On Jan. 11 Washington State Sen. Reuven Carlyle introduced SB 5062, the Washington Privacy Act (WPA). Its predecessors, SB 6281 and SB 5376, failed to pass in 2020 and 2019, respectively. A public hearing was held before the Environment, Energy & Technology Committee on Jan. 14, and the bill is scheduled for a committee executive session on Jan. 21. Sen. Carlyle thoughtfully released a draft of the legislation in September 2020.
The legislation contains many requirements found in the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), but also focuses on the roles and responsibilities of “controllers” and “processors” like the EU’s General Data Protection Regulation (GDPR). It addresses both data privacy and data security concerns as well as contact tracing.
The legislation “applies to legal entities that conduct business in Washington or produce products or services that are targeted to residents of Washington, and that satisfy one or more of the following thresholds:
- During a calendar year, controls or processes personal data of 100,000 consumers or more; or
- Derives over 25 percent of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more.”
From 2020, this increases the number of entities that would be subject to the act by decreasing the gross revenue threshold from 50 percent to 25 percent.
For the most part, the WPA generally excludes from its provisions the same information and entities as the CCPA, including “[p]ersonal data collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley act. . .”
The legislation gives consumers certain rights regarding the processing of their personal data, defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person,” and “does not include deidentified data or publicly available information.”
Specifically, consumers are granted the right to access, correct, delete and receive their personal data as well as to opt-out of its processing for certain purposes, such as for targeted advertising, sale or profiling. A “sale” is “the exchange of personal data for monetary or other valuable consideration by the controller to a third party,” subject to a number of exclusions.
A consumer has the right to appeal any decision made by a controller with respect to a request, instructions for which must be “conspicuously available,” and the controller must also “provide the consumer with an email address or other online mechanism” for submitting the appeal, and any response, to the attorney general. Additionally, when informing a consumer of the results of the appeal, a consumer must be informed how to file a complaint with the Attorney General’s Consumer Protection Division.
A controller’s privacy notice must include:
- The categories of personal data processed;
- The purposes for which the categories of personal data are processed;
- How and where consumers may exercise the rights;
- The categories of personal data that the controller shares with third parties; and
- The categories of third parties with whom personal data is shared.
The legislation places restrictions on the processing of “Sensitive Data,” which is:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status;
- Genetic or biometric data for the purpose of uniquely identifying a natural person;
- Personal data from a child; or
- Specific geolocation data.
Sensitive data cannot be processed without first obtaining consent from the consumer or, when applicable, a child’s parent or guardian.
Controllers & Processors
A processor must follow the instructions of the controller, which must be dictated by a contract that “sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties.” This requirement also applies to the relationship between processors and their subcontractors.
Without consumer consent, controllers “may not process covered data for purposes that are not reasonably necessary to, or compatible with, the covered purposes for which the personal data is processed.”
Controllers are required to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices” that are “appropriate to the volume and nature of the personal data at issue.” Additionally, they must conduct data protection assessments that must be provided to the Attorney General if requested in relation to an investigation. The assessments would not be available to the public.
The legislation does not create a private right of action, except as described below with respect to contact tracing.
Enforcement is vested with the Attorney General, but there is a 30-day cure provision. An uncured violation is considered “an unfair or deceptive act in trade or commerce, and an unfair method of competition for the purpose of applying the consumer protection act,” and may result in an injunction or a civil penalty up to $7,500 per violation.
The legislation also addresses contact tracing, or “covered purpose,” defined as “processing of covered data concerning a consumer for the purposes of detecting symptoms of an infectious disease, enabling the tracking of a consumer’s contacts with other consumers, or with specific locations to identify in an automated fashion whom consumers have come into contact with, or digitally notifying, in an automated manner, a consumer who may have become exposed to an infectious disease, or other similar purposes directly related to a state of emergency declared by the governor . . .”
Generally, contact tracing information cannot be processed unless an individual is provided with a privacy notice and gives consent, and controllers and processors have responsibilities similar to those with respect to personal data.
Unlike the enforcement provisions appliable to personal data, a violation of the contact tracing provisions allows for a private right of action.
The sections relating to the processing of personal data would take effect July 31, 2022. The sections pertaining to contact tracing would take effect immediately upon enactment.