Keypoint: The Washington Privacy Act is back.
The Washington state legislature will once again consider consumer data privacy legislation when it convenes on January 11, 2021. On January 5, 2021, Senators Reuven Carlyle and Joe Nguyen pre-filed the 2021 version of the Washington Privacy Act (WPA) (Senate Bill 5062). The WPA is scheduled for a public hearing on January 14, 2021 before the Senate Committee on Environment, Energy & Technology, which Senator Carlyle chairs.
In each of the past two years, a version of the WPA passed the Washington Senate without issue. In 2019, the bill failed in the House. In 2020, the House passed an amended version, but the two chambers were unable to reconcile their versions. In both years, the sticking point was the bill’s enforcement provisions.
The 2021 WPA is divided into four parts. Part 1 concerns the processing of personal data by the private sector. Parts 2 and 3, which are new to the WPA, concern the processing of personal data for public health emergencies, including contact tracing. Those parts were written in response to the COVID-19 pandemic. Part 4 contains miscellaneous provisions such as effective dates.
The discussion below focuses on Parts 1 and 4.
The law would apply to legal entities that conduct business in Washington or produce products or services that are targeted to Washington residents and that (1) during a calendar year, control or process the personal data of 100,000 or more Washington residents or (2) derive over 25% of their gross revenue from the sale of personal data and process or control the personal data of 25,000 or more Washington residents. Subject to certain exceptions, the WPA defines “sale” as “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.”
The WPA would not apply to many types of entities and data sets, such as state agencies, HIPAA-regulated protected health information, and GLBA-regulated personal data. However, higher education institutions, air carriers, and nonprofits would be covered starting July 31, 2026.
“Personal data” is broadly defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person,” but excludes deidentified and publicly available information. Further, the law would only apply to Washington residents acting in their individual or household context, and not in a commercial or employment context.
The WPA would provide consumers (i.e., Washington state residents) with the right to request that controllers (1) correct inaccurate personal data, (2) delete personal data, (3) confirm whether they are processing personal data about a consumer and, if so, allow the consumer to access the categories of personal data, (4) provide the personal data that a consumer previously provided to the controller in a portable and usable format, and (5) permit consumers to opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data to third parties, or certain types of profiling decisions. Controllers would have 15 days to act on opt-out requests and 45 days to act on other requests.
Controller / Processor Relationships
Similar to GDPR Article 28 and new provisions in the California Privacy Rights Act, the WPA would require data controllers to enter into written agreements with processors that, among other things, “set out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties.”
Processors also would need to secure approval from data controllers before using sub-processors and enter into appropriate sub-processing agreements.
Further, controllers and processors would be required to “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement such measures.”
Processors also would have to allow for, or contribute to, reasonable audits and inspections by the controller or the controller’s designated auditor or, alternatively, conduct an annual third-party audit subject to the controller’s consent to same.
Unsurprisingly, the WPA would require controllers to provide consumers with a privacy notice identifying, among other things, the categories of personal data the controller processes, the purposes for which the personal data are processed, how and where consumers may exercise their rights, the categories of third parties, if any, with whom the controller shares personal data, and whether the controller sells personal data or uses it for profiling.
Controllers also would be prohibited from processing personal data for purposes “that are not reasonably necessary to, or compatible with, the purposes for which the personal data is processed unless the controller obtains the consumer’s consent.”
Further, controllers would be prohibited from processing sensitive personal data without consent. Sensitive data is defined as “(a) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status; (b) the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; (c) the personal data from a known child; or (d) specific geolocation data.”
Data Protection Assessments
Similar to data processing impact assessments under GDPR Article 35, controllers would be required to conduct data protection assessments when processing personal data for certain functions such as targeted advertising, the sale of the data, certain types of profiling, the processing of sensitive data, and processing that presents a heightened risk of harm to consumers.
Data protection assessments would need to “identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks.”
The attorney general’s office would be entitled to request, and evaluate for compliance, data protection assessments as part of an investigation.
Section 111 of the 2021 WPA states that a violation “may not serve as a basis for, or be subject to, a private right of action under this chapter or under any other law.” However, in a change from the 2020 WPA, section 111 also states that “[r]ights possessed by consumers as of July 1, 2020, under chapter 19.86 RCW, the Washington state constitution, the United States Constitution, and other laws are not altered.” Chapter 19.86 RCW is Washington’s Consumer Protection Act.
Paragraph 8 of the Legislative Intent and Findings explains that the WPA would “exclusively empower the state attorney general to obtain and evaluate a company’s data protection assessments, to conduct investigations, while preserving consumers’ rights under the consumer protection act to impose penalties where violations occur, and to prevent against future violations.”
The above provisions would take effect on July 31, 2022. For context, the California Privacy Rights Act will become fully operative in January 2023 and enforceable on July 1, 2023.