Washington State Considering New Privacy Act – SB 5376
The Washington state legislature is now considering a new privacy law to address data privacy, provide data subject access rights and regulate the development of facial recognition technology. The Washington Privacy Act was introduced into the state senate last week as SB 5376.
The privacy bill allows consumers the right to access their data and find out if it has been sold to a data broker. If the data subject access request is made electronically, the information must be provided in a commonly used electronic form unless otherwise requested by the consumer. Consumers can also correct inaccurate information, delete personal information, and object to its use in direct marketing.
Personal data must be deleted on request if one of six conditions is met. The bill then provides five exemptions from the deletion requirement for processing necessary for free speech, compliance with a legal obligation, public health, archiving in the public interest or research purposes, and the establishment or defense of legal claims. If an organization is required to delete the personal information, it must also inform any third parties that have received the information from the controller.
The law is detailed but here is a quick overview of some of the important parts:
Who is covered?
If passed, the law would apply to entities that conduct business in Washington or intentionally target Washington residents with products or services. It would only apply to those organizations that control or process data on more than 100,000 residents, or those that derive 50% of their gross revenue from the sale of personal information and have information on more than 25,000 residents.
The law specifically excludes data sets maintained for employment record purposes, or to the extent that they are regulated by HIPAA, the HITECH Act, or the GLB Act.
The bill borrows from GDPR in its use of the terms controllers and processors. SB 5376 puts the responsibility on controllers to comply with the law and requires controllers to have a contract with processors that sets forth the processing instructions which they must follow. This section is similar to Article 28 of GDPR, although it lays out the terms in less detail.
SB 5376 requires transparent processing of personal data through a clear, meaningful privacy notice that states (1) the categories of personal data collected by the controller; (2) the purposes for which the categories of personal data are used and disclosed to third parties; (3) information about the rights that consumers may exercise; (4) the categories of personal data shared with third parties; and (5) the categories of third parties with whom the controller shares personal data.
Controllers must also disclose profiling to the consumer at or before obtaining personal data. Meaningful information about the logic involved and the significance of the processing must be included in the disclosure.
If a controller processes personal data for direct marketing, or sells it to data brokers, the processing and the right to object must be disclosed in a clear and prominent manner.
Privacy Risk Assessments
A controller must conduct a risk assessment on processing and document it on an annual basis. A privacy risk assessment must also be conducted and documented prior to processing personal data where there is a change that materially impacts the risk to individuals. Risk assessments must be made available to the Washington state attorney general upon request.
The risk assessments must identify and weigh the benefits that may flow directly and indirectly from the processing against the potential risks to consumers, as mitigated by safeguards that can be employed to reduce the risk. If the risks outweigh the interests, then the controller must obtain the consent of the consumer.
The legislation would also regulate the development of facial recognition software. Microsoft and Amazon have both been leaders in the development of facial recognition and have their headquarters in Washington.
Consumers would need to be notified in areas – whether a physical location or a website – where facial recognition is in use. APIs created by the company allowing third-party developers to use the technology would need to be made public so it could be tested for accuracy and bias.
Enforcement, Effective Date & Support
The law is enforced by the state attorney general and provides for penalties of between $2,500 and $7,500 per violation. There is a 30-day cure provision similar to the one present in the CCPA. There is some curious language in the enforcement section which may or may not limit the power of the Attorney General to bring an enforcement action for some sections of the bill.
If passed, the law would go into effect on December 31, 2020.
The bill was proposed by State Senator Reuven Carlyle. Senator Carlyle is a Democrat who represents the 36th legislative district, which contains several Seattle neighborhoods. The bill is also supported by eleven other Senators and the Chief Privacy Officer of Washington State.
The Washington state legislature joins New Mexico and New York, both of which are also considering data privacy laws.
Contact Clarip for CCPA and GDPR Software
The Clarip privacy management software is ready to help improve your organization’s privacy practices. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo with a member of the Clarip team.
If your immediate need is California Consumer Privacy Act compliance, take a look at our CCPA software. From consent management to powerful DSAR Software, Clarip offers enterprise privacy management at an affordable price.