Washington Senate Passes Comprehensive Data Privacy Law
V&E Cybersecurity and Data Privacy Insights, March 14, 2019
On March 6, 2019, the Washington State Senate passed Senate Bill No. 5376, the Washington Privacy Act (“WPA”). Citing the rapid growth in the volume and variety of personal data being generated, collected, stored, and analyzed, as well as the recently effective EU General Data Protection Regulation (“GDPR”), the Washington State Senate voted to enact significant obligations and restrictions on certain businesses that handle the personal data of Washington residents or use facial recognition technology.
Obligations Under the WPA
The WPA borrows the controller-processor designations from the GDPR and identifies obligations for each role. A “controller” determines the purposes and means of the processing of personal data, whereas a “processor” collects, uses, stores, discloses, analyzes, deletes, or modifies personal data on behalf of the controller.
If signed into law, the WPA would require controllers to facilitate verified requests to:
- confirm if a consumer’s personal data is being processed and provide access to such personal data;
- correct inaccurate consumer personal data;
- delete the consumer’s personal data if no exceptions apply;
- restrict the purposes for which personal data is processed; and
- provide consumers with their personal data in a portable format.
The WPA also imposes additional restrictions on certain uses of facial recognition technology. Processors that provide facial recognition services must contractually prohibit controllers from using such services to unlawfully discriminate against individuals or groups of consumers. In addition, controllers must obtain consumer consent prior to deploying facial recognition technology in physical premises open to the public. If a controller posts conspicuous notices in these physical premises, then consent may be implied.
Applicability and Enforcement
The WPA would apply to entities that conduct business in Washington or produce products or services that are intentionally targeted to residents of Washington, and either:
- process or control the personal data of at least 100,000 Washington consumers; or
- derive fifty percent of their gross revenue from the sale of personal data, and process or control the personal data of at least 25,000 Washington consumers.
“Personal data” means any information relating to an identified or identifiable natural person, except for deidentified data and publicly available information from federal, state, or local government records. And, similar to the California Consumer Privacy Act (“CCPA”), a “consumer” under the WPA includes a natural person that is a resident of the state. But, unlike the CCPA, the WPA expressly excludes natural persons acting in a commercial or employment context.
As for enforcement, the Washington Attorney General would have the power to enforce the WPA and obtain up to $2,500 for each violation or $7,500 for each intentional violation. There is currently no private right of action.
What This Means For You
The WPA is now pending before the Washington House of Representatives. If the bill is signed into law, Washington will be the first state to adopt comprehensive privacy legislation after last year’s enactment of the CCPA. Several other states are currently considering comprehensive privacy legislation of their own, while Congress is considering a comprehensive federal privacy law. Whether the next comprehensive privacy law passes at the state or federal level, companies should stay informed of these legislative developments and adjust their compliance strategies accordingly.
The Washington State Legislature ended its regular session on April 28, 2019 without passing the WPA. Although the Washington Senate passed the bill in a near-unanimous vote, the Washington House of Representatives failed to vote on the bill prior to its deadline for non-budgetary legislation. Key contentions reportedly included the lack of a private right of action and the scope of restrictions for the use of facial recognition technology. One of the bill’s sponsors, Senator Reuven Carlyle, indicated that that legislators would try again in 2020.
V&E regularly assists companies in implementing programs for compliance with the GDPR and the CCPA, including information regarding data inventories, privacy notices, and responses to data access requests. If you have any questions or would like to discuss these matters in more detail, please contact V&E attorneys, Devika Kornbacher, Ben Cukerbaum, or Larry Huang.