Washington and New York Introduce Consumer Privacy Bills
Washington
The Washington Privacy Act is back. In both 2019 and 2020, versions of the Washington Privacy Act were introduced in and passed by the Washington Senate, but the bills eventually stalled in the Assembly. Ultimately, the Washington Privacy Act failed because the two chambers could not reach a compromise on the bill’s enforcement provisions.
On January 11, the Washington Senate introduced the 2021 version of the Washington Privacy Act (SB 5062), which again is a comprehensive privacy bill modeled after many requirements found in the California Consumer Privacy Act and California Privacy Rights Act. But unlike the California legislation, the Washington Privacy Act focuses on the roles and responsibilities of “controllers” and “processors” – similar to the European Union’s General Data Protection Regulation – and addresses both data privacy and data security concerns.
If passed during this legislative session, the law would apply to legal entities that conduct business in Washington or produce products or services that are targeted to Washington residents and that (1) during a calendar year, control or process the personal data of 100,000 or more Washington residents, or (2) derive over 25% of their gross revenue from the sale of personal data and process or control the personal data of 25,000 or more Washington residents. Subject to certain exceptions, the Washington Privacy Act defines “sale” as “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.”
“Personal data” is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person,” but does not include data that has been deidentified or that is publicly available. Additionally, the law would only apply to Washington residents acting in their individual or household context, and not in a commercial or employment context.
The Washington Privacy Act would not apply to many types of entities and data sets such as state agencies, HIPAA personal health information, and GLBA-regulated personal data. However, higher education institutions, air carriers, and nonprofits would be covered by the law starting on July 31, 2026.
A public hearing was held before the Environment, Energy & Technology Committee on January 14, and the bill was scheduled for a committee executive session on January 21.
New York
Nearly a dozen consumer privacy bills were introduced on the first day of the 2021-22 New York State legislative session. A number of the proposals, including the New York Privacy Act and the Right to Know Act, are carbon copies of bills that were introduced in the 2019-20 legislative session but did not make it out of committee. And as is the case with the majority of privacy bills introduced by state legislatures in the last two years, most of the bills closely resemble the California Consumer Privacy Act and have broad applicability to consumer privacy and are generally industry agnostic.
Given the numbers of bills introduced, we will continue to monitor the New York legislative actions and provide updates in future Technology Updates on those bills that gain traction.
Chair, Technology and Intellectual Property Section