Washington State is already shaping up as a center of state privacy legislation for 2020.
Last year, SB 5376 (also known as the Washington Privacy Act, or WPA) gained significant traction in the legislature, passing the state Senate almost unanimously but ultimately failing in the House due to discussions around facial recognition and compliance challenges. State Senator Reuven Carlyle (D), chair of the state’s Senate Energy, Climate & Technology Committee, has now released a revised draft of the WPA for 2020. If enacted as drafted, this new version of the WPA would come into effect on July 31, 2021.
The draft bill proposes a comprehensive set of privacy requirements that have been influenced by both the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). An example of the GDPR influence is the use of the terms “controllers” and “processors” to describe organizations that handle personal data in different ways with the imposition of contracting obligations between controllers and processors. The bill also tracks closely to the recently effective CCPA, while in some ways providing more flexibility and in other ways going beyond the requirements in California’s law. We provide a brief overview of the draft bill below.
The draft would apply to legal entities that:
- Conduct business in Washington or produce products or services targeted to WA residents; and
- Either (i) process personal data of 100,000+ WA residents or (ii) derive 50%+ of their revenue from the “sale” of personal data and process personal data of 25,000+ WA residents.
Personal data under the bill is “any information that is linked or reasonably linkable to an identified or identifiable natural person.”
Unlike the CCPA, which provides a private right of action for certain security breaches, the 2020 draft WPA provides no private right of action at all; on the other hand, it also offers no cure period for violations (fines are roughly in line with the CCPA, at a maximum of $7,500 per violation). The Washington bill also places greater emphasis on privacy expectations in public areas and would regulate the use of facial recognition technologies, imposing obligations on both processors and controllers that use such technologies. Processors providing facial recognition technologies would need to, for example, allow third parties to access and test their systems for accuracy and unfair performance. Controllers using such technologies may need consent from consumers before adding facial templates to facial recognition systems.
The draft bill also defines “personal data,” “sensitive data,” “pseudonymous data,” and “de-identified data.” Personal data subject to HIPAA, FCRA, GLBA, FERPA, and certain other laws are exempted from the WPA.
Controller & Processor Obligations
Like the GDPR, the WPA characterizes organizations that process personal data as “controllers” or “processors” and imposes different responsibilities on each. For example, controllers would be required to have contracts with processors, and processors would be obligated to help controllers with certain compliance obligations. The bill defines controllers as persons that determine the purposes and means of processing personal data. Controllers would also be responsible for notifying consumers when they “sell” personal data or use it for targeted advertising; complying with purpose limitation, data minimization, and security obligations; and completing “data protection assessments” (DPAs) for each processing activity that involves personal data. Notably, controllers would also be required to obtain consent (a defined term under the WPA) before processing sensitive data.
Under the bill, processors are persons that process personal data “on behalf of a controller.” To qualify as a processor, an organization would need a written contract with a controller that contains specific terms to allow for information processing support.
The WPA grants consumers five rights:
- Access: The right to confirm whether a controller is processing data about that consumer and to access such data;
- Correction: The right to correct inaccurate personal data;
- Deletion: The right to delete personal data concerning the consumer;
- Portability: The right to receive data disclosed pursuant to the right of access in a portable and readily usable format; and
- Opt out: The right to opt out of the processing of personal data for targeted advertising, some profiling, and “sales” (as defined by the WPA in a manner similar to the CCPA).
Although this is the first significant piece of draft state privacy legislation we have seen surface in 2020, we expect it will not be the last. A number of state legislators, inspired by recent laws in California and Nevada and influenced by some recent proposals at the federal level and the GDPR, are likely to make privacy a priority for 2020 legislative sessions. We are tracking drafts in a number of states and expect to remain engaged as bills work their way through state legislatures this year.
Sophie Baum, a Law Clerk in our Washington D.C. office, contributed to this entry.