On Jan. 17, 2019, a new privacy law was proposed in the Washington state Senate. If passed, the Washington Privacy Act would impose far-reaching responsibilities on companies to protect the privacy of “personal data.” Lifting many provisions almost entirely from the text of the European Union’s General Data Protection Regulation (GDPR), the legislation would arguably make Washington one of the most privacy-protective states in the nation. In this article, we explore the contours of the Washington Privacy Act and the practical implications for organizations subject to the legislation, if enacted.
The proposed legislation broadly mandates that consumers are entitled to certain rights with regard to their data. Largely mirroring the GDPR, if enacted, individuals will have the right under certain circumstances to:
- Access: Consumers may obtain a copy of the data that an organization possesses about them.
- Deletion: Consumers may request that organizations delete data about them.
- Correction: Consumers may request that companies correct inaccurate data.
- Restriction: Consumers may request that organizations restrict the purposes for which data is processed.
- Portability: On request, organizations must provide consumers with their data in a “structured, commonly used, and machine-readable format” to enable the consumer to switch to another organization/service provider
- Objection: Consumers may object to their data being processed for direct marketing, or for any other purpose, so long as the organization processing the data does not have overriding legitimate grounds for continuing the processing.
- Profiling: Organizations may not make decisions based on profiling a person’s economic situation, health or other specific factors unless the consumer consents, the decision is necessary for the performance of a contract with the consumer, or the profiling is permitted by state or federal law.
Under the Privacy Act, companies would have 30 days to respond to requests from consumers in most cases, but would have 60 additional days for particularly difficult or voluminous requests.
If enacted, the Privacy Act would mandate that companies include information in their privacy notices regarding the types of personal data collected, the purposes for which that data is used and disclosed, the rights consumers may exercise under the Privacy Act, the categories of personal data shared with third parties, and the categories of third parties with which the company shares data. The Privacy Act would require companies that use consumers’ data for direct marketing or that sell consumer data to data brokers to prominently disclose those uses and inform consumers how to object. Organizations that engage in profiling would be required to disclose the profiling at or before the point of data collection, “including meaningful information about the logic involved and the significance and envisaged consequences of the profiling.” Additional disclosures would be required for organizations that provide services utilizing facial recognition technology.
The Privacy Act would require companies to undertake an assessment to evaluate the potential privacy or security impact of processing personal data. Companies would also be required to conduct risk assessments whenever the processing changes in a way that “materially impacts the risk to individuals” and at least annually.
Policing Vendors and Service Providers
The responsibility for complying with the Privacy Act rests with the data controller, defined as “the natural person or legal person which alone or jointly with others, determines the purpose and means of the processing.” The Privacy Act sets an expectation that controllers will enter into agreements with service providers that receive data about individuals, for the purpose of setting data privacy and security standards for processing that data.
If enacted, the Privacy Act will apply to organizations that control or process the data of 100,000 or more consumers or that derive more than 50 percent of their gross revenue from the sale of personal data, and that process data regarding at least 25,000 consumers. Regulated entities such as financial institutions and healthcare facilities would be exempt under the legislation. More notably, employee data is exempted under the legislation, marking an important distinction from the scope of the GDPR, which applies to consumer and employee data alike.
Personal data is defined broadly in the Privacy Act as “any information about an identified or identifiable natural person[,]” borrowing from the definition of “personal data” used in the GDPR. The Privacy Act’s definition of “personal data” is notably broader than the definition of “personal information” under Washington’s data breach notice statute. Thus, the Privacy Act attempts to establish a baseline level of protection for all consumer personal data, while pragmatically leaving in place Washington’s data breach law, which requires notice to individuals only when the most sensitive types of data (such as Social Security numbers and credit card numbers) are affected.
The Privacy Act would place additional restrictions on organizations attempting to use facial recognition technology. Organizations employing this technology would be required to provide notice to consumers in easy-to-understand language and obtain consent. If an organization notifies consumers by conspicuous posting in the physical premises or on a website where facial recognition technology is used, consent may be implied if the consumer enters the premises or continues to utilize the online service. These requirements would supplement Washington’s existing biometric privacy law, which requires companies to provide notice and obtain consent before selling, leasing or disclosing any type of biometric data for a commercial purpose.
Organizations that would be subject to the Washington Privacy Act are likely to be subject to a patchwork of statutory requirements in various states. The California Consumer Privacy Act is set to take effect on Jan. 1, 2020, and a suite of new privacy bills has recently been proposed. As more states pursue comprehensive privacy legislation, the prospect of a federal privacy framework that pre-empts state regulation may be more realistic than ever, with several major tech companies recently voicing support. Whether imposed at the state or federal level, a trend toward GDPR-like privacy rights is underway, and compliance with these laws will require companies to have a strong grasp of the data that they process and the third-party organizations that process data on their behalf. Good data hygiene will be imperative for operating across jurisdictions in a borderless data economy.