Summary of Washington Privacy Act After State Senate Passes
The Washington state Senate voted 46-1 this week to adopt the Washington Privacy Act (SB 5376). The bill was introduced by Senator Reuven Carlyle (D-Seattle) in January. If adopted by the House, Washington would become the second state to adopt a major addition to its consumer privacy law since Cambridge Analytica last March. It follows the lead of California which passed the California Consumer Privacy Act (CCPA) last June although it is in some ways more similar to aspects of the European Union’s General Data Protection Regulation (GDPR).
The Washington Privacy Act applies to legal entities that (1) either conduct business in Washington or produce products/services intentionally targeted at Washington residents, and (2) satisfy one of two thresholds: (a) controlling or processing the personal data of 100,000 consumers, or (b) deriving fifty percent of gross revenue from the sale of personal data and controlling or processing the personal data of at least 25,000 consumers. It has dropped the revenue threshold which applies in
It contains a handful of exclusions in Section 4 including an express exemption for employee data. The GLBA exclusion, interestingly, requires the collection, processing, sale or disclosure to be in compliance with that law in order for it to be a valid exclusion. There is also a long list of exemptions in Section 10.
Controller and Processor Obligations
The Washington Privacy Act specifies that controllers are responsible for meeting its requirements and processors must follow the instructions of the controller and assist them in meeting their obligations. It creates a requirement for processing to be governed by a contract that sets out the processing instructions.
Consumers are provided with six rights upon delivering a verified request to the business. Information must be provided by the controller on a verified request without undue delay and in any event within thirty days of receipt. Where reasonably necessary, taking into account the complexity and number of requests, the period may be extended by sixty days provided that the controller informs the consumer of the extension within thirty days and
– Right to Access – Confirm processing including whether personal data has been sold to data brokers and provide a copy of the identifiable personal data maintained and undergoing processing. Electronic requests that do not ask for the information by another means must be provided in a commonly used electronic format. A data broker is defined as a business without a direct consumer relationship that knowingly collects and sells or licenses to third parties brokered personal information.
– Right to Correct – Controllers must correct inaccurate personal data and complete incomplete personal data (taking into account the business purposes of processing) including by providing a supplementary statement where appropriate.
– Right to Delete – Businesses must delete without undue delay the consumer’s personal data if maintained in identifiable form and one of five grounds applies. These grounds are: the personal data is no longer necessary for a business purpose; the consumer withdraws consent; the consumer objects to processing and either the processing is for targeted advertising or there is no business purpose for continued processing; the personal data has been unlawfully processed; or it must be deleted to comply with a legal obligation. The controller is required to take reasonable steps to inform others who are processing such personal data on behalf of the controller, taking into account available technology and cost of implementation. However, deletion is not required to the extent processing is necessary for exercising free speech, compliance with a legal obligation, certain reasons of public interest, the establishment or defense of legal claims, detecting or responding to security incidents (as well as protecting against fraudulent or illegal activity), or for a data broker to prevent the information from reappearing in the future.
– Right to Restrict Processing – Controllers must restrict processing if a consumer requests it and if the purpose of processing is not consistent with the purpose of collection, not disclosed at the time of collection or authorization, or unlawful.
– Right to Data Portability – Controllers must provide personal data maintained in an identifiable form concerning the consumer, if technically feasible and commercially reasonable, upon request for automated processing where consent is required, processing is necessary pursuant to a contract, or as part of the steps prior to entering into a contract.
– Right to Object to Processing – Objections to the processing of personal information for targeted advertising must be honored, and controllers must take reasonable steps to communicate the objection to third parties where the personal data was sold for such purposes. Third parties must honor the objection received from the controller. If the objection is for another purpose, the controller may continue processing if there is a legitimate ground that overrides the potential risks to the consumer’s rights, or another exemption applies.
Controllers must also provide consumers with a privacy notice that discloses:
– categories of personal information collected;
– purposes of use and disclosure to third parties of the categories of personal data;
– the consumer data rights provided by Section 6 of the Washington Privacy Act;
– categories of personal data shared with third parties; and
– categories of third parties with whom the controller shares personal data.
The Washington Privacy Act does not specify categories of personal information. This will either be left up to the businesses or will be clarified under the rulemaking authority of the office of privacy and data protection in consultation with the attorney general.
Controllers must conduct a risk assessment of each processing activity involving personal data and an additional risk assessment any time there is a change in processing that materially increases the risk to consumers. The risk assessments must be made available to the Washington state attorney general upon request.
Processing for a business purpose that does not involve sensitive data, or where the use of appropriate administrative and technical safeguards can reduce the risk, is presumed permissible. Business purposes include auditing, detecting security incidents, protecting against fraud, certain short-term uses, providing customer service, fulfilling orders, processing payments, internal research for technology development, and customer identity authentication.
The risk assessments must identify the direct and indirect benefits of the processing to the controller, consumer, public and other stakeholders and weigh them against the potential risks to the consumer, mitigated by any safeguards that can be employed to diminish the risks. The context of the processing and the relationship with the consumer must also be factored into the assessment, along with the reasonable expectations of the consumer and the use of deidentified data. They must also take into account the type of personal data involved, including whether it is sensitive. Sensitive data includes personal data revealing race or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, genetic or biometric data used to identify a natural person, or the data of a known child.
If the potential risks of privacy harm to consumers are substantial and outweigh the benefits, the controller must obtain the consent of the consumer, which shall be as easy to withdraw as to give, in order to undertake such processing (or find another exemption).
The law requires the exercise of reasonable oversight by controllers or processors to monitor compliance with contractual commitments around deidentified data. These organizations must take appropriate steps to address breaches of their contractual commitments.
The Washington Privacy Act also regulates facial recognition services. Facial recognition is defined as technology that analyzes facial features for the identification of natural persons in still or video images.
Facial recognition services deployed by a controller in a public setting must be accompanied by a conspicuous notice on the premises conveying that facial recognition is being used and that a consumer who enters the premises consents to its use.
There must be meaningful human review by controllers before making final decisions using facial recognition for profiling that produces legal effects or similarly significant effects. There is a nonexclusive list of decisions that are implicated by this section, including denial of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities and health care services.
Processors of facial recognition services must prohibit unlawful discrimination under federal or state law against individuals or groups of consumers. Providers of commercial facial recognition online for developers and customers must make available an API to enable legitimate, independent third party testing for accuracy and bias.
It further prohibits the use of facial recognition technology for ongoing public surveillance of specific individuals unless law enforcement has obtained a court order or there is imminent danger or risk of serious physical injury (or death) to a person.
In addition to the threshold requirements which are designed to protect small businesses which do not hold sufficient personal data to trigger them, the office of privacy and data protection has also been given authority to create exemption eligibility requirements for small businesses.
The law permits the attorney general to bring an enforcement action. It specifically defines violations as an unfair or deceptive act and an unfair method of competition under the state’s consumer protection act. Any controller or processor that violates the Washington Privacy Act is subject to a civil penalty of not more than $7,500 for each intentional violation and $2,500 for each other violation. It does not authorize a private right of action.
There is a cure provision for sections 6 through 10. Organizations are only in violation of these sections if they fail to cure the alleged violation within thirty days of receiving notice of suspected noncompliance. Sections 6 through 10 cover the consumer rights, transparency obligations, required privacy risk assessments and reasonable oversight of compliance with contractual commitments around deidentified data.