Skip to Content

California and Washington Privacy Law Updates

on Thursday, 30 May 2019 in Technology & Intellectual Property Update: Arianna C. Goldstein, Editor

Last month, we updated you on the proposed Washington Privacy Act (SB 5376) and the fact that the law, if passed, would mirror the European Union’s General Data Protection Regulation (“GDPR”). Despite passing the Washington Senate almost unanimously and being supported by the technology industry, the bill hit a roadblock in the Washington House of Representatives. House members proposed significant amendments aimed at increasing consumer privacy, including enhanced obligations related to facial recognition. Due in large part to the amendments, the bill failed to achieve passage out of committee by the deadline for consideration of bills originating in the opposite house, and was returned to the Senate. The bill’s sponsor, Sen. Reuven Carlyle, tweeted that bill would be shelved until 2020.

While the GDPR-like obligations would have provided Washington residents with more privacy protections than most US citizens have, some privacy advocates, including the ACLU, opposed the Senate bill as not going far enough, arguing that exemptions in the bill would create loopholes that would render the legislation’s privacy protections useless. These groups instead supported several amendments to the bill. The amendments proposed in the House would have applied the law to all for-profit entities, rather than just those above certain revenue or number-of-customers thresholds, and included a private right of action that allowed individual consumers, not just the attorney general, to sue to enforce the law. The proposed amendments would have also imposed stricter controls on the use of facial recognition technology, including a requirement that companies obtain consent prior to the use of such technology on consumers’ personal data, and would not have allowed conspicuous notice in the place where facial images are gathered to suffice as valid consent. The amendments would also have required companies using facial recognition technology to obtain an independent audit to confirm that “no statistically significant variation occurs in the accuracy of the facial recognition technology on the basis of race, skin tone, ethnicity, gender, or age of the individuals portrayed in the testing images” and would have prohibited the use of profiling to make decisions that produced “legal effects concerning consumers or similarly significant effects concerning consumers.”

While the Washington Privacy Act has come to a halt, amendment bills to the California Consumer Privacy Act (“CCPA”) continue to make their way through the California legislature. Two CCPA amendment bills (AB 25 and AB 874) are headed to a floor vote with unanimous support from the Appropriates Committee. If ultimately signed into law, AB 25 would carve employees out of the definition of “consumers” by exempting a person’s personal information only to the extent that their personal information is collected and used solely within their employee role (or similar roles within the employment context). AB 874 would create a clear and full public record exemption from the definition of “personal information.” The bill also would clarify that “personal information” does not include consumer information that is de-identified or aggregate consumer information.

Grayson J. Derrick
Chair, Technology and Intellectual Property Section

1700 Farnam Street | Suite 1500 | Omaha, NE 68102 | 402.344.0500

Law Firm Website Design