On March 6, the Washington state Senate voted 46-1 to approve the Washington Privacy Act (WPA or the Act), otherwise known as SB 5376. If the bill passes the House, the bill would become the second comprehensive state privacy legislation behind the California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020. The bill would provide consumer rights, impose obligations on businesses collecting and selling personal information, and create an office of privacy and data protection to interface with state agencies on data privacy and data protection policy matters. The bill draws from the CCPA and the European Union’s General Data Protection Regulation (GDPR).
Overview of the WPA
The WPA would apply to legal entities that (1) do business in Washington state or (2) target Washington state residents if the legal entity:
- Controls or processes the personal data of one hundred thousand (100,000) or more consumers or
- Derives over fifty percent (50%) of gross revenue from controlling or processing such data of twenty-five thousand (25,000) or more consumers.
The obligations imposed by the WPA would not apply to:
- State and local governments;
- Data sets to the extent that they are regulated by the Health Insurance Portability and Accountability Act, the Federal Health Information Technology for Economic and Clinical Health Act, or the Gramm-Leach-Bliley Act of 1999; or
- Employment records.
2. Key Obligations of Private Legal Entities
The WPA would impose the following requirements:
- Consumer Rights:
- Right to Information: confirm whether personal data is being processed and sold.
- Right of Access: provide the consumer access to personal data being collected and sold.
- Right of Rectification: correct inaccurate personal data.
- Right of Deletion: delete personal data.
- Right of Restriction: refrain from processing personal data when:
- The consumer contests the accuracy of personal data;
- The processing is unlawful and the consumer requests restriction rather than deletion; or
- The consumer objects to processing based on a particular situation until the controller verifies whether legitimate grounds to process exist;
- The consumer provides consent to process;
- Processing is necessary for the “establishment, exercise, or defense of legal claims”;
- Processing is required for the protection of another natural or legal person’s rights; or
- Processing is required for public interest reasons related to federal, state, or local law.
- Right of Portability: transfer personal data to another controller.
- Right of Objection: refrain from processing personal data when:
- The controller is using personal data for direct marketing purposes; or
- Any other purpose provided that the controller cannot demonstrate a “compelling legitimate ground” to continue processing.
- Right against Automated Decision-making: refrain from making decisions using profiling concerning legal and similarly significant affects (e.g., those related to financial services).
- Transparency: provide a privacy notice.
- Document Risk Assessments: perform a risk assessment annually or when change in processing “materially impacts risk to individuals.”
- Deidentified data: exercise “reasonable oversight” to monitor obligations under contractual commitments.
- Third Parties: the controller must inform third parties when consumers have exercised their rights and third parties are responsible for following the instructions of the controller and helping the controller to meet its obligations.
- Facial Recognition Technology: employ “meaningful human review” if using facial recognition technology to profile upon which decisions producing legal or similarly significant effects are made (e.g., those related to housing).
Enforcement responsibilities would fall to the Attorney General, who could seek:
- An injunction; and
- A maximum civil penalty of:
- $2,500 per violation; or
- $7,500 per intentional violation.
Private Right of Action: the WPA states that the “chapter does not serve as the basis for private right of action under this chapter or any other law.” Accordingly, consumers do not have a private right of action under the WPA.
4. Washington State and Local Government Agencies
The WPA would create the Office of Privacy and Data Protection within the Office of State Chief Information Officer to support state agencies and the public by:
- Conducting an annual privacy review
- Conducting privacy training for state agencies and employees
- Articulating privacy principles and best practices
- Coordinating data protection;
- Assisting Office of the State Chief Information Officer in reviewing state agency projects involving personally identifiable information; and
- Educating consumers about personally identifiable information on mobile and digital networks.
Facial Recognition Technology: Washington state and local government agencies would be precluded from using such technology to engage in ongoing surveillance of individuals provided that a court order has not been obtained or there is not an “emergency involving imminent danger or risk of death or serious physical injury.”
Comparison to CCPA and GDPR
The WPA borrows many provisions from the CCPA and GDPR. The chart below provides a high-level comparison.
Given that the law has not passed Washington’s House of Representatives, the bill is still subject to change. If it passes the House, the Act will go to the governor’s desk for signature. We will continue to monitor the progress of this bill and will report on new developments.