
Washington Privacy Act Reintroduced – Third Time’s the Charm?

On Jan. 11 Washington State Sen. Reuven Carlyle introduced SB 5062, the Washington Privacy Act (WPA). Its predecessors, SB 6281 and SB 5376, failed to pass in 2020 and 2019, respectively.  A public hearing was held before the Environment, Energy & Technology Committee on Jan. 14, and the bill is scheduled for a committee executive session on Jan. 21.  Sen. Carlyle thoughtfully released a draft of the legislation in September 2020.

The legislation contains many requirements found in the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), but also focuses on the roles and responsibilities of “controllers” and “processors” like the EU’s General Data Protection Regulation (GDPR).  It addresses both data privacy and data security concerns as well as contact tracing.


The legislation “applies to legal entities that conduct business in Washington or produce products or services that are targeted to residents of Washington, and that satisfy one or more of the following thresholds:

  • During a calendar year, controls or processes personal data of 100,000 consumers or more; or
  • Derives over 25 percent of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more.”

Compared with the 2020 bill, this increases the number of entities that would be subject to the act by decreasing the gross revenue threshold from 50 percent to 25 percent.


For the most part, the WPA excludes from its provisions the same information and entities as the CCPA, including “[p]ersonal data collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley act. . .”

Consumer Rights

The legislation gives consumers certain rights regarding the processing of their personal data, defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person,” and “does not include deidentified data or publicly available information.”

Specifically, consumers are granted the right to access, correct, delete and receive their personal data as well as to opt-out of its processing for certain purposes, such as for targeted advertising, sale or profiling.  A “sale” is “the exchange of personal data for monetary or other valuable consideration by the controller to a third party,” subject to a number of exclusions.

A consumer has the right to appeal any decision made by a controller with respect to a request. Instructions for the appeal must be “conspicuously available,” and the controller must also “provide the consumer with an email address or other online mechanism” for submitting the appeal, and any response, to the attorney general.  Additionally, when a consumer is informed of the results of the appeal, the consumer must also be informed how to file a complaint with the Attorney General’s Consumer Protection Division.

Privacy Notice

A controller’s privacy notice must include:

  1. The categories of personal data processed;
  2. The purposes for which the categories of personal data are processed;
  3. How and where consumers may exercise the rights;
  4. The categories of personal data that the controller shares with third parties; and
  5. The categories of third parties with whom personal data is shared.

Sensitive Data

The legislation places restrictions on the processing of “Sensitive Data,” which is:

  1. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status;
  2. Genetic or biometric data for the purpose of uniquely identifying a natural person;
  3. Personal data from a child; or
  4. Specific geolocation data.

Sensitive data cannot be processed without first obtaining consent from the consumer or, when applicable, a child’s parent or guardian.

Controllers & Processors

A processor must follow the instructions of the controller, which must be dictated by a contract that “sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties.”  This requirement also applies to the relationship between processors and their subcontractors.

Data Minimization

Without consumer consent, controllers “may not process covered data for purposes that are not reasonably necessary to, or compatible with, the covered purposes for which the personal data is processed.”

Data Security

Controllers are required to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices” that are “appropriate to the volume and nature of the personal data at issue.”  Additionally, they must conduct data protection assessments that must be provided to the Attorney General if requested in relation to an investigation.  The assessments would not be available to the public.


The legislation does not create a private right of action, except as described below with respect to contact tracing. 

Enforcement is vested with the Attorney General, but there is a 30-day cure provision.  An uncured violation is considered “an unfair or deceptive act in trade or commerce, and an unfair method of competition for the purpose of applying the consumer protection act,” and may result in an injunction or a civil penalty up to $7,500 per violation.

Contact Tracing

The legislation also addresses contact tracing, or “covered purpose,” defined as “processing of covered data concerning a consumer for the purposes of detecting symptoms of an infectious disease, enabling the tracking of a consumer’s contacts with other consumers, or with specific locations to identify in an automated fashion whom consumers have come into contact with, or digitally notifying, in an automated manner, a consumer who may have become exposed to an infectious disease, or other similar purposes directly related to a state of emergency declared by the governor . . .”

Generally, contact tracing information cannot be processed unless an individual is provided with a privacy notice and gives consent, and controllers and processors have responsibilities similar to those with respect to personal data. 

Unlike the enforcement provisions applicable to personal data, a violation of the contact tracing provisions allows for a private right of action.

Effective Dates

The sections relating to the processing of personal data would take effect July 31, 2022. The sections pertaining to contact tracing would take effect immediately upon enactment.


Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see
