Privacy Bill Essentials: Washington

* Update on April 28, 2021: The Washington Legislature closed on April 25, 2021 without voting on the Washington Privacy Act (WPA), thus Washington has failed to pass a privacy bill for the third straight year. The deadline for the vote was April 11, 2021, but the bill’s author, Senator Carlyle, tried to keep it alive by holding out until the close of legislation. With that having ended as well, the WPA is dead for 2021. 

The state of Washington is making another attempt at passing a privacy bill. Earlier this month, the Washington Privacy Act passed the Senate and has now moved to the House of Representatives. Although it has the support of large tech companies like Microsoft and Amazon, it is facing pushback from consumer groups who are demanding a private right of action be included.

To whom would it apply?

The Washington Privacy Act would apply to all legal entities that conduct business in Washington or produce products or services that are targeted to Washington residents (referred to as "consumers") who meet one or both of the following criteria:

• Control/process the personal data of 100,000 or more consumers in a given calendar year; or
• Derive more than 25% of the gross revenue from the sale of personal data AND process/control the data of 25,000 or more consumers

The Act exempts certain entities such as state agencies and local governments.

What types of information would it cover?

The Act would cover any information that is linked or reasonably linkable to an identifiable person. It would not include deidentified (anonymized) data or publicly available information. Certain types of information, such as information subject to HIPAA and GLBA, would not be covered by the Act.

What rights would it create?

The bill would create a number of consumer rights, including the right to:

• Confirm whether or not an entity is processing the consumer's personal information;
• Access the categories of information an entity is processing;
• Access a transferrable copy of the information the consumer has already provided to the entity up to twice a year;
• Correct any inaccurate data concerning the consumer;
• Delete any data concerning the consumer;
• Opt-out of the processing, or sale of consumer data;
• Opt-out of any profiling done using the consumer's personal data; and
• Appeal any denials for copies of a consumer's personal information.

What obligations would it impose?

Under the bill, businesses would be required to:

• Provide at least one secure means for consumers to request their personal information;
• Respond to consumer requests regarding their data within 45 days;
• Provide reports of consumer data free of charge unless it is clear the request is unreasonable;
• Work with vendors to ensure appropriate compliance and confidentiality methods are in place;
• Provide a privacy notice that shares what if anything is sold along with what is stored and how;
• Limit data collection to only the amount that is absolutely necessary;
• Take reasonable steps to maintain the confidentiality of information collected; and
• Conduct regular data protection assessments.

How would it be enforced?

The rights provided by the Act would only be enforced by the attorney general. No private right of action is provided for. If a violation is discovered, the attorney general would be required to provide the entity with 30 days to resolve the issue prior to filing any complaint. After that, an entity found in violation of the act could be fined up to $7,500 per violation plus any costs the state incurred in enforcing the act. Further, the bill would create an exception for any contracts that a consumer may enter into with the business that negates anything set forth in the bill. It does not however, specifically define how the term "contract" will be interpreted. Finally, some of the language seems to imply liability only for knowing violations of the Act, so it is unclear if and what consequences there would be for unintended data breaches.

When would it go into effect?

The Act is slated to take effect on July 31, 2022. Certain sections would not apply to higher education or nonprofit organizations until July 31, 2026.

Where does it stand?

The Washington Privacy Act is currently being considered by a House committee, and is scheduled to be reviewed on March 26, 2021.