Washington House Committee likely sinks state Privacy Act with private right of action

A private right of action and changes to the rules for facial recognition use have been added to Washington State’s proposed privacy bill by the Washington House Innovation, Technology & Economic Development Committee (ITED), Security Magazine reports.

The Washington Privacy Act failed to make it out of the legislature in 2019, and the lack of a private right of action is one of the main reasons why, according to the report, with privacy advocates refusing to endorse a law they perceived as lacking teeth.

The committee lowered the threshold for jurisdiction to include companies that make a quarter of their gross revenue from selling personal data, down from half in the Senate version.

The WPA would originally have pre-empted local laws, ordinances and regulations around facial recognition, but the updated version drops that section. It also removes a provision enabling controllers to enroll a person’s facial image in a biometric service without consent, and adds demographic differences to training requirements for the technology. Law enforcement would have to obtain a warrant, rather than a court order, subpoena or summons, as in the earlier version, to perform a facial recognition search.

The committee also changed the definition of “consumer,” and modified data minimization and consumer rights sections.

The editorial board of the Seattle Times, meanwhile, has published an opinion calling for lawmakers to pass the Senate version saying it “could be a standout accomplishment of this year’s Legislature.”

The Times board says SB 6281 would increase consumer protections and empower the State Attorney General to address violations, and that the changes made in committee make it unlikely to pass. The editors laud the restrictions the original version places on facial biometrics.

“Providers of facial-recognition technology would be required to open their services up for third parties to evaluate accuracy and identify whether they unfairly treat different populations. If unfairness is established, the bill requires providers to mitigate the problem,” the editors write.

“The bill also requires public notice when facial-recognition technology is being used. It prohibits sharing of such data with law enforcement unless consumer consent is provided or disclosure is required by a court warrant, needed for an emergency response or to the National Center for Missing and Exploited Children.”

In addition to undermining a compromise that took two years of negotiations with the state’s business community to achieve, the house version, by including a private right of action, could unleash a torrent of lawsuits (as it has in Illinois), which the paper fears could be weaponized against small business and publications such as itself.

With the legislature’s current period closing March 12, the House version of the bill moves on the appropriations committee.

Article Topics

biometrics  |  commercial applications  |  data protection  |  facial recognition  |  law enforcement  |  legislation  |  privacy  |  United States