The Washington Senate Democratic Caucus announced the Washington Privacy Act, Senate Bill 6281, Jan. 13, 2020. It is an updated version of the

Personal data versus personal information

The WaPA protects consumer personal data, defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person,” and classifies entities as either controllers or processors.

The CCPA protects consumer personal information, defined as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” and classifies entities as either businesses, service providers or third parties.

The terminology varies between the two frameworks, but both leverage a broad definition of covered information to capture a wide range of data types and sources of data.

Scope

Both the CCPA and WaPA have a broad scope that spans industries and captures various data-processing activities. The WaPA streamlines the elements of a covered entity as compared to the CCPA — and omits the CCPA’s revenue threshold — but the effect of both approaches is similar; nearly all businesses of reasonable size must contend with the requirements of the framework. The nuances of each framework are shown below.

Both frameworks govern a broad range of entities.

The Washington Privacy Act governs:
Legal entities that conduct business in Washington OR target Washington residents
AND
a) control or process personal data of ≥ 100,000 consumers
OR
b) derive > 50% of gross revenue from the sale of personal data AND process or control personal data of 25,000 consumers

The California Consumer Privacy Act governs:
Legal entities operated for profit that collect consumer personal information AND determine the purpose and means for processing the personal information AND do business in California
AND
a) have annual gross revenues > $25 million
OR
b) annually interact for a business purpose with the personal information of ≥ 50,000 consumers, households or devices
OR
c) derive ≥ 50% of annual revenue from selling consumer personal information

Both frameworks include similar exclusions.

The WaPA excludes certain entities and types of information from the scope of the bill that will be familiar to those who have spent time on compliance with the CCPA. These exclusions include the following entities and types of data: state and local governments, municipal corporations, public health information governed by the Health Insurance Portability and Accountability Act and other health-related information, covered entities or business associates that must comply with HIPAA, activities relating to a consumer’s creditworthiness, personal data governed by the Gramm-Leach-Bliley Act, personal data governed by the Family Educational Rights and Privacy Act, employment records data, and compliance with consumer requests regarding deidentified or pseudonymized data (notably, the right to opt out is not included in this exclusion). The WaPA does not specifically exclude nonprofits, but the jurisdictional scope section states it applies to entities "conducting business in" or that "target Washington residents," so we may see some clarification during the legislative process.

The WaPA explicitly preempts local ordinances.

Notably, unlike the CCPA, the WaPA also preempts local laws, ordinances, regulations or the equivalent regarding the processing of personal data by controllers or processors. This prevents any cities in Washington from passing facial-recognition technology restrictions or permissions at the municipal level, for example.

Consumer rights and business obligations

The WaPA creates additional consumer rights not found in the CCPA. It creates five fundamental consumer rights: (1) a right of access; (2) a right to correction; (3) a right to deletion; (4) a right to data portability; and (5) a right to opt out.

Right of access. The right to confirm whether a controller is processing personal data about the consumer and to access that personal data.

Right to correction. The right to correct inaccurate personal data concerning the consumer.

Right to deletion. The right to delete personal data concerning the consumer.

Right to data portability. Related to the right of access, a consumer has the right to obtain personal data in a portable and readily usable format that allows the consumer to transmit the data to another controller.

Right to opt out. The right to opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data or profiling in furtherance of decisions that produce legal or similarly significant effects.

In comparison, the CCPA includes three fundamental consumer rights: (1) the right to know/access; (2) the right to delete; and (3) the right to opt out of the sale of personal information.

Controller obligations

Both the WaPA and CCPA place obligations on covered entities that flow directly from the different consumer rights, and independent obligations to notify third parties about consumer requests received, not to discriminate against a consumer for exercising any rights found in the frameworks, and to provide updated notice and disclosure of data collection and use practices. The WaPA, however, adds obligations not found in the CCPA.

The WaPA includes additional obligations for controllers not found in the CCPA.

The WaPA requires controllers to establish an internal process for consumers to appeal a refused request. This goes beyond the CCPA’s primarily one-sided obligations for communication from a business to a consumer. Here, the WaPA mandates an internal appeal process that may involve multiple correspondences with a consumer and a report of the refusal decision to the Washington state attorney general.

In addition, the WaPA includes purpose limitation (purpose specification), data minimization and processing limitation ("avoid secondary use") obligations for controllers that are reminiscent of the GDPR and absent from the CCPA. And, similar to the CCPA, the WaPA carves out from the obligations of the bill the collection, use and retention of personal data for internal uses.

The WaPA requires controllers to conduct data protection assessments.

The WaPA incorporates the GDPR concept of processing assessments and requires a controller to conduct data protection assessments for each processing activity that involves personal data and an additional assessment any time there is a change in processing that creates a material increase in risk to consumers. Each assessment must weigh the various benefits and risks not only to an individual consumer, but to the public, as well. This level of detailed review and documentation of processing activities does not exist in the CCPA.

Enforcement

Unlike the CCPA, which includes a private right of action for consumers whose personal information is involved in a data breach, the WaPA does not include a private right of action in any capacity. The Washington state attorney general would be solely responsible for enforcement of the statute.

A focus on facial-recognition tech

A key factor in the WaPA’s failure to pass in 2019 was strong opposition from privacy advocates who criticized provisions of the bill specific to the deployment of facial-recognition technology. Advocates were wary of the permissive nature of the FRT provisions, specifically with regard to its use by government agencies. The 2020 version of the bill dedicates nearly three pages and multiple definitions to FRT (approximately 20% of the text of the bill), including the following requirements:

  • Processors that offer FRT services must make an application programming interface available to third parties for testing.
  • Processors must explain the capabilities and limitations of their FRT service and enable testing.
  • Processors offering FRT services must contractually prohibit unlawful discrimination.
  • Controllers that deploy FRT must provide conspicuous notice.
  • Requirements for consumer consent prior to enrolling consumers’ images into an FRT service.
  • Decisions that produce legal or similarly significant effects must be subject to meaningful human review.
  • Controllers must test an FRT service in operational conditions before deployment.
  • Controllers must provide periodic training of individuals who conduct/use FRT.
  • Controllers may not knowingly disclose personal data obtained from an FRT service to law enforcement except for specific circumstances.
  • Both controllers and processors that deploy an FRT service have an obligation to respond to consumer requests and fulfill obligations.

These technology-specific requirements are not part of the CCPA framework and indicate that Washington state intends to lead the country on FRT legislation. In addition, the Washington Legislature is considering a separate bill to address government use of FRT, House Bill 2644.

One of many

2019 saw a marked increase in state-level legislative efforts to protect consumers’ privacy. Washington is one of many states that have reintroduced carryover comprehensive privacy legislation from 2019 or new proposals for 2020. Currently, there are active bills in Florida, Hawaii, Massachusetts, Minnesota, Nebraska, New Hampshire, New York and Virginia.

No doubt, there will be a flurry of state-level activity in the coming year. 
