The Washington State Senate showed some love to privacy rights on Valentine’s Day by overwhelmingly passing Senate Bill 6281, Senator Carlyle’s Washington Privacy Act (WPA), by a vote of 46-1. The next stop for the comprehensive privacy law will be the state House of Representatives.
This is the second attempt at passing the law; it failed to pass the House vote in 2019. The House proposed its own version of the landmark bill, House Bill 2742, on February 7, 2020, which calls for significantly more relief than Senate Bill 6281: it proposes a private right of action with penalties up to $50,000 per violation, and up to $100,000 for intentional violations.
Taking a Cue from the CCPA & GDPR
Because the Washington Privacy Act builds on core elements of the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR), there are many familiar concepts and rights laid out in the law. These include the right to know who is collecting consumers’ personal information (PI) and why it’s being collected, the right to delete personal data, the right to opt out of the processing of personal data in certain areas (specifically opting out of the sale of PI, targeted ads, and profiling as it relates to healthcare, housing, and employment opportunities), and the right to correct inaccurate personal information. The law also requires businesses to disclose their data management policies to demonstrate transparency.
Consumer Privacy Rights
There are 5 primary data privacy rights laid out in the law:
- Right to access personal data and to determine whether the consumer’s personal data is being processed;
- Right to correction of inaccurate data regarding the consumer;
- Right to deletion of personal data;
- Right to data portability of personal data regarding the consumer;
- Right to opt out of data processing.
Scope of the Law
The Washington Privacy Act applies to legal entities doing business in the state of Washington or targeting products and services to Washington residents. In addition, these businesses must either process the personal information of at least 100,000 consumers a year, or generate more than 50% of their gross revenue from the sale of personal data while also controlling or processing the personal information of at least 25,000 consumers.
The Washington Privacy Act places several additional obligations on controllers. Data minimization and purpose limitation are among the requirements found in the WPA and not in the CCPA. Controllers must have an internal process for consumers who want to appeal a refusal to act on a request. Controllers are also required to undertake data protection assessments in specific circumstances, such as the processing of sensitive data and processing activities that present a high risk to consumers and involve personal information.
The law carves out certain exemptions, including:
- Information gathered for research purposes
- Information subject to the Health Insurance Portability and Accountability Act (HIPAA)
- Information subject to the Federal Education Rights and Privacy Act (FERPA) or the Gramm-Leach-Bliley Act
- State and local governments
- Municipal corporations
- Voluntary participation in a bona fide loyalty rewards program (specifically relating to discrimination against consumers exercising their rights)
The WPA has a proposed effective date of July 31, 2021, with enforcement being handled by the Washington Attorney General, a common trend in state privacy laws like the CCPA. The WPA would also preempt any other state or local laws or ordinances relating to the processing of personal data. It does not include a private right of action at this point and has outlined penalties not exceeding $7,500 per violation. However, a private right of action is something the Washington House has argued in favor of and included in its proposed version of the law, calling for the highest amount of statutory monetary penalties of any proposed U.S. state privacy law to date.