A new bill, titled the “Washington Privacy Act” (“WPA”), was introduced in the Washington State Senate on January 18, 2019. If the bill is enacted, Washington would follow California, which passed the California Consumer Privacy Act (“CCPA”) on June 28, 2018, as the second state to adopt a comprehensive privacy law.
Several key provisions of the WPA track the requirements set forth in the CCPA, but while the CCPA is scheduled to go into effect on January 1, 2020, the WPA is still being debated in the legislature and has not been signed into law. Nevertheless, businesses currently working toward compliance with the CCPA should be cognizant of the WPA as well because, if passed, the WPA will apply to most businesses that collect consumer data from Washington State residents. In particular, the WPA applies to businesses that: (1) control or process data of 100,000 or more Washington State consumers; or (2) derive fifty percent (50%) or more in gross revenue from the sale of personal information of residents of any state, and process or control personal information of 25,000 or more Washington State consumers.
What Steps Should I Take to Comply with the Washington Privacy Act (WPA)?
Key Elements of the Washington Privacy Act (WPA)
The WPA, like the CCPA and the European Union’s General Data Protection Regulation (“GDPR”), follows a worldwide trend compelling businesses through legislation to provide consumers with more information about, and control over, the collection, use and sharing of their personal data. Below is a partial list comparing some of the notable provisions of the WPA and the CCPA, together with some of the similarities and differences between the two laws:
- The definition of personal data/information under the WPA has similarities to, and significant differences from, the way personal information is defined under the CCPA. “Personal Data” is defined under the WPA as “any information relating to an identified or identifiable natural person. Personal data does not include deidentified data.” The CCPA establishes a more expansive standard, which includes information that is linked to a given “household,” which could include a physical address that is not directly linked to an individual;
- Both the WPA and CCPA require that businesses inform consumers about the categories and specific types of personal data that such entities collect from or about consumers, and how that information will be used;
- Both the WPA and CCPA grant consumers similar rights in terms of accessing, and obtaining copies of, the personal information that businesses process. Accordingly, businesses that are already compliant with the CCPA’s requirements to track the sharing of personal data will likely not need to take additional steps to ensure compliance with the WPA’s data mapping requirements beyond extending the scope of their data mapping to include Washington State residents;
- Under both the WPA and CCPA, businesses must provide consumers with the ability to opt out of any sale of personal information. However, the WPA has a slightly narrower definition of “sale,” which is limited to the exchange of personal data to a third party “for purposes of licensing or selling personal data at the third party’s discretion to additional third parties,” while excluding any exchange that is “consistent with a consumer’s reasonable expectations considering the context in which the consumer provided the personal data to the controller.” Similarly, both Acts grant consumers the right to have their personal information deleted;
- The WPA has two features that are not present in the CCPA. First, businesses may not make decisions based on profiling a consumer’s economic situation, health or other specific factors unless: (1) that consumer consents to such profiling in advance; (2) the profiling decision is necessary for the performance of a given contract with the consumer; or (3) the profiling is otherwise expressly permitted by State or federal law. Second, the WPA includes provisions restricting the use of facial recognition technology, absent prior consent;
- Both the WPA and CCPA require that businesses adopt organization-wide security protocols that are appropriate to safeguard collected consumer data. However, the WPA places additional requirements on businesses to safeguard (and abstain from using) “sensitive data,” which is defined as “personal data revealing racial or ethnic origin, religious or philosophical beliefs, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning a minor, data concerning health, or data concerning a natural person’s sex life or sexual orientation”; and
- Both the WPA and CCPA grant consumers the right to have businesses delete all copies of the consumer’s personal information from those businesses’ respective databases, and the databases of third parties with which they have shared such information (other than where such businesses are required by law, or the applicable contractual relationship with the consumer, to maintain copies of same).
Liability Under the WPA
The penalty provisions of the WPA closely mirror those set forth in the CCPA. The Washington State Attorney General is responsible for enforcing the WPA, with no private right of action available to consumers (whereas the CCPA allows for a limited private right of action where businesses fail to “implement and maintain reasonable security procedures and practices”). Businesses that violate the WPA can be fined Two Thousand Five Hundred Dollars ($2,500.00) for each violation, and up to Seven Thousand Five Hundred Dollars ($7,500.00) for each intentional violation. While the WPA has yet to be signed into law, given the prevailing consumer data privacy law trends in this country (and globally), businesses should consult with experienced marketing and privacy counsel in order to ensure that their businesses are fully compliant with the latest state, federal and international legal requirements.