On March 6, 2019, the Washington State Senate passed Senate Bill No. 5376, the Washington Privacy Act (“WPA”). Citing the rapid growth in the volume and variety of personal data being generated, collected, stored, and analyzed, as well as the recently effective EU General Data Protection Regulation (“GDPR”), the Washington State Senate voted to enact significant obligations and restrictions on certain businesses that handle the personal data of Washington residents or use facial recognition technology.
Obligations Under the WPA
The WPA borrows the controller-processor designations from the GDPR and identifies obligations for each role. A “controller” determines the purposes and means of the processing of personal data, whereas a “processor” collects, uses, stores, discloses, analyzes, deletes, or modifies personal data on behalf of the controller.
If signed into law, the WPA would require controllers to facilitate verified requests to:
- confirm whether a consumer’s personal data is being processed and provide access to such personal data;
- correct inaccurate consumer personal data;
- delete the consumer’s personal data if no exceptions apply;
- restrict the purposes for which personal data is processed; and
- provide consumers with their personal data in a portable format.
The WPA also imposes additional restrictions on certain uses of facial recognition technology. Processors that provide facial recognition services must contractually prohibit controllers from using such services to unlawfully discriminate against individuals or groups of consumers. In addition, controllers must obtain consumer consent prior to deploying facial recognition technology in physical premises open to the public. If a controller posts conspicuous notices in these physical premises, then consent may be implied.
Applicability and Enforcement
The WPA would apply to entities that conduct business in Washington or produce products or services that are intentionally targeted to residents of Washington, and either:
- process or control the personal data of at least 100,000 Washington consumers; or
- derive fifty percent of their gross revenue from the sale of personal data, and process or control the personal data of at least 25,000 Washington consumers.
“Personal data” means any information relating to an identified or identifiable natural person, except for deidentified data and publicly available information from federal, state, or local government records. And, similar to the California Consumer Privacy Act (“CCPA”), a “consumer” under the WPA includes a natural person that is a resident of the state. But, unlike the CCPA, the WPA expressly excludes natural persons acting in a commercial or employment context.
As for enforcement, the Washington Attorney General would have the power to enforce the WPA and obtain up to $2,500 for each violation or $7,500 for each intentional violation. There is currently no private right of action.
What This Means For You
The WPA is now pending before the Washington House of Representatives. If the bill is signed into law, Washington will be the first state to adopt comprehensive privacy legislation after last year’s enactment of the CCPA. Several other states are currently considering comprehensive privacy legislation of their own, while Congress is considering a comprehensive federal privacy law. Whether the next comprehensive privacy law passes at the state or federal level, companies should stay informed of these legislative developments and adjust their compliance strategies accordingly.