On March 6, SB 5376, the Washington Privacy Act, passed the Washington Senate in an overwhelming 46-1 vote (with two members excused). Prior to its passage, the Senate adopted revisions and clarifications that would provide meaningful relief for businesses from some of the more onerous provisions of the legislation. As we reported in our blog post discussing the recently introduced legislation, the Washington Privacy Act anticipates that businesses will accord consumers certain GDPR-style rights and conduct risk assessments to weigh the potential privacy and security implications of data-processing activities. The revised legislation places important limitations and clarifications on the envisioned requirements for both consumer rights and risk assessments. In short, data processed for “business purposes” may be exempt from deletion in several circumstances, and such processing activities are presumptively permissible. Importantly, the legislation as amended still does not permit a private right of action, and still requires the attorney general to provide notice of alleged noncompliance and give businesses an opportunity to cure before bringing an enforcement action.
As originally proposed, the Washington Privacy Act provided for consumer rights and exceptions similar to those included under the GDPR. The revised legislation introduces additional exceptions to the deletion requirement when data is processed for business purposes. Borrowed largely from the CCPA, the bill defines “business purpose” as follows:
“Business purpose” means the processing of personal data for the controller’s or its processor’s operational purposes, or other notified purposes, provided that the processing of personal data must be reasonably necessary and proportionate to achieve the operational purposes for which the personal data was collected or processed or for another operational purpose compatible with the context in which the personal data was collected. Business purposes include:
(a) Auditing related to a current interaction with the consumer and concurrent transactions including, but not limited to, counting ad impressions, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards;
(b) Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity;
(c) Identifying and repairing errors that impair existing or intended functionality;
(d) Short-term, transient use, provided the personal data is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction including, but not limited to, the contextual customization of ads shown as part of the same characterization;
(e) Maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, or providing financing;
(f) Undertaking internal research for technological development; or
(g) Authenticating a consumer’s identity.
The revised legislation would exempt businesses from the obligation to delete consumer data under various circumstances if the business has a business purpose for retaining and processing the data. For example, if the processing in question requires consent and the consumer withdraws consent, a business may continue to process that data if the business has a business purpose for doing so. Similarly, if a consumer objects to processing, a business must delete the data if “(A) there are no business purposes for processing the personal data for the controller, the consumer whose personal data is being processed, or the public, for which the processing is necessary; or (B) the processing is for targeted advertising.”
Additionally, whether a business is processing data for business purposes will play a crucial role in evaluating the permissibility of processing when a risk assessment is conducted. Under the Washington Privacy Act, businesses will have to conduct risk assessments for any processing activity for which an assessment has not previously been conducted, and again whenever the processing activity changes in a way that “materially increases the risk to consumers.” If, after the risk assessment, the business determines that the “potential risks of privacy harm to consumers are substantial and outweigh the interests of the controller,” the processing is permissible only with the consent of the consumer or if an exemption (such as processing to fulfill a contract with the consumer, to protect the vital interests of the consumer, or to detect and respond to security incidents) applies. Under the revised legislation, processing for business purposes is presumptively permissible unless both of the following are true:
- The processing involves sensitive data, defined as personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, genetic or biometric data, or data regarding children; and
- “[T]he risk of processing cannot be reduced through the use of appropriate administrative and technical safeguards.”
As reported in our original blog post, the legislation as initially proposed would limit organizations’ ability to make significant decisions about the consumer based upon profiling unless the processing is necessary for performing a contract with the consumer, permissible under law or based on the consumer’s consent. Additionally, the original bill would have required businesses to make disclosures regarding profiling at the same time or before obtaining the data. As with the GDPR, the original legislation would have required such notice to contain “meaningful information about the logic involved and the significance and envisaged consequences of the profiling.” The revised legislation largely eliminates the restrictions on profiling and the notice requirements contemplated in the original bill.
If the legislation’s path through the Senate provides any insight into its prospects in the House, the Washington Privacy Act may follow an expedited route to passage. Originally introduced on Jan. 18, 2019, the bill garnered nearly unanimous approval in the Senate in less than two months. Given that the Senate is designed to be the slower, more deliberative body, the speed with which the legislation passed suggests that the legislature is motivated to enact meaningful privacy legislation. Jay Inslee, Washington’s governor and a potential 2020 presidential candidate, has also expressed support for more robust privacy legislation. With similar legislation gaining traction around the country, all signs point to smooth sailing for the Washington Privacy Act.