Washington State ‘People’s Privacy Act’ Bill Ups The Ante For Privacy Compliance

Fox Rothschild LLP

"Under no circumstances shall an individual's interaction with a covered entity's product or service when the covered entity has a terms of service or a privacy policy, including the short-form privacy notice, in and of itself constitute freely given, specific, informed, and unambiguous consent" (Section 5(2)(e)).

This statement is not taken from a European Data Protection Board guideline or an enforcement action by the French data protection authority CNIL, but rather from the People's Privacy Act (HB1433), a competing bill to the thrice-revived Washington Privacy Act, submitted by Washington State Rep. Shelley Kloba.

Key Points From the Bill

Scope

  • The act applies to entities that "conduct business in Washington" which "means to produce, solicit, or offer for use or sale any information, product, or service in a manner that intentionally targets, or may reasonably be expected to contact natural persons located in Washington state, whether or not for profit" and that meet an annual revenue of $10 million through 300 or more transactions or process personal information of 1,000 or more individuals in a year.
  • An individual is a person who is a Washington state resident, with the location of a person in Washington state creating a presumption of residency.

Some Game Changers

  • Processing or changing personal information is prohibited without opt-in consent.
  • Duty of reasonable standard of care in using personal information.
  • Notice and opt-in consent requirement for surveillance/monitoring.
  • Private right of action and statutory damages including punitive damages and Attorney General enforcement.

Some 'Upgrades' on CCPA Concepts

  • The definitions of "personal information" and "deidentified" track those of CCPA.
  • Consumer rights: to know, to access information, to correct inaccurate information and to require deletion, but also to refuse nonessential processing of information.
  • Layered approach for notices: The bill requires both short form (not more than 500 words) and long form privacy notices. Disclosure is similar to CCPA but includes retention period and a listing of third parties with whom information is shared, by name.
  • A uniform short form notice and a uniform logo or button are being contemplated.
  • Duty of contractual requirements for data protection downstream plus requirement to exercise reasonable oversight and audits of the data security and processing activities of service providers and third parties with whom information is shared.
  • Obligations re: use of biometric information.
  • Prohibitions on discrimination.
