Keypoint: Washington lawmakers will be filing the 2020 version of the Washington Privacy Act on Monday, January 13, 2020.

Those who follow privacy law will remember that last year Washington state came close to becoming the second state (after California) to enact consumer privacy legislation. That legislation – called the Washington Privacy Act (WPA) – overwhelmingly passed the state senate but failed in the house, in part, based on disagreements as to how the statute would be enforced and its facial recognition provisions. The bill’s proponents; however, vowed to push the legislation again in 2020.

On Friday, January 10, 2020, the Washington Senate Democratic Caucus publicly released the 2020 version of the WPA. The release came in advance of the opening of the Washington legislature on Monday, January 13, 2020. The bill’s sponsors also will be holding a press conference on January 13, 2020, to discuss the bill.

Below is our analysis of the 2020 version of the WPA.

To Whom Does it Apply?

Washington residents, but not when “acting in a commercial or employment context.”

What Entities are Covered?

Legal entities that conduct business in Washington or produce products or services that are targeted to Washington residents and that satisfy at least one of the following thresholds: (a) control or process personal data of 100,000 or more Washington residents or (b) derive over 50% of their gross revenue from the sale of personal data and process or control personal data of 25,000 or more Washington residents.

The statute would not apply to state and local governments or municipal corporations. It also would not apply to information that is protected under other statutes such as personal health information protected by HIPAA, certain information covered by the FCRA, and personal data collected, processed, sold, or disclosed pursuant to the GLBA.

What Information is Covered?

“Personal data,” which is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” Personal data does not include deidentified or publicly available information. The definition is similar to the GDPR’s definition of personal data and stands in contrast to the CCPA’s definition of “personal information,” which lists each category of personal information to which it applies.

Similar to GDPR, the WPA creates a “sensitive data” subset of personal data, which is defined as “(a) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status; (b) the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; (c) the personal data from a known child; or (d) specific geolocation data.”

What Rights are Created?

The WPA would create the following rights:

• Right of access. Consumers would have the right to confirm whether or not a controller is processing personal data concerning them and access such personal data.
• Right to correction. Consumers would have the right to correct inaccurate personal data concerning them.
• Right to deletion. Consumers would have the right to delete their personal data.
• Right to data portability. When exercising the right to access personal data, consumers would have the right to obtain personal data concerning them in a portable and, to the extent technically feasible, readily usable format.
• Right to opt out. Consumers would have the right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer.

Controllers also would not be permitted to process sensitive data without obtaining the consumer’s consent, or, in the case of the processing of personal data concerning a known child, without obtaining consent from the child’s parent or lawful guardian.

Would Companies Need to Update their Online Privacy Policies?

Yes. The WPA would require controllers to provide a privacy notice that identifies:

• The categories of personal data processed by the controller;
• The purposes for which the categories of personal data are processed;
• How and where consumers may exercise their rights, including how a consumer may appeal a controller’s action with regard to the consumer’s request;
• The categories of personal data that the controller shares with third parties, if any; and
• The categories of third parties, if any, with whom the controller shares personal data.

If a controller sells personal data to third parties or processes personal data for targeted advertising, it would need to disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing.

How Would it be Enforced?

The Washington attorney general would have exclusive authority to enforce the WPA and could seek a civil penalty of up to $7,500 for each violation.

Would it Create a Private Right of Action?

No.

Does it Create Third-Party Transfer Obligations?

Yes. The processing of information by a processor must be controlled by a contract between the controller and processor. That contract must contain certain provisions regarding information security, confidentiality and proper use of the data. Those familiar with the GDPR’s Article 28 requirements will recognize many of the required provisions.

When Would it be Effective?

July 31, 2021

Anything Else?

The WPA would require controllers to conduct data protection assessments of each of their processing activities involving personal data.

In addition to Washington, consumer privacy bills already have been filed in Virginia, Illinois, New Hampshire and Hawaii. We will be providing an analysis of those bills over the coming days.