Washington State Looks To Become Second State To Pass Comprehensive Data Privacy Legislation
On February 14, 2020, the Washington State Senate passed a comprehensive privacy bill that would give state residents new data rights. LB 6281, known as the Washington Privacy Act (the “Act”), passed the Senate on a 46-1 vote. The bill will now head to the House for consideration. A similar bill failed in that chamber in 2019.
If passed, the Washington Privacy Act would enact a data protection framework for Washington residents that includes individual rights that mirror the rights in the California Consumer Privacy Act (“CCPA”), as well as a range of other obligations on businesses that do not yet exist in any U.S. privacy law. The bill incorporates aspects of the EU’s General Data Protection Regulation (“GDPR”) and borrows the “controller” and “processor” concepts from the GDPR in identifying obligations for each role.
The following is our initial analysis of the Act:
To Whom Does it Apply?
Washington residents, except when “acting in a commercial or employment context.”
What Entities are Covered?
Legal entities that conduct business in Washington or produce products or services that are targeted to Washington residents, and that satisfy at least one of the following thresholds:
(a) control or process personal data of 100,000 or more Washington residents; or
(b) derive over 50 percent of their gross revenue from the sale of personal data and process or control personal data of 25,000 or more Washington residents.
The statute would not apply to state and local governments or municipal corporations. It also would not apply to information that is protected under other privacy statutes, including personal health information protected by HIPAA, certain information covered by the FCRA, and personal data collected, processed, sold, or disclosed pursuant to the GLBA.
What Information is Covered?
“Personal data” is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” Personal data does not include de-identified or publicly available information. Note that the Act’s definition of “personal data” is similar to the GDPR’s definition of personal data and stands in contrast to the CCPA’s definition of “personal information,” which separately lists each category of personal information to which the CCPA applies.
Similar to GDPR, the Act creates a “sensitive data” subset of personal data, which is defined as “(a) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status; (b) the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; (c) the personal data from a known child; or (d) specific geolocation data.”
What Rights are Created?
If enacted, the Act would create the following rights:
- Right of Access – consumers would have the right to both confirm whether or not a controller is processing personal data concerning them and to access such personal data.
- Right to Correction – consumers would have the right to correct inaccurate personal data held by controllers.
- Right to Deletion – consumers would have the right to delete their personal data.
- Right to Data Portability – when exercising the right to access personal data, consumers would have the right to obtain personal data concerning them in a portable and (to the extent technically feasible) readily usable format.
- Right to Opt Out – consumers would have the right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer.
Any Impact on Online Privacy Policies?
Yes. The Act would require data controllers to provide a privacy notice that identifies:
- The categories of personal data processed by the controller;
- The purposes for which the categories of personal data are processed;
- How and where consumers may exercise their rights, including how a consumer may appeal a controller’s action with regard to the consumer’s request;
- The categories of personal data that the controller shares with third parties, if any; and
- The categories of third parties, if any, with whom the controller shares personal data.
If a controller sells personal data to third parties or processes personal data for targeted advertising, it would need to disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing.
Who Will Enforce the Act?
The Washington Attorney General would have exclusive authority to enforce the Act, and could seek a civil penalty of up to $7,500 for each violation.
Would it Create a Private Right of Action?
No.
When Would it be Effective?
July 31, 2021.