide products/services to individuals residing in Washington. To be subject to the act, the controller must meet one of the following conditions:

• They control or process the personal data of 100,000 or more consumers
• They derive over 50% of their gross revenue from the sale of personal data
• They process or control the personal data of 25,000 or more consumers.

These regulations will not apply to government agencies, air carriers, or entities that process protected healthcare regulations. However, these criteria may change as the bill is amended and moves through the legislative process.

How the Washington Privacy Act Will Impact Businesses

The WPA will require businesses to take a more proactive approach to protect consumer data and provide consumers with greater control over their personal information. Affected companies will need to provide consumers with information about the personal data they hold and respond promptly to requests from consumers to modify or delete that data.

For example, businesses will need to introduce an opt-out process for consumers. This process allows consumers to prevent companies from using their personal data for marketing purposes and from selling it to third parties. Businesses will likely need to restructure their data governance processes to meet this requirement, which will require significant time, labor, and investment.    

While the impact of the Act on businesses will depend on the specific provisions of the final legislation, businesses should be prepared to review their data handling practices and ensure compliance with any new requirements. Additionally, consumers will need to be aware of their rights and to speak with an attorney promptly if they believe that their data has been mishandled.