If nature abhors a vacuum, then apparently so too does legislation. Between the EU General Data Protection Regulation and the still-evolving California Consumer Privacy Act (CCPA), there has been much discussion amongst us privacy wonks as to whether this is the time for a comprehensive federal privacy law to succeed. Whether or not that is the future, state legislatures are not standing by waiting patiently for Congress to act. On January 17th, Washington State legislators introduced Senate Bill 5376 (with a companion bill introduced concurrently in the House, HB 1854), which aims to achieve many of the CCPA’s goals with the hindsight of the CCPA’s current weaknesses.
Organizations throughout the US (and potentially beyond) would be well-served to track developments in California and other states closely as these laws are not limited to activities occurring within their jurisdictions.
The Washington Privacy Act has clearly taken its lead from the principles evident in the GDPR as well as operational demands in both the GDPR and the CCPA. The foundation of these three is a desire to give consumers more control over their personal data.
One of the striking aspects of the CCPA is the unusually broad (at least for US legislation) definition of personal information, including a litany of potential links to individuals such as an IP address or biometric data. Washington State eschewed the list approach and simply adopted the EU model and vocabulary. Specifically, “‘personal data’ means any information relating to an identified or identifiable natural person. Personal data does not include deidentified data.” (To cloud the issue, at least in the Northwest United States, Oregon is considering legislation banning the unauthorized sale of deidentified health information.) The WPA, like the CCPA, excludes data sets that are already regulated by federal law, such as health care data (under HIPAA) or financial data.
Largely mirroring the GDPR and the CCPA, if the WPA becomes law, individuals will have the right under certain circumstances to:
- Access: Consumers may obtain a copy of the data that an organization possesses about them.
- Deletion: Consumers may request that organizations delete data about them.
- Correction: Consumers may request that companies correct inaccurate data.
- Restriction: Consumers may request that organizations restrict the purposes for which data is processed.
- Portability: On request, organizations must provide consumers with their data in a “structured, commonly used, and machine-readable format” to enable the consumer to switch to another organization/service provider.
- Objection: Consumers may object to their data being processed for direct marketing, or for any other purpose, so long as the organization processing the data does not have overriding legitimate grounds for continuing the processing.
- Profiling: Organizations may not make decisions based on profiling a person’s economic situation, health or other specific factors unless the consumer consents, the decision is necessary for the performance of a contract with the consumer, or the profiling is permitted by state or federal law.
Under the WPA, companies would have 30 days to respond to requests from consumers in most cases, with the potential extension for another 60 days for difficult or voluminous requests. These obligations will potentially apply to any organization handling the data of over 100,000 Washington State residents or possessing data on 25,000 residents and deriving 50% of their revenue from the sale of personal information. As we have seen from recent state laws targeting data brokers, the purchase and resale of consumer data garners special attention.
The WPA is currently scheduled to go into effect December 31, 2020.
As in the GDPR, companies must conduct risk assessments to determine if the security of personal information might be compromised by a particular practice or use. As readers will expect, many American companies are already required to do this for EU personal data. Washington legislators simply seek equal protection for their constituents, and in the recitals of the WPA the legislators state that “the European Union recently updated its privacy law through the passage and implementation of the general data protection regulation, affording its residents the strongest privacy protections in the world. Washington residents deserve to enjoy the same level of robust privacy safeguards.”
The WPA is still at the early stages of consideration, but already demonstrates improvements over the CCPA. For example, “consumer” does not include a person in their role as an employee, and there is no private right of action in the current draft.
So, in the absence of federal legislation in such a topical subject area, the states are leading the way. Stay tuned to see how the legislative details evolve and how they might affect your business.