It’s been a turbulent journey for the Washington Privacy Act (WPA). When initially proposed in 2019, the legislation seemed like Washington’s answer to the California Consumer Privacy Act (CCPA), establishing a stricter approach to state-level data privacy.
However, the bill narrowly failed to pass in 2019 and met the same fate when reworked in 2020. Though the bill was bipartisan, disagreements over enforcement mechanisms and a private right of action held it back.
Upon its second failure, state legislators stressed that the dream wasn’t dead. In a statement, representative Norma Smith promised “a better bill…that will truly empower consumers in a big data economy.”
Now, at the start of 2021, that bill has arrived. If passed, it will take effect on July 31, 2022, about a year before the California Privacy Rights Act (CPRA) becomes enforceable. Here's what you need to know about the third version of the WPA.
New Rights for Washington Residents
The big thing on the agenda is the creation of specific data rights for Washington consumers, bringing the state closer to the standard set by California. The bill notably includes the right to data portability, which means organizations must provide personal data to subjects in a usable format that they can reuse for their own purposes. Note, however, that this version of WPA only includes a private right of action for violations related to public health emergencies, meaning consumers can't seek damages themselves if their personal data is improperly used in other cases.
Under WPA, organizations are obligated to correct and delete personal data at a consumer's request. Consumers have the right to know whether their personal data is being processed, and organizations are required to be transparent about what categories of data they collect.
All the aforementioned requests must be processed within 45 days.
More Transparency for Consumers
One of WPA’s priorities is increased transparency from data controllers. To attain this, controllers will be required to issue a readable and accessible privacy notice informing consumers of how their data will be used. This includes information on the purposes of processing, the categories of data processed, and who the data is shared with.
The notice must also explain what rights consumers have and how they can exercise them. If the data is sold for profit or used for profiling, this must be stated explicitly in the notice.
Consent Isn’t Always Necessary
Consent is not a prerequisite for most data activity under WPA. Instead, the onus would be on consumers to opt out of data collection. However, this right only applies if the data is used for targeted advertising or profiling decisions, or if it is sold to third parties. In other cases, consumers have little say over what happens to their data. Controllers will have 15 days to process opt-out requests.
However, consent is mandatory in cases involving sensitive personal data. This encompasses data revealing the subject's race, ethnicity, religious beliefs, health conditions, sexual orientation, location, citizenship, or immigration status. Genetic or biometric data processed for the purpose of identifying the subject (such as fingerprints or face scans) is also classified as sensitive. The same restrictions apply to any personal data of a child.
Organizations must obtain consent in circumstances where data activity differs from the purposes listed in the privacy notice. However, for all other data activity that doesn’t involve sensitive personal data, transparency in the privacy notice is sufficient for the activity to proceed, unless the consumer opts out.
New Rules for Data Processors and Controllers
Under WPA, the relationship between data controllers and third-party processors will be more stringently regulated. To do business with a controller, a processor would have to enter into a binding written agreement with the controller that describes the types of data processed, the purpose and duration of the processing, and other obligations. This includes safeguards ensuring a level of security appropriate to the risk of the processing.
This would remove processors' ability to engage sub-processors without the controller's approval. Additionally, processors would be subject to audits and inspections by the controller.
Controllers are also obliged to conduct data protection assessments for any processing that poses a heightened risk of harm to consumers, as well as for processing of sensitive data and for data used for profiling, targeted advertising, or sale.
These assessments must weigh the benefits of the processing against the risks to consumers. If the risk is substantial, the assessment must detail the safeguards in place to mitigate or reduce the potential harm. The assessments must be made available to the Attorney General upon request.
Will This Apply to Me?
As expected, WPA will apply to organizations that conduct business in Washington. Additionally, any company that targets its products or services to Washington residents will be covered if it processes the personal data of over 100,000 Washington residents annually. That threshold falls to 25,000 for companies that derive over 25 percent of their revenue from selling personal data.
Like CCPA, personal data is defined as data from which a subject's identity can reasonably be discerned, meaning de-identified data is out of scope. Certain state agencies will not be subject to the regulations, and the law does not apply to data already regulated under other laws, such as the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA).
Though the private right of action would be limited, the WPA would grant the Attorney General power to conduct investigations, impose penalties, and take preventative measures against future violations. The nature of such enforcement activity, as well as the size of the penalties, is left ambiguous. By contrast, CPRA will create a dedicated state enforcement agency to pursue violations more effectively.
This ambiguity is unsurprising given how divisive enforcement was in past iterations of the bill. Analysts are saying that without a private right of action, it's unclear what, if anything, companies have to lose by violating consumer privacy rights under WPA.