Washington State moved a little closer to creating strict privacy legislation that would mirror GDPR this month. In early march, its Senate voted through the Washington Privacy Act (SB 5376). It’s the second in a string of states taking privacy into their own hands as federal legislators fail to take action.
The Act forces companies to be transparent about how they process customer data. They must explain what kinds of data they are collecting and why, how they will use it, and whether it will be shared with third parties.
Users must give consent for companies to collect their data, and can also withdraw it at any time, asking them to modify or delete it.
An interesting addition is a clause on facial recognition technology, which requires companies selling that technology to stop customers from using it to discriminate against people.
“Washington residents should have the right to expect information about the capabilities and limitations of facial recognition technology and that it should not be deployed by private sector organizations without proper public notice,” the latest version of the bill said.
Amazon, one of the biggest employers in the State, supplies facial recognition technology to law enforcement, although it doesn’t seem to be going so well.
Under the law, companies doing business in Washington must also conduct risk assessments to ensure that they are protecting consumer data properly.
The State’s Attorney General will be able to sue companies under this law, imposing a maximum of $7500 in fines for each intentional violation and $2500 for any unwitting ones.
The Act isn’t law yet. Washington’s House of Representatives must now conduct its own vote. Nevertheless, the Senate vote was overwhelming at 46 to one, so things look good for privacy advocates in the State.
Washington is one of several states moving ahead with its own privacy legislation while a hamstrung Congress waits to pass a federal law. Next year will see the California Consumer Privacy Act come into effect. Passed in June 2018, it will impose strict regulations on companies doing business in Canada that look a lot like the ones imposed in Europe by GDPR.
Privacy legislation is also pending in Hawaii, Massachusetts, New Mexico, Rhode Island and Maryland. All these bills have been introduced since January.
The topic of Governance, Risk and Compliance will be covered throughout the free-to-attend conference at Infosecurity Europe in London from 4-6 June. See all the talks on Governance, Risk and Compliance here. Infosecurity Europe is the leading European event for information and cyber security; find out more and secure your free visitor badge.
