On Sept. 9, 2020, Washington Sen. Reuven Carlyle, D-Seattle, released the draft Washington Privacy Act 2021 for review and comment. This draft bill is the third version of the act introduced by Carlyle in as many years. As reported by IAPP Staff Writer Jennifer Bryant, there was bipartisan support for the previous privacy bills, and the Washington Senate voted nearly unanimously in favor of the proposals, but it was not able to reach a consensus with the House of Representatives regarding proposed amendments, including the issue of a private right of action. While the 2021 draft bill is similar to the 2020 version (Senate Bill 6281), its scope is broader and certain provisions appear to signal an effort to compromise on some of the contested issues. The draft 2021 WaPA includes new sections for “data privacy regarding public health emergencies” related to COVID-19 and the processing of personal information for automated contact tracing.

Carlyle issued an overview with the draft bill that includes a comparison of part one of the 2021 WaPA to the 2020 WaPA, California Consumer Protection Act, and California Privacy Rights Act on the ballot this fall. It also contains a comparison of the bill’s public health emergency provisions (parts 2 and 3) to the federal COVID-19-related privacy legislation. The Future of Privacy Forum did a comparison of the 2020 WaPA earlier this year that incorporated the 2019 WaPA and EU General Data Protection Regulation. These analyses illustrate how the WaPA fits into the landscape of comprehensive data privacy legislation, even as it continues to change at the state and federal level.

2021 WaPA, Personal Data Privacy Regulations (Part 1)

Scope

Part one of the draft 2021 WaPA is similar to the 2020 WaPA and is titled “Personal Data Privacy Regulations — Private Sector.” It applies to “legal entities that conduct business in Washington or produce products or services that are targeted” to Washington residents and (1) control or process personal data of 100,000 consumers or more during a calendar year; or (2) derive more than 25% of their gross revenue from the sale of personal data and process or control personal data of 25,000 consumers or more. The 2020 bill had a 50% revenue threshold. Lowering the threshold to 25% is in line with an amendment approved last year by the Washington House Innovation, Technology & Economic Development Committee.

Like its predecessor, the 2021 WaPA exempts state agencies, local governments or tribes; municipal corporations; protected health information under the Health Insurance Portability and Accountability Act and other health information; personal data regulated under other federal and state statutes; and employment records. It also adds exemptions for nonprofits and institutions of higher education.

Rights and obligations

The rights and obligations in the updated WaPA are substantially the same. The draft bill provides consumers the right of access, right to correction, right to deletion, right to data portability and right to opt out of certain data processing. Notably, the right to opt out is broader than the CCPA’s sale of information opt-out and includes the processing of personal data “for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer.”

Similar to the EU General Data Protection Regulation, controllers under the 2021 WaPA draft bill, like the 2020 bill, are required to conduct and document data protection assessments for certain processing activities. These activities include (1) processing personal data for targeted advertising; (2) selling personal data; (3) processing personal data for certain profiling activities; (4) processing of sensitive data; and (5) a catch-all for processing activities involving personal data “that present a heightened risk of harm to consumers.”  

Enforcement and preemption  

One previous area of disagreement for the Washington Senate and House was the 2020 WaPA’s approach to enforcement and preemption. These provisions are different in the updated version of the draft bill. Section 112 of the 2021 WaPA, which addresses enforcement, includes a specific finding that “[a] violation of this chapter is not reasonable in relation to the development and preservation of business and is an unfair or deceptive act in trade or commerce and an unfair method of competition for the purpose of applying the consumer protection act.” However, it also states “[t]his chapter may be enforced solely by the attorney general under the consumer protection act.” The liability provision, Section 111, specifically precludes a private right of action, providing “[a]ny violation of this chapter shall not serve as the basis for, or be subject to, a private right of action under this chapter or under any other law.” The lack of a private right of action was a sticking point for legislators when the bill failed last March and presumably will continue to be an issue.

The 2021 WaPA enforcement provision includes a 30-day right to cure, similar to the right to cure provision in the CCPA. The potential damages remain the same — up to $7,500 for each violation of the act. 

As drafted, the 2021 WaPA enforcement section only refers to the attorney general providing notice to and initiating actions against controllers. However, the jurisdictional scope of the bill (Section 102) states it applies to entities that “control or process” personal data, and the liability section of the 2021 WaPA (Section 111) refers to both controllers and processors and allocating liability “among the parties according to principles of comparative fault.” Given these provisions, the enforcement mechanism against processors is unclear.

Preemption also has changed in the 2021 WaPA. While the act still preempts local laws, ordinances and regulations, unlike its predecessor, Section 114 now has a carve-out for “laws, ordinances, or regulations regarding the processing of personal data by controllers or processors” adopted by a “local entity prior to July 1, 2020.”

2021 WaPA, Data Privacy Regarding Public Health Emergency (Parts 2 and 3)

Parts two and three of the draft 2021 WaPA are new provisions that address privacy issues related to automated contact tracing in public health emergencies, like COVID-19. The legislative findings and intent of the draft bill refer to the present need for contact tracing for public health purposes but note “[t]he benefits of such technology, however, should not supersede the potential privacy risks to individuals.”

Generally, the public health emergency provisions limit how “covered data” — defined as personal data plus specific geolocation data, proximity data or personal health data — can be processed for a “covered purpose.” “Covered purpose” means processing covered data for automated contact tracing related to a declared state of emergency. Processing covered data for a covered purpose is prohibited unless there are notice and consent. These provisions further preclude disclosing “any covered data processed for a covered purpose” to law enforcement or selling or sharing such data.

Conclusion

Given WaPA’s history, the lack of a private right of action may make this draft a non-starter. Review and comment on the 2021 WaPA also are likely to be influenced by other developments in U.S. privacy law, including the new federal privacy law introduced last week and California’s vote on the California Privacy Rights Act this November. We will be monitoring any developments closely and reporting on the status of the draft bill.
