Washington state may be leading the charge on privacy legislation in 2020. The state legislature introduced several privacy bills during the first week of its 2020 legislative session, including an updated version of the Washington Privacy Act (“WPA” or “Act”)—a comprehensive data protection framework modeled after the California Consumer Privacy Act (“CCPA”) and the European Union General Data Protection Regulation (“GDPR”).
The reintroduction of the Act comes on the heels of the January 1, 2020 effective date of the CCPA. Although consistent with the CCPA in many ways, the Act would provide Washington consumers with rights that extend beyond those granted to Californians under the CCPA and would impose GDPR-like requirements on both controllers and processors. The WPA also includes new requirements not found in the GDPR or CCPA, such as an entire detailed section focused exclusively on facial recognition technology.
The WPA is likely to undergo at least a few revisions before a final vote, and has already seen some changes this session—a substitute bill replaced the original version following a committee hearing on January 23rd. Although the substitute bill contains some minor revisions, the core provisions of the Act remain fundamentally the same. Below are some notable aspects of the WPA as amended on January 27, 2020.
1. Expansion of Consumer Rights
In addition to access and deletion rights, the WPA grants consumers a right to correct inaccurate personal information. The Act also has broader opt-out rights—giving consumer the ability to opt out of (i) the use of their data for certain forms of targeted advertising, (ii) “profiling” in furtherance of decisions that produce significant effects on them, and (iii) the “sale” of their data, which is defined somewhat differently than in the CCPA.
2. Increased Responsibilities for Controllers
Controllers would face an increase in responsibilities under the WPA. Like the CCPA, the WPA requires that controllers provide privacy notices that contain information such as the categories of personal data processed by the controller, the purposes for which the data is processed, and the categories of third parties with whom consumers’ personal data is shared. The WPA further requires, however, that controllers “clearly and conspicuously disclose” whether they process personal data for targeted advertising and that they provide for an appeals process in instances where the controller denies a consumer’s request to exercise WPA rights. Controllers are also subject to purpose specification and data minimization requirements and must conduct data protection assessments of certain processing activities, such as the sale of personal data or the use of personal data for targeted advertising. These assessments, which must weigh the benefits against the risks to consumers, must be provided to the Washington Attorney General on demand. The law’s consent requirement for processing “sensitive data,” which includes health information, ethnicity, citizenship status and somewhat precise geolocation data (accuracy better than 1,750 feet), has arguably narrower exceptions than the GDPR.
3. Increased Responsibilities for Processors
Under the WPA, processors would be subject to a number of direct responsibilities—including a requirement to maintain “reasonable security procedures and practices” for consumers’ personal data and to ensure that individuals within the company who process personal data are subject to a duty of confidentiality. Processors must also assist controllers with their obligations to consumers, provide controllers with data necessary for controllers to perform their data protection assessment requirements, and allow for periodic audits of processors’ policies and practices. Contracts with processors must contain more provisions than what the CCPA requires. The requirement is closer to that found in the GDPR. Similar to the GDPR, it appears that both controllers and processors would be responsible for having such contracts in place.
4. No Private Right of Action
While the CCPA contains a limited private right of action for certain data breaches, the WPA contains no private right of action. Instead, all suits must be brought by the Washington Attorney General, rather than directly by consumers. Both controllers and processors that are found to have violated a provision of the Act are subject to an injunction or penalties of up to $7,500 per violation.
5. Accountability for Facial Recognition Technology Companies
The WPA significantly increases accountability for companies that provide and use facial recognition services. Notably, under the Act, processors must make the technology available for controllers and third parties to conduct “reasonable” tests for accuracy across different subpopulations, such as those defined by race, skin tone, ethnicity, gender, age, disability status. Where the tests result in a negative outcome—and the processor can confirm the validity of that outcome—the processor must create and implement a plan for addressing the discrepancies. Processors must also provide documentation that explains the “capabilities and limitations” of the service in clear language, and contractually prohibit controllers that engage their services from unlawfully discriminating against individuals through the use of facial recognition technology. Moreover, with the exception of a limited carve-out, controllers must provide a conspicuous notice wherever a facial recognition service is deployed, obtain consent from consumers before placing their image in a database, develop a process through which consumers can correct or challenge their inclusion in a facial recognition database, and conduct periodic employee trainings on facial recognition service operation.
The WPA contains a partial exemption for voluntary facial recognition services that are used to verify an airline passenger’s identity, but it still imposes data retention limits and consent requirements in this airline context that will likely be challenged as preempted by the federal Airline Deregulation Act.
In addition to its comprehensive data protection bill, the Washington state legislature introduced ten other pieces of privacy-related legislation, including a bill that would give individuals a property right in their biometric identifiers, and a bill that would increase oversight into government uses of facial recognition technology and limit use of the technology for certain purposes.
It is currently unclear whether any of Washington’s recently introduced privacy bills will become law. However, despite the uphill battle state legislators often face with privacy legislation, the growing number of recent privacy bills introduced at the state level may galvanize Congress to move faster on federal privacy legislation.