A new version of the Washington Privacy Act, a privacy and data protection bill aimed at making businesses “responsible custodians of data,” proposes one of the most comprehensive state privacy laws. It was introduced featuring elements of the California Consumer Privacy Act (CCPA) along with new requirements of its own.
The act was introduced Jan. 13 and, if passed, would go into effect on July 31, 2021.
Following the progress of the bill is important for any business, because it affords expansive rights to consumers and imposes obligations on businesses, including some that are not required under the CCPA.
The act protects consumers who are Washington residents acting in an individual or household context, not in a commercial or employment context. It regulates businesses that process personal data, which it defines broadly as “any information that is linked or reasonably linkable to an identified or identifiable natural person.”
Companies are required to give consumers rights to their personal data, safeguard personal data, provide clear information to consumers about how their personal data is used, and undergo data protection assessments in the collection and use of personal data.
The act does not apply to information that is already subject to certain laws, including the Health Insurance Portability and Accountability Act of 1996, assuming compliance.
Does the Act Apply to Your Business?
Does your business conduct business in Washington state or sell products or services targeted to Washington residents? If so, the act would apply if your business:
- controls or processes data of at least 100,000 consumers; or
- derives more than 50% of its gross revenue from the sale of personal data and processes or controls personal data of at least 25,000 consumers.
Generally, the act gives consumers the right to access their personal data in a portable format, and to correct, amend, or delete it. As under the CCPA, consumers can ask a business to stop processing their personal data for the purpose of selling it; unlike the CCPA, they can also ask a business to stop processing it for targeted advertising or for use in profiling.
The act does not have any specific opt-out method like the CCPA’s “Do Not Sell My Information” button on websites, but requires any method be clear and conspicuous.
Going beyond the CCPA, businesses must provide an internal appeals process for denied requests, and must provide a written explanation of any action taken or not taken in response to an appeal to the Washington state attorney general (assuming consumer consent).
Consent Needed for ‘Sensitive Personal Data’
The CCPA labels all protected information as personal information. The Washington act takes a different approach by requiring companies to obtain opt-in consent before processing sensitive personal data that reveals:
- Racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status;
- Genetic or biometric data for the purpose of uniquely identifying a natural person;
- Personal data from a known child; or
- Specific geolocation data.
Notably, the act defines a child as a person under the age of 13, unlike the CCPA that considers a teenager a child.
The Responsibility to Be Transparent
The act requires a business to have a “reasonably accessible, clear, and meaningful” privacy notice for consumers that includes:
- The categories of personal data processed;
- The purposes for which the categories of personal data are processed;
- How and where consumers may exercise their rights, including the right to appeal;
- The categories of personal data that a business shares with third parties; and
- The categories of third parties with whom the business shares personal data.
Data Protection and Data Protection Assessments
The act requires businesses to establish, implement, and maintain reasonable administrative, technical, and physical data security practices. There is no one-size-fits-all model of what constitutes appropriate data security practices. Rather, the act considers the volume and nature of the personal data.
Businesses must also conduct a data protection assessment of their processing activities involving personal data, and again any time there is a change to such processing that materially increases risks to consumers. A business must weigh the benefits it receives from processing against the potential risks to the rights of the consumer and to the public, and consider to what extent it can mitigate those risks. This level of analysis is not required under the CCPA.
Facial Recognition Services
A significant portion of the act relates to facial recognition services (technology that analyzes facial features and is used for identification, verification, or persistent tracking of consumers in still or video images).
Businesses providing the technology must provide a way for it to be tested for fairness and accuracy, a conspicuous notice in public spaces that explains that facial recognition services are used and why, and obtain consent from consumers prior to enrolling their image in a service used in public premises, among other obligations. The CCPA does not have specific requirements for facial recognition technology.
Penalties for Noncompliance
The bill does not give consumers the ability to sue a business directly. The attorney general enforces the act and can impose civil penalties capped at $7,500 per violation. Potentially more impactful, the act also permits the attorney general to obtain a court order barring a business from the offending activity in order to prevent future violations.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Mark G. McCreary is co-chair of the Privacy and Data Security Practice at Fox Rothschild LLP. He focuses his practice on compliance with privacy-related laws, rules and regulations as well as responses in the event of a data breach.
Caroline A. Morgan is an attorney with Fox Rothschild LLP who focuses her practice on business litigation, insurance, cybersecurity and privacy matters.