Keypoint: While the Washington Privacy Act appears poised to pass the Senate, a competing bill introduced in the House of Representatives would require opt-in consent for processing, create an Illinois-like biometric information privacy structure, and allow for a private right of action.
On January 28, 2021, Washington state Representative Shelley Kloba filed HB 1433, entitled the People’s Privacy Act (WPPA). According to the Washington legislative website, the WPPA will be formally introduced on February 1, 2020.
The WPPA, which is supported by the Washington ACLU, is a competing bill to the Washington Privacy Act (WPA) introduced by Senator Carlyle in the Washington Senate. Although the WPPA and WPA are intended to address the same issue (consumer privacy), they approach it in very different ways.
The introduction of the WPPA certainly draws into question whether Washington lawmakers will be able to reach a compromise and finally pass consumer privacy legislation this year. At a minimum, it signals that the same obstacles that prevented a bill from passing in 2019 and 2020 are still present.
Below is a brief overview of the WPPA. For a summary of the WPA, see our article here. In addition, members of Husch Blackwell’s Data Privacy & Cybersecurity team will host a webinar to discuss all of the CCPA-like privacy bills proposed across the country, including the WPA and WPPA. To register, click here.
The WPPA would apply to “covered entities,” defined as “a person or legal entity that is not a governmental entity and that conducts business in Washington state, processes captured personal information, and (a) has earned or received $10,000,000 or more of annual revenue through 300 or more transactions or (b) processes and/or maintains the captured personal information of 1,000 or more unique individuals during the course of a calendar year.” The bill defines “individual” as a Washington resident.
As currently drafted, the WPPA would set a lower threshold for entities than the WPA. As discussed in our prior post, the WPA does not contain a revenue threshold and would apply to organizations that annually control or process the personal information of 100,000 or more Washington residents or derive over 25% of their gross revenue from the sale of personal data and process or control the personal data of 25,000 or more Washington residents.
The WPPA defines “captured personal information” as “personal information about a Washington resident that is captured in an interaction in which a covered entity directly or indirectly makes available information, products, or services to an individual or household. Covered interactions include but are not limited to posting of information, offering of a product or service, the placement of targeted advertisements, or offering a membership or other ongoing relationship with an entity.”
In turn, “personal information” is defined as “any information that directly or indirectly identifies, relates to, describes, is capable of being associated with, or could reasonably be linked to a particular individual, household, or device. Information is reasonably linkable to an individual, household, or device if it can be used on its own or in combination with other information to identify an individual, household, or device.”
The WPPA would provide Washington residents with the rights to:
- know what personal information a covered entity processes about the individual;
- access and obtain the individual’s personal information processed by a covered entity, in a machine-readable format;
- refuse consent for any processing of the individual’s captured personal information that is not essential to the primary transaction;
- correct inaccurate personal information;
- require a covered entity and/or data processor to delete all captured personal information of the individual; and
- not be subject to surreptitious surveillance.
Privacy professionals will no doubt recognize rights 1 through 5; however, right 6 (the right not to be subject to surreptitious surveillance) is new. The WPPA explains that a covered entity would be forbidden from activating the “microphone, camera, or any other sensor on a device in the lawful possession of an individual that is capable of collecting or transmitting personal information, without providing” a proper privacy notice and obtaining consent. Consent would last for only 90 days.
Unsurprisingly, the WPPA would require entities to provide privacy notices; however, the WPPA would require both a long form and short form privacy notice.
The short form privacy notice would be limited to no more than 500 words, excluding a list of third-party entities to whom information is disclosed. The WPPA discusses at length what would be required in a short form notice. The bill also would charge the Washington state department of commerce with providing a standardized short form notice. Interestingly, other than stating that entities must provide a long form privacy notice, the bill does not identify what that notice must state.
In a pointed divergence from the WPA, the WPPA would require opt-in consent for the processing of captured personal information. Similar to GDPR, the WPPA defines consent as “freely given, specific, informed and unambiguous.” For continuing interactions, covered entities would need to obtain consent annually. As with GDPR, consent could be freely withdrawn at any time. The WPPA would create certain exceptions to obtaining consent, such as if the collection is necessary to prevent death or serious physical injury. Covered entities would also be forbidden from discriminating against individuals if they fail to provide their opt-in consent or exercise their rights.
Covered entities would be required to “use practices that at least satisfy the reasonable standard of care within the covered entity’s industry for protecting captured personal information from disclosure.” The Washington department of commerce would be charged with developing appropriate security standards for captured personal information.
Before disclosing information to a third party, covered entities would be required to contractually bind the third party to “meet the same privacy and security obligations as the covered entity.” Covered entities also would be required to “exercise reasonable oversight and take reasonable actions, including auditing the data security and processing practices of third parties [they provide] captured personal information to at least once annually and ensure the third party’s compliance with such contractual provisions.” Notably, covered entities would be required to publish the results of the audit publicly on their websites.
Contracts with data processors also would need to (1) prohibit the data processor from processing the captured personal information for any purpose other than the purposes for which the individual provided the captured personal information to the covered entity; (2) require the data processor to meet the same privacy and security obligations as the covered entity; and (3) prohibit the data processor from further disclosing or processing captured personal information it has acquired from the covered entity except as explicitly authorized by the contract and consistent with the WPPA.
The WPPA would establish specific requirements for the collection and use of biometric information similar to those of the Illinois Biometric Information Privacy Act. This includes requiring covered entities to develop a written policy for retaining and destroying biometric information and to obtain informed consent for the processing of biometric information. Notably, Washington already has a biometric information privacy law, which is not referenced in the WPPA.
Private Right of Action
In another sharp contrast with the WPA, the WPPA would allow individuals to bring a civil action for violations of the WPPA. Individuals would be entitled to receive $10,000 per violation or actual damages and attorneys’ fees. The WPPA also would allow for other enforcement mechanisms such as Attorney General and city attorney enforcement.