Washington Privacy Act 2.0: State Lawmakers Take Another Stab at a Comprehensive Privacy Bill
Last year, expectations were high for Washington state to pass a Privacy Act which would have granted consumers broad privacy rights on par with the European Union’s General Data Protection Regulation (GDPR). However, efforts to enact the new regulations failed in April when legislators could not reach a compromise with the resident tech companies before a legislative deadline.
On January 13, 2020, the state lawmakers introduced an updated version of the Washington Privacy Act, Senate Bill 6281. According to State Senator Reuven Carlyle, one of the bill’s sponsors, since the original bill failed to pass last year, lawmakers have held talks with tech companies and consumer privacy groups. According to the Senator, there is now an “overwhelming consensus” on some components of the bill.
The Privacy Act takes its inspiration from the GDPR and the California Consumer Privacy Act and introduces certain rights previously unavailable to the U.S. consumers as well as novel obligations on controllers and processors of personal data. Below are some of the highlights of the proposed legislation:
Jurisdictional Scope and Applicability
The Act will apply to legal entities that conduct business in the state of Washington or produce products or services that are targeted to Washington residents and (a) control or process personal data of 100,000 or more consumers; or (b) derive over 50% of gross revenue from the sale of personal data and process or control personal data of 25,000 or more consumers. Exempt from the law are state and local governments, municipal corporations, certain protected healthcare and consumer credit information, personal data subject to various state and federal regulations, as well as employment data. Unlike the CCPA, the Act would not exempt non-profit organizations.
“Personal data” under the Act is broadly defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person,” but does not include deidentified or publicly available data.
Consumers, Controllers, Processors, and Third Parties
A “consumer” under the Act is defined as a natural person who is a Washington resident acting only in an individual or household context and does not include persons acting in a commercial or employment context.
Like the GDPR, the Privacy Act utilizes the concepts of a “controller” and a “processor.” A “controller” is defined as a natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data. A “processor,” in turn, is defined as a natural or legal person who processes personal data on behalf of a controller. A “third party” is defined as an entity that is neither a consumer, controller, processor, nor an affiliate of any of them.
Consumer Rights
Under the Privacy Act, consumer rights with respect to personal data include (1) the right of access, which includes a right to confirm whether an organization is processing the consumer’s personal information as well as the right to access that information; (2) the right of correction; (3) the right of deletion; (4) the right to data portability; and (5) the right to opt out of processing for purposes of targeted advertising, sale of personal data, and profiling. In terms of privacy rights, the Privacy Act is similar to the GDPR and exceeds the rights granted to consumers under the CCPA, namely the rights of access, deletion, and opt-out of sale of personal information. Notably, the term “sale” under the Privacy Act is defined similarly to the CCPA as “the exchange of personal data for monetary or other valuable consideration.”
Responsibilities of Controllers
Under the proposed Act, the responsibilities of a controller include:
- Transparency. Controllers will be required to provide reasonably accessible, clear, and meaningful privacy notices which disclose categories of personal data processed, purposes for which data is processed, how and where consumers may exercise their rights, categories of data controllers share with third parties, and categories of third parties with whom controllers share personal data.
- Purpose specification. Collection of personal data will be limited to what is reasonably necessary in relation to the specified, express purpose for which the data is processed, as disclosed to the consumer.
- Data minimization. A controller’s collection of personal data would need to be adequate, relevant, and limited to what is reasonably necessary in relation to the specified and express purpose for which such data is processed, as disclosed to the consumer.
- Avoidance of secondary use. A controller would not be allowed to process personal data for purposes that are not reasonably necessary to, or compatible with, the specified and express purposes for which the personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.
- Data security. Controllers would be required to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and security of personal data.
- Non-discrimination. Controllers would not be permitted to discriminate against consumers for exercising their personal data rights.
- Sensitive data. Controllers would generally not be permitted to process sensitive data without obtaining the consumer’s consent. Sensitive data includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health, sexual orientation, or citizenship or immigration status; processing of genetic or biometric data for the purpose of uniquely identifying a natural person; personal data from a known child; or specific geolocation data.
- Consumer requests. With respect to data subject requests, controllers would be required to (1) take action on consumer requests within 45 days of receipt of the request; (2) notify third parties of consumer requests to correct, delete, and opt out of the processing of personal data; and (3) establish an internal appeal process for cases where the controller refuses to take action on a consumer request.
The obligations of purpose specification, data minimization, avoidance of secondary use, and prohibition on processing of sensitive data are similar to controllers’ obligations under the GDPR but would be new to most U.S. companies.
Responsibilities of Processors
Like the GDPR (and unlike the CCPA), the Act will impose certain obligations on the processors of personal data. Under the Act, processing of personal data will be governed by a written contract between a controller and a processor which will contain processing instructions and will specify the nature and purpose of processing, type of personal data subject to processing, duration of processing, and obligations and rights of both parties. At the choice of the controller, the processor would be required to delete or return all personal data to the controller at the conclusion of its services. The processor would be required to make available to the controller all information necessary to demonstrate its compliance with the obligations under the Act, as well as to allow for reasonable audits and inspections.
In addition, the processor would be required to implement and maintain reasonable security practices and procedures to protect personal data, ensure that persons processing personal data are subject to confidentiality obligations with respect to personal data, and engage subcontractors only after providing a controller with an opportunity to object and pursuant to a written agreement which requires subcontractors to meet obligations imposed on processors with respect to personal data. The processor will also assist the controller in meeting its various obligations and provide the controller with information necessary for the controller to conduct and document data protection assessments.
Data Protection Assessments
The Act would obligate controllers to initially conduct data protection assessments of each processing activity involving personal data, and thereafter whenever a change in processing materially increases the risk to consumers. If the data protection assessment determines that the potential risks of privacy harm to consumers are substantial and outweigh other applicable interests, the controller would be permitted to engage in the processing only with the consent of the consumer. Although U.S. government agencies are already required to conduct privacy impact assessments under the E-Government Act of 2002, this will be a new requirement for most private companies in the United States.
Liability and Enforcement
The Act does not provide for a private right of action. The State Attorney General will have the exclusive authority to enforce the Act and impose civil penalties in the amount of not more than $7,500 per violation.
Facial Recognition Provisions
The Act would also impose restrictions on the commercial use of facial recognition technology. Among other things, controllers would be required to provide conspicuous notices whenever a facial recognition service is deployed in physical premises open to the public and would be required to obtain consent from a consumer prior to enrolling an image of that consumer in a facial recognition service. Controllers using a facial recognition service would not be permitted to discriminate against consumers or groups of consumers. Furthermore, controllers that make decisions that produce legal or similarly significant effects on consumers would be required to ensure that those decisions are subject to human review.
To Be Continued . . .
The current session of the Washington State Legislature will continue through early March. We will closely follow the developments as the Privacy Act makes its way through the legislative process. Considering that Washington-based Microsoft and Amazon will be subject to the Act, it has the potential to compete with the CCPA as the standard-setter for privacy legislation in the United States. If enacted, the law will take effect on July 31, 2021.