While the federal government continues to work on a national program of consumer privacy safeguards, Washington is on the brink of joining California in a West Coast wave of consumer privacy legislation. In January 2020, a bipartisan group of Washington legislators presented new legislation for a privacy act that looks to surpass the recent California Consumer Privacy Act (“CCPA”) as the most protective consumer privacy act in the country.
The Washington legislation – the simply titled (and easy to remember) Washington Privacy Act (“WPA”) – proposes comprehensive baseline consumer privacy protections concerning corporate responsibility for the collection, use, and disclosure of consumer data in Washington. For those of you who have already taken steps to comply with the CCPA, don’t count on duplicating your CCPA compliance protocols for WPA compliance. In several areas, the WPA provides greater protection and more obligations than the CCPA. We highlight some of these important differences below.
What’s Different Between the WPA and the CCPA?
The WPA provides rights to residents of Washington, and places obligations on a wide swath of entities that either do business in Washington, or target Washington residents as consumers of their services and products. Specifically, the WPA applies to all non-government legal entities that conduct business in Washington or produce products or services that are targeted to residents of Washington, and that meet one of the following criteria:
- Controls or processes personal data regarding 100,000 or more consumers during a calendar year; or
- Derives over 50% of gross revenue from the sale of personal data and processes or controls personal data of 25,000 or more consumers.
Notably, this casts a wider net of covered entities than the CCPA, which only applies to “for-profit companies” that do business in California. This means that, under the WPA, even if your company does not conduct business in Washington, if your services or products are targeted to Washington residents – for example, through advertising – your company will be required to comply with the WPA.
However, employers may be relieved to find that in contrast to the CCPA, the WPA’s definition of consumer explicitly excludes “a natural person acting in [an] employment context.”
Right to Correction
Consumers under both statutes have similar rights regarding their personal data. For example, under both laws, consumers have the right to access the personal data collected by covered entities, the right to have personal data deleted, and the right to opt out of the sale of personal information.
However, the WPA goes further in providing additional rights to consumers. Primary among them is the right to correction. Consumers under the WPA have the right to correct inaccurate personal data. This ability to correct personal data is not available to consumers under the CCPA.
Right to Data Portability
Another significant difference between the WPA and CCPA as it pertains to consumer rights is the right to data portability. Under the WPA, a consumer has the right to obtain personal data in a portable and readily usable format that allows the consumer to transmit the data to another controller. This right does not exist for personal data under the CCPA.
Right to Appeal
The WPA also goes beyond the CCPA in requiring that covered entities establish an internal process for consumers to appeal a refused request regarding the rights discussed above as to personal data. Depending on the appeal, this may involve back-and-forth correspondence with a consumer explaining the decision, and even a report of the refusal decision to the Washington attorney general. This is in contrast to the CCPA’s mainly one-sided, entity-to-consumer communications for refused requests.
What Does This Mean For My Business?
Although Washington legislators proposed a similar bill last year that just missed passing into law in 2019, the legislature shows no signs of slowing its push for some form of consumer privacy protection bill. To the extent you are a company (or non-profit entity) that either does business in Washington or targets Washington residents as potential consumers, you should consult with legal counsel sooner rather than later to ensure you are able to meet the WPA’s requirements if the bill passes.
For those businesses that have already taken steps to comply with the CCPA, do not assume that your CCPA compliance steps will automatically protect you under the WPA – or any other state consumer privacy legislation that emerges over the next few years (such as the currently active bills in Florida, Massachusetts, New York, and Virginia, among other states).
Keep a close eye on this space for further developments as the 2020 WPA approaches a vote in the Washington legislature.