Comparing the Washington Privacy Act (WPA) to the California Consumer Privacy Act (CCPA)

February 15, 2019

A new bill, titled the “Washington Privacy Act” (“WPA”), was introduced in the Washington State Senate on January 18, 2019. If enacted, Washington would follow California, which passed the California Consumer Privacy Act (“CCPA”) on June 28, 2018, as the second state to adopt a comprehensive privacy law.

Several key provisions of the WPA track the requirements set forth in the CCPA, but while the CCPA is scheduled to go into effect on January 1, 2020, the WPA is still being debated in the legislature and has not been signed into law. Nevertheless, businesses currently working toward compliance with the CCPA should be cognizant of the WPA as well because, if passed, the WPA will apply to most businesses that collect consumer data from Washington State residents. In particular, the WPA applies to businesses that: (1) control or process data of 100,000 or more Washington State consumers; or (2) derive fifty percent (50%) or more in gross revenue from the sale of personal information of residents of any state, and process or control personal information of 25,000 or more Washington State consumers.

What Steps Should I Take to Comply with the Washington Privacy Act (WPA)? 

Key Elements of the Washington Privacy Act (WPA)

The WPA, like the CCPA and the European Union’s General Data Protection Regulation (“GDPR”), follows a worldwide trend compelling businesses through legislation to provide consumers with more information about, and control over, the collection, use and sharing of their personal data.  Below is a partial list comparing some of the notable provisions of the WPA and the CCPA, together with some of the similarities and differences between the two laws:

  • The definition of personal data/information under the WPA has similarities to, and significant differences from, the way personal information is defined under the CCPA.  “Personal Data” is defined under the WPA as “any information relating to an identified or identifiable natural person. Personal data does not include deidentified data.”  The CCPA establishes a more expansive standard, which includes information that is linked to a given “household,” which could include a physical address that is not directly linked to an individual;
  • Both the WPA and CCPA require that businesses inform consumers about which categories and specific types of personal data they collect from or about consumers, and how that information will be used;
  • Both the WPA and CCPA grant consumers similar rights in terms of accessing, and obtaining copies of, the personal information that businesses process.  Accordingly, businesses that are already compliant with the CCPA’s requirements to track the sharing of personal data will likely not need to take additional steps to ensure compliance with the WPA’s data mapping requirements beyond extending the scope of their data mapping to include Washington State residents;
  • Under both the WPA and CCPA, businesses must provide consumers with the ability to opt out of any sale of personal information. However, the WPA has a slightly narrower definition of “sale” which is limited to the exchange of personal data to a third party “for purposes of licensing or selling personal data at the third party’s discretion to additional third parties,” while excluding any exchange that is “consistent with a consumer’s reasonable expectations considering the context in which the consumer provided the personal data to the controller.”  Similarly, both Acts grant consumers the right to have their personal information deleted;
  • The WPA has two features that are not present in the CCPA. First, businesses may not make decisions based on profiling a consumer’s economic situation, health or other specific factors unless: (1) that consumer consents to such profiling in advance; (2) the profiling decision is necessary for the performance of a given contract with the consumer; or (3) the profiling is otherwise expressly permitted by State or federal law. Second, the WPA includes provisions restricting the use of facial recognition technology, absent prior consent;
  • Both the WPA and CCPA require that businesses adopt organization-wide security protocols that are appropriate to safeguard collected consumer data.  However, the WPA places additional requirements on businesses to safeguard (and abstain from using) “sensitive data” which is defined as “personal data revealing racial or ethnic origin, religious or philosophical beliefs, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning a minor, data concerning health, or data concerning a natural person’s sex life or sexual orientation”; and
  • Both the WPA and CCPA grant consumers the right to have businesses delete all copies of the consumer’s personal information from those businesses’ respective databases, and the databases of third parties with which they have shared such information (other than where such businesses are required by law, or the applicable contractual relationship with the consumer, to maintain copies of same).

Liability Under the WPA

The penalty provisions of the WPA closely mirror those set forth in the CCPA.  The Washington State Attorney General is responsible for enforcing the WPA, with no private right of action available to consumers (whereas the CCPA allows for a limited private right of action where businesses fail to “implement and maintain reasonable security procedures and practices”).  Businesses that violate the WPA can be fined Two Thousand Five Hundred Dollars ($2,500.00) for each violation, and up to Seven Thousand Five Hundred Dollars ($7,500.00) for each intentional violation.  While the WPA has yet to be signed into law, given the prevailing consumer data privacy law trends in this country (and globally), businesses should consult with experienced marketing and privacy counsel in order to ensure that their businesses are fully compliant with the latest state, federal and international legal requirements.

If you are interested in learning more about this topic or require assistance in connection with consumer data privacy compliance for your business, please e-mail us at, or call us at (212) 246-0900.

The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney.  Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.

Attorney Advertising

David O. Klein

David Klein is one of the most recognized attorneys in the telemarketing, technology, Internet marketing, sweepstakes and telecommunications fields. Skilled at counseling clients on a broad range of technology-related matters, David Klein has substantial experience in negotiating and drafting complex licensing, marketing and Internet agreements.
