The Washington Privacy Act stalled this April in the state’s House of Representatives, and will likely not reappear for discussion until the 2020 legislative session.

The bill overwhelmingly passed the Senate, but failed to come to a floor vote in the House of Representatives before the April 17th deadline for state lawmakers to consider non-budget-related matters. This delay appears to stem from a lack of consensus on key issues, such as the regulation of facial recognition technologies and potential enforcement mechanisms.

If the House had passed the bill, Washington would have become the second state in the United States to enact significant privacy legislation. Mirroring the GDPR in several respects, the bill provided access, correction, and deletion rights to consumers, and imposed disclosure and risk assessment obligations on covered businesses.

Although state lawmakers failed to pass the Washington Privacy Act, they reached a consensus on a separate bill that expands Washington’s breach notification law. The Senate and the House of Representatives passed the bill in their respective chambers in the latter half of April. The bill amends the state’s data breach notification requirements in three ways:

  • Definition of Personal Information: The law expands the definition of “personal information” that triggers notification to include: full date of birth; private key to authenticate or sign an electronic record; biometric data; student, military, or passport ID numbers; certain health insurance information; medical histories; and online account credentials.
  • Timeline for Notification: The law reduces the timeline for issuing notifications from 45 days to 30 days after discovery of a breach.
  • Content Required for Notification: The law requires additional information to be included in breach notification letters, such as the date of the breach and the discovery date. In addition, for breaches of usernames and passwords, the notice must instruct consumers to change their passwords and security questions and answers, and to take appropriate steps to secure their account. Notifications to the Attorney General also must include the types of personal information subject to the breach, the timeframe of exposure, and steps taken to contain the breach.

The new requirements are scheduled to take effect on March 1, 2020.