Think the GDPR only matters to the EU? Not for long. U.S. states are starting to explore legislation that seeks to protect the data privacy rights of individuals in much the same way the GDPR does. One of the most well-known of these laws was passed in California in June 2018. Like the GDPR, it grants customers the right to know what kinds of information companies are storing about them and what’s being done with that data, and to request that companies delete their information or restrict the way they use it.
More recently, a GDPR-like piece of legislation, called the Washington Privacy Act, was approved by Washington senators with overwhelmingly positive support. Approved by the Washington Senate in early March, it is evidence of the continuing spread of data privacy laws across the U.S.
Overview of the Washington Privacy Act
The Washington Privacy Act, SB 5376, is very similar to the GDPR in that it aims to return the control of personal data to individuals instead of companies. According to K5 News, the bill, which was proposed in January 2019:
“Would give consumers the right to see what data is collected about them and find out whether that information is being sold to a third party. It would require companies to allow consumers to correct inaccurate information, delete their personal data, and object to their personal data being used in direct marketing.”
The bill would also place restrictions on facial recognition software.
The Washington Senate approved the law 46-1 on March 6; the next step is for the Washington House of Representatives to vote on it. If passed, the Washington Privacy Act will go into effect in 2021. In addition to the change in Washington state data privacy laws, other states that have begun to discuss this type of legislation include New Mexico, Massachusetts, Hawaii, Rhode Island, and Maryland.
What does this mean for you?
The official GDPR may only apply to the EU, but clearly, the idea of the legislation is catching on in many other locations. Our stance has long been that the best practice is to act ethically when it comes to customer data regardless of whether you’re required by law to do so. In the words of FormAssembly CEO and Founder Cedric Savarese:
“Disclosing what you do with the data you collect, being transparent about yourself, asking for explicit consent, avoiding dark patterns, like tricking people into agreeing to things they aren’t aware of or understand—those are good practices that companies should be doing regardless of the GDPR.”