Following the GDPR, the California Consumer Privacy Act (CCPA) and other newly introduced state privacy legislation, the Washington Senate has proposed its own GDPR-like consumer privacy act. Washington Senate Bill 5376, the Washington Privacy Act, as first proposed on January 22, 2019, and substituted February 24, 2019, applies “not only to technologies and products of today but to technologies and products of tomorrow.” If approved, it will go into effect July 31, 2021.
The Act will apply to legal entities that conduct business in Washington or produce products or services that intentionally target Washington residents. These entities must also either (1) control or process data of at least 100,000 consumers or (2) derive 50 percent of gross revenue from the sale of personal information and process or control personal information of at least 25,000 consumers. Under the Act, personal data is any information that is linked or reasonably linkable to an identified or identifiable natural person.
The Act is modeled after the European Union’s General Data Protection Regulation (GDPR) and it is drafted to ensure that Washington residents “enjoy the same level of robust privacy safeguards” found under the GDPR.
Washington consumers’ right to privacy is at the forefront of the Washington Privacy Act. Consumers are given the power to (1) request that controllers of their personal data provide them with detailed information about the personal data that is held and processed, (2) request modification of incorrect personal data, (3) request deletion of their personal data, (4) withdraw consent for personal data processing, and (5) request that controllers stop processing personal data for direct marketing purposes.
Controllers will have 30 days to respond to a consumer’s verified request. There can be a 60-day extension only when there is a complex request or if a controller needs more time due to multiple requests. Further, this information must be provided to the consumer free of charge unless a controller proves the request is unfounded, excessive, or repetitive in character.
Businesses need to be prepared to be transparent and accountable regarding the processing of personal data. Businesses must also conduct risk assessments for each of their processing activities involving personal data and additional risk assessments when there is a change in processing that materially increases the risk to consumers. Entities that control data or process data must exercise reasonable oversight when using data and must comply with any contractual commitments to protect consumer data.
The Washington Privacy Act places an emphasis on protecting consumer privacy from the increasing use of biometric facial recognition technology. Entities providing facial recognition services are required to provide customers and consumers with information that explains the capabilities and limitations of the technology they use. The Act also seeks to protect consumers from discrimination by requiring processors that provide facial recognition services to use contracts to prohibit those that use their devices from using facial recognition to unlawfully discriminate against individuals or groups of consumers. Data controllers must also obtain consent from consumers prior to deploying facial recognition services in physical premises open to the public.
The Act even prohibits law enforcement from using facial recognition in certain instances. Washington state and local government agencies will be prohibited from using facial recognition technology to engage in ongoing surveillance of specific individuals in public spaces unless such surveillance is in support of law enforcement activities and there is a court order or emergency involving imminent danger or risk of death or serious physical injury to a person.
If the Act becomes law, violations could result in penalties of up to $2,500 per violation or up to $7,500 for an intentional violation of the Act.