Proposed Washington Privacy Act modeled after California privacy law, with some key differences

Consumer-privacy legislation reintroduced in Washington state is closely modeled after California's sweeping new privacy law, giving residents the right to access, delete and correct their personal data, as well as the right to opt out of the collection of their personal data. But there are several notable differences when it comes to regulating facial-recognition technology and giving consumers the right to sue.

Last year, Washington appeared poised to become the second US state to pass a comprehensive consumer privacy law, after the state Senate passed a similar bill last year. But the proposal failed in the House, largely due to disagreements over how it would be enforced and over its facial-recognition provisions.

Washington state is trying again, and now there's "overwhelming" support for the resurrected Washington Privacy Act, despite some lingering disagreements, the bill's sponsor, Reuven Carlyle, a Democrat from Seattle, said.

Like the California Consumer Privacy Act, the Washington Privacy Act would be enforced by the state attorney general, who could impose fines of up to $7,500 per violation.

But unlike in California, Washington residents would have no right to sue companies for violations under the latest proposal. Under the CCPA, California residents can sue companies for damages if their personal information was exposed in a data breach, and if the companies' security practices were negligent.

Washington legislators doesn't want to "unleash" lawyers on businesses, Carlyle said. Instead, by relying on the state attorney as the sole enforcement entity, the state will be able to closely study patterns of abuse "on a global scale," Carlyle said.

Carlyle said he isn't opposed to reconsidering the issue later on, but for now, "I don't think it accomplishes the goal of consumer protection."

Still, Washington's proposal goes even further than the CCPA when it comes to facial-recognition technology, Carlyle said. It sets boundaries for the commercial use of facial-recognition technology, which the CCPA doesn't, he said.

Businesses would also need permission before using an image captured in a public place and would need to notify Washington residents in advance about how their likeness would be used, he said.

Independent neutral third parties would also be allowed to test the accuracy and quality of facial recognition technology under the bill, Carlyle said. The state wouldn't examine proprietary algorithms, but would look closely at the results of facial technology, and "that's very different than California as well," he said.

Privacy rights groups agreed that Washington state's bill goes further than the CCPA, with it's provisions on data minimization, purpose limitations, anti-discrimination requirements and limits on automated profiling.

"The Washington Privacy Act is the most comprehensive state privacy legislation proposed to date," Future of Privacy Forum CEO Jules Polonetsky said in a statement. "The bill addresses concerns raised last year and proposes strong consumer protections that go beyond the California Consumer Privacy Act."