Washington state’s lawmakers started the 2020 legislative session with a renewed focus on consumer privacy through the introduction of ten privacy-related bills across the state House and Senate on January 13. Chief among these proposals was the comprehensive Washington Privacy Act (WPA), a new version of which was re-introduced in the Senate after the previous bill died in the House in 2019. The WPA continues to draw comparisons to the now-effective California Consumer Privacy Act (CCPA), and the EU’s General Data Protection Regulation (GDPR). It borrows the concepts of data controllers and processors from the GDPR and the right to opt out of personal data sales from the CCPA, among other similarities between these forerunners of far-reaching privacy regulation. In addition to the new version of the WPA, Washington’s House introduced nine accompanying bills covering various aspects of consumer privacy, including: (i) granting more rights over biometrics (for which Washington has an existing law); (ii) artificial intelligence in employment decisions; (iii) requiring transparency over device connectivity; (iv) mandating notice and consent for voice data collection; and (v) strengthening oversight through the state’s chief privacy officer. Each of these bills highlights various isolated issues that would complement the foundational framework for data protection that the WPA proposal seeks to establish.
Overview of the WPA
The new version of the WPA would apply to entities that: (i) conduct business in Washington or provide services or produce products targeted to Washington residents; and (ii) control or process data of 100,000 or more consumers, or derive 50% or more of gross revenue from the sale of personal data and process or control personal data of 25,000 or more consumers. The bill includes the following core provisions with respect to consumers (defined as Washington state residents in the individual or household context) and applicable companies:
- Consumers would have rights to access, correct, move, or delete personal data.
- Consumers would have the right to opt out of personal data sales (defined as the exchange of personal data for monetary or other valuable consideration).
- Consumers would have the right to object to automated decision making/profiling and to opt out of processing of personal data for targeted advertising.
- Companies would need to establish, implement and maintain reasonable safeguards and security practices and set up processes to handle consumer requests, including taking action up to twice per year within 45-90 days and notifying third party recipients of consumer personal data from the previous year of such requests.
- Companies would also need to practice data minimization and purpose specification to limit personal data collection based on relevance and reasonable necessity for specified and express purposes, and contract such limitations with service providers.
- Consent would be required for any secondary usage of data (i.e., processing for purposes that are incompatible with the purpose for which data was processed as disclosed to the consumer) unless necessary or compatible with the express purpose of the initial collection, and affirmative, opt-in consent would be required for any processing of sensitive data (including genetic/biometric, racial, ethnic, religious, health, child data, or specific geolocation).
- Companies processing “pseudonymous data” would not be required to comply with the bulk of the core individual rights (access, correction, deletion, and portability) when they are “not reasonably capable” of associating the request with personal data.
- For each processing activity, controllers must conduct data protection assessments, weigh the risks and benefits, and avoid instances where the risks outweigh the benefits.
- Companies providing services involving facial recognition must comply with additional obligations to obtain affirmative consent as a default, test for unfairness and accuracy, and provide sufficient notice regarding public deployments of facial recognition technology.
These core provisions go beyond the requirements of the CCPA in a few notable ways, including providing consumers with the prescribed “right to correct” as well as the requirement for data minimization – as companies must limit personal data collection to relevance and reasonable necessity for “specified and express purposes.” While these concepts are certainly considered under privacy governance in the United States, they have not yet been part of any law. Finally, the additional layer addressing facial recognition leads to additional compliance obligations for companies implementing this technology beyond Washington’s previous biometric framework.
Notably, the WPA bill does not give Washingtonians a private right of action as it is currently drafted. However, it does empower the state attorney general to enforce civil penalties (up to $7,500 per violation) and injunctive relief, making effective attorney general outreach an important part of any company’s broader approach to government relations and compliance with a law as holistic as the WPA.
Implications of the WPA
The WPA bill faces a brief six-week timeframe to work through Washington’s legislature while in session, but if passed, it will take effect on July 31, 2021. The legislative process has already had an impact, as a substitute version was proposed in the Senate on January 20. The new version (to be heard in an executive session on January 23) notably differs from the January 13 version in a few areas, including: (i) which processing activities require data protection assessments; (ii) removing the permissibility of sensitive data processing with consumer consent; (iii) exempting voluntary facial recognition used to verify aviation passenger identity from facial recognition regulations; and (iv) not requiring publicly available documentation on an appeals process from the attorney general. Even if the WPA (in whatever form it may take) or the other privacy-related House bills recently proposed do not pass, they are likely to catalyze other states into similar legislative action on growing trends in privacy legislation and consumer protection (for example, with biometrics). Along with the CCPA and other state privacy regulations, the WPA is also likely to influence (or contribute to persisting uncertainty about) the potential for a nationwide federal privacy law.