In early 2019 the Washington State Legislature was poised to enact a path-breaking statute addressing a wide range of privacy and security issues. The state senate easily passed a bill that would apply to businesses satisfying certain threshold criteria. It incorporated principles expressed in the GDPR and CCPA, such as a right of deletion, and also introduced novel elements, such as public disclosure of a compliance plan, statutory recognition of “privacy harm,” and statutory damages. A state house committee considered an alternative bill that initially would have applied to all businesses and included a private right action for violation of the statute. After initial indications that Washington would become the second state to adopt a general privacy statute, legislators did not reach a consensus on terms, and the proposals expired. Many expect a renewed attempt in 2020. This panel that would review the appropriateness of state regulation like that proposed in Washington, the most prominent features of the legislation considered, including provisions that address and attempt to solve the problem of standing, the reasons why the effort stalled, any proposed bills for the next session, and possibility of federal preemption.
Chris Hydak, Attorney, Global Privacy and Data Protection, Microsoft