Senate bill passed; House bill in committee
Washington is increasingly looking like it will become the second state in the U.S. to pass a comprehensive privacy statute, following California’s Consumer Privacy Act. Drafting the statute was a two-plus-year process, during which the CCPA was passed and the EU General Data Protection Regulation went into effect. Washington’s proposed privacy statute shares many foundational principles with these two privacy regimes, but it has notable distinctions. Importantly, it represents a new model for other states to consider as they draft their own comprehensive privacy laws.
The statute is not finalized, but the state Senate passed a bill with bipartisan support and a companion bill was introduced in the House. The House bill is currently going through the committee process, and committees are considering amendments — some significant, like the addition of a private right of action. It is unclear what the final statute will look like if and when it heads to the governor’s desk for signature, but the majority of the bill’s framework is in place. When the House passes its version of the bill, it will head to a conference committee to reconcile any differences between the bills passed by the two chambers. The House Innovation, Technology & Economic Development Committee published a comparison document last week that outlines the differences between the Senate bill and proposed amendments to the House bill currently in front of the committee.
The following is a summary of the Washington Privacy Act, as represented by the only bill to pass a legislative chamber at this point, the Senate bill.
The act’s most notable provisions include:
-
- Broad scope.
- A controller versus processer distinction.
- Consumers’ rights similar to the GDPR, and more than the CCPA — including rights to access, to correction, to erasure/deletion, to restrict processing, to portability, to object to processing, and against solely automated decision making.
- Enhanced transparency and documentation requirements.
- Specific deidentification and facial-recognition provisions.
- Penalties including injunction and monetary fines; currently, no private right of action (see discussion below) — attorney general enforcement only.
Scope
The WaPA has a broad jurisdictional scope with explicit exclusions:
Broad scope. The statute applies to “legal entities that conduct business in Washington or produce products or services that are intentionally targeted to residents of Washington” and satisfy at least one of the following:
- Controls or processes data of 100,000 or more consumers.
- Derives more than 50 percent of gross revenue from the sale of personal information and processes or controls personal information of 25,000 or more consumers.
A consumer is:
- A natural person.
- Who is a Washington resident.
- Acting only in an individual or household context.
Controller. “The natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
Processor. “A natural or legal person that processes personal data on behalf of the controller.”
Explicit exclusions, including employment records. Notably, the following are explicitly excluded from the WaPA’s scope: state and local governments; personal data sets regulated by the Health Insurance Portability and Accountability Act, Health Information Technology for Economic and Clinical Health Act, and the Gramm-Leach-Bliley Act; and employment records — (the act excludes “data maintained for employment record purposes” from its jurisdictional scope and “a natural person acting in a commercial or employment context” from the definition of “consumer”).
Consumers’ rights
Under the WaPA, a controller must facilitate a consumer’s ability to make a request to exercise one of seven rights created by the statute.
A consumer may make a request for the:
Right to access. A controller must confirm whether personal data is being processed about a consumer and provide a copy of the personal data undergoing processing.
Right to correction. A controller must correct inaccurate personal data and may need to complete incomplete data.
Right to erasure/deletion. A controller must delete a consumer’s personal data if certain requirements are met and must take reasonable steps to inform third parties to which the data was disclosed.
Right to restrict processing. A controller must restrict the processing of a consumer’s personal data under certain circumstances. The data may be processed only with the consumer’s consent or for other limited reasons.
Right to portability. A controller must provide a consumer’s personal data — if it is maintained in an identifiable form — in a structured, commonly used, and machine-readable format. Controllers are required to transmit the personal data requested directly to another controller where technically feasible.
Right to object to processing. A consumer may object to the processing of personal data concerning that consumer. If the objection is made to processing for direct marketing purposes, the controller must cease the processing and communicate the consumer’s objection to third parties.
Right against solely automated decision making. A consumer may not be subject to a decision that produces “legal ... or similarly significant” effects based solely on automated processing. Such processing is not prohibited if it is necessary for certain business purposes, authorized by law, or to which the consumer consented. It is incumbent on controllers to implement the processes required to safeguard this consumer right.
Controllers’ obligations
Two additional obligations for controllers and processors flow from the seven consumers’ rights:
An obligation to communicate changes to personal data or the exercise of a consumer’s rights to third parties. Controllers must communicate corrections, deletions or restrictions to processing requested by a consumer to each third-party recipient of the effected personal data. A consumer may also request information about third-party recipients from a controller.
An obligation for prompt response. A controller must inform a consumer about actions taken in response to a consumer request within a specified time period, which may be extended based on the complexity and number of requests. Responses to requests must be provided to a consumer free of charge unless the requests are excessive or repetitive.
Transparency and documentation
The WaPA includes transparency and detailed risk-assessment documentation requirements:
A meaningful privacy notice. A controller must make available a meaningful privacy notice that is reasonably accessible to consumers. It must include the categories of personal data collected by the controller; the purposes for which the categories of personal data are used and disclosed to third parties, if any; consumers’ rights, if any; the categories of personal data the controller shares with third parties, if any; and the categories of third parties with which the controller shares personal data, if any.
Profiling must be disclosed at or before the point personal data is obtained. Such disclosure includes meaningful information about the logic involved in the profiling and its significant and “envisaged” consequences.
A clear and prominent disclosure of the sale of personal data to data brokers and/or the processing of personal data for direct marketing purposes. The disclosure must include the manner in which a consumer may exercise the right to object to such processing.
Documented risk assessments. Controllers must conduct and document risk assessments covering the processing of personal data prior to such processing when there is a change in processing that materially impacts the risks to individuals. Risk assessments must be conducted and documented annually even if there is no change to processing. The statute provides factors that must be included in a risk assessment. And, it directs a controller to identify and weigh the benefits and risks to the controller, consumer, other stakeholders and the public that flow from the processing against the risks to the relevant rights of the consumer in the context of any mitigating safeguards that may be employed. If the risks outweigh the other factors, the processing may only occur with the consent of the consumer.
Penalties and enforcement
The statute provides for statutory damages and places enforcement responsibility on the attorney general. There is no private right of action in the Senate bill.
Attorney general enforcement. The attorney general holds the only enforcement authority found in the statute. A violation of the statute is explicitly under the attorney general’s purview as a violation of the state’s unfair or deceptive acts and practices statute — plainly, as a violation of the public interest under the state’s UDAP statute and an unfair or deceptive act in trade or commerce or an unfair method of competition.
30-day cure period. The statute provides for a 30-day cure period that starts at notice of alleged noncompliance. It is not clear what constitutes notice: formal communication from the attorney general, allegation by a consumer, or something else.
Penalties include injunction and statutory damages. The attorney general can seek an injunction to stop noncompliant activity and can impose fines of:
- $2,500 per violation.
- $7,500 per intentional violation.
The statute does not define criteria for what constitutes an intentional violation. If multiple parties are deemed liable, fines are distributed according to the principles of comparative fault unless otherwise allocated by contract between the parties.
Notable provisions
Facial recognition. The WaPA includes two subsections dedicated to facial-recognition technology. The first provides requirements for controllers and processors deploying facial-recognition technology. Most notably, that meaningful human review must be included where profiling includes facial-recognition technology that may result in legal or similarly significant effects for consumers — for example, “the denial of consequential services or support, such as financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, and health care services.” In addition, processors must include contractual prohibitions on the use of facial-recognition technology to discriminate, and processors must provide documentation to consumers that describes the capabilities and limitations of the technology. Controllers must obtain consent from consumers to deploy facial-recognition services, and facial-recognition technology available online for developers must provide technical capability for third parties to engage in independent testing.
The second facial-recognition subsection limits the ability of government agencies to use facial-recognition technology. It requires a law enforcement purpose and either a court order or an emergency for the technology to be deployed for ongoing surveillance in public spaces.
Deidentified data. Controllers and processors must “exercise reasonable oversight to monitor compliance with any contractual commitments to the deidentified data is subject, and must take appropriate steps to address any breaches of contractual commitments.” Such “reasonable oversight” may extend to contracts beyond the controller-processor relationship, but the extension appears narrow: Controllers and processors are not liable for the noncompliance of third-party controllers or third-party processors if they did not have actual knowledge of the third party’s intent to commit a violation of the statute at the time personal data was disclosed to the third party. This non-liability applies to all subsections of the statute. Controllers and processors are expressly exempted from any requirement to reidentify deidentified data.
Conclusion
The WaPA is likely to become the second state-level comprehensive privacy statute in the U.S. It grants rights to consumers that mimic the GDPR — beyond those granted by the CCPA — and it takes steps to guide the use of certain types of data and technology, including deidentified data and facial-recognition technology. The Washington State Legislature still has work to do to reconcile competing bills in the House and Senate, but with bipartisan support throughout the capitol, steady progress can be expected.