The Washington state legislature is again trying to pass privacy legislation after an effort to do so last session fell short. If passed, this would constitute the second major privacy and data security bill enacted in the U.S. after the “California Consumer Privacy Act” (CCPA) (AB 375) and the revised bill contains significant differences from California’s now effective privacy regime. The “Washington Privacy Act” (SB 6281) generally provides protections and limits on how the personal data of Washington residents can be collected, processed, and disclosed and would apply to many companies in Washington state or doing business in the state.
Last week, the Senate Environment, Energy & Technology Committee marked up and reported out the “Washington Privacy Act” (here are the links for the hearing agenda, documents, and video). It is unclear whether this effort will succeed; last year’s bill stalled in the legislature largely over provisions on facial recognition technology. Nonetheless, some of the same key stakeholders in the legislature who pushed for privacy and data security legislation are again trying to get a bill enacted even though this year’s legislative session is only 60 days long.
According to the “Bill Report,” SB 6281:
- Provides Washington residents with the consumer personal data rights of access, correction, deletion, data portability, and opt out of the processing of personal data for specified purposes.
- Specifies the thresholds a business must satisfy for the requirements set forth in this act to apply.
- Identifies certain controller responsibilities such as transparency, purpose specification, and data minimization.
- Requires controllers to conduct data protection assessments under certain conditions.
- Authorizes enforcement exclusively by the attorney general.
- Provides a regulatory framework for the commercial use of facial recognition services such as testing, training, and disclosure requirements.
This bill, as currently drafted, would take effect on July 31, 2021, and the intent seems to be that it would become effective 18 months after passage and so this date may be pushed back depending on when it is enacted.
Personal data is defined broadly to include all information that can be linked or can reasonably be linked to a person aside from deidentified data and publicly available information. Undoubtedly, these two exceptions will be interpreted as widely as possible, so they bear further discussion. “Deidentified data” are “data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable natural person, or a device linked to such person, provided that the controller that possesses the data:
(a) Takes reasonable measures to ensure that the data cannot be associated with a natural person;
(b) publicly commits to maintain and use the data only in a deidentified fashion and not attempt to reidentify the data; and
(c) contractually obligates any recipients of the information to comply with all provisions of this subsection.”
These deidentification provisions track with language in other federal and state privacy bills, and the inclusion of inference strengthens the standard entities must meet before data are considered deidentified.
And, “publicly available information” is “information that is lawfully made available from federal, state, or local government records.” Some states allow the sale or accessing of information provided to the agency that licenses drivers and cars, and if Washington is one of these states, some personal information such as height, weight, ethnicity, and other data could be obtained through this exception.
Like most privacy legislation, the bill singles out an even more sensitive set of information. The “Washington Privacy Act” creates a subcategory of personal data, “sensitive data,” which is:
(a) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status;
(b) the processing of genetic or biometric data for the purpose of uniquely identifying a natural person;
(c) the personal data from a known child [defined in the bill as all people 12 years of age and younger]; or
(d) specific geolocation data.
This category of personal data would be subject to extra protection in many but not all instances.
The Washington Privacy Act’s definition of process or processing data is very broad and would cover almost all activities undertaken by an entity manipulating data: “any operation or set of operations which are performed on personal data or on sets of personal data, whether or not by automated means, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.” Therefore, unlike a number of other bills which discuss collection and processing as separate terms, any such references to processing will encompass all the collection activities of entities covered by the bill.
A final definition bears examination. The legislation defines “sale,” “sell,” or “sold” as “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.” The latter phrase is crucial, for many entities do not collect money for disclosing or sharing data but rather receive data or other things of value in return. Consequently, folding into the definition of sale those transactions in which personal data is given to another entity in exchange for something of value would ensure that many data transfers are considered sales. However, a sale would not include the following:
(i) The disclosure of personal data to a processor who processes the personal data on behalf of the controller;
(ii) the disclosure of personal data to a third party with whom the consumer has a direct relationship for purposes of providing a product or service requested by the consumer;
(iii) the disclosure or transfer of personal data to an affiliate of the controller;
(iv) the disclosure of information that the consumer
(A) intentionally made available to the general public via a channel of mass media, and
(B) did not restrict to a specific audience; or
(v) the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.
Obviously exception (iv) would place outside the definition of sell anything a person transmits from a public account on social media such as Twitter, Facebook, and the like.
Like other privacy bills such as the CCPA, data collection and processing related to employment would be exempt. The definition of “consumer” provides for this exemption but seems to go further in stipulating that Washington state residents “acting in a commercial…context” are also outside the scope of the definition. The definition of consumer is used throughout the bill and is the term upon which a number of the rights, protections, and obligations turn. Therefore, these employment and commercial exemptions may become the avenue by which some argue that their data collection and processing activities are outside the scope of some of the bill’s requirements.
Like the General Data Protection Regulation (GDPR), the bill divides those entities covered by its requirements into two groups: controllers and processors. The former are entities that determine the purposes and means of the processing of personal data and the latter are those that process data on behalf of controllers. However, the scope of those controllers and processors subject to the bill hinges on whether the entity has a presence in Washington or is selling products and services to Washington state residents. Moreover, an entity must also satisfy one of two other criteria before it is subject to the law. It must either have collected or processed the personal data of 100,000 or more Washingtonians in a calendar year or earn 50% or more of its gross revenue from selling personal data and also control or process the personal data of 25,000 or more people.
Moreover, the bill makes clear that controllers and processors working together will not automatically be deemed liable for the misdeeds of the other should there be alleged violations of the statute. By the same token, when a controller and processor are “involved in the same processing…in violation of this chapter, the liability must be allocated among the parties according to principles of comparative fault.” Moreover, the bill requires that “[p]rocessing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties.” What’s more, a processor and controller may not be held liable for a third party’s violations in processing personal data sold by one of the former to the latter “provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation.” It bears noting that “actual knowledge” is a higher standard than a should have known or constructive knowledge standard, opening the possibility that some controllers or processors may sell personal data in situations where a reasonable person would have known that violations by a third-party were likely.
However, a number of entities are carved out of the bill’s scope. For example, activities subject to “Health Insurance Portability and Accountability Act” (HIPAA), Gramm-Leach-Bliley, “Fair Credit Reporting Act” (FCRA), or “Family Educational Rights and Privacy Act” (FERPA) regulations are exempted to the extent they are in compliance. However, a closer read of these provisions suggests that just because an entity may be subject to and compliant with these and other federal privacy statutes does not mean all its data collection and processing activities are exempted. Rather, it appears any such activities outside the scope of those laws may be covered by the Washington state privacy and data security statute.
In terms of new responsibilities for covered entities, controllers must draft and make available “reasonably accessible, clear, and meaningful” privacy notices that inform people of
- The categories of personal data processed by the controller;
- The purposes for which the categories of personal data are processed;
- How and where consumers may exercise the rights…including how a consumer may appeal a controller’s action with regard to the consumer’s request;
- The categories of personal data that the controller shares with third parties, if any; and
- The categories of third parties, if any, with whom the controller shares personal data.
Controllers would only be allowed to collect the bare minimum of personal data necessary for processing in light of notice provided to people and the activities the controller is undertaking. Generally, a controller “may not process personal data for purposes that are not reasonably necessary to, or compatible with, the purposes for which such personal data are processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.”
Controllers would be barred from processing personal data in ways that violate federal and Washington state laws prohibiting discrimination. However, controllers may discriminate with respect to “offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offering is in connection with a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.” There are also limits on when and how controllers may sell personal data to third parties (who are defined under the bill to be neither controller, processor, nor a subsidiary of either): such a sale is permitted only if it is clearly disclosed in the privacy notice, is reasonably necessary “to enable the third party to provide a benefit to which the consumer is entitled,” and “the third party uses the personal data only for purposes of facilitating such benefit to which the consumer is entitled and does not retain or otherwise use or disclose the personal data for any other purpose.”
And yet, controllers “may not process sensitive data concerning a consumer without obtaining the consumer’s consent, or, in the case of the processing of personal data concerning a known child, without obtaining consent from the child’s parent or lawful guardian, in accordance with the children’s online privacy protection act requirements.” As noted earlier, sensitive data include information indicating the race, national origin, sexual orientation, biometric data, and specific geolocation data. And while controllers and processors may not process in ways that violate federal and state law prohibiting discrimination, once consent is fairly obtained from a Washington state resident, they may process in virtually any way short of discrimination.
Finally, people cannot be forced to waive their rights. The Washington Privacy Act makes clear that “[a]ny provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer’s rights under this chapter shall be deemed contrary to public policy and shall be void and unenforceable.”
As noted, like many privacy bills, there are myriad exceptions to the obligations placed on controllers and processors which do not block either’s ability to:
- Comply with federal, state, or local laws, rules, or regulations;
- Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
- Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations;
- Investigate, establish, exercise, prepare for, or defend legal claims;
- Provide a product or service specifically requested by a consumer, perform a contract to which the consumer is a party, or take steps at the request of the consumer prior to entering into a contract;
- Protect the vital interests of the consumer or of another natural person; or
- Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action.
There are additional carve-outs to the standards controllers and processors must meet under the Washington Privacy Act with respect to their “ability to collect, use, or retain data,” including
- Conducting internal research to improve, repair, or develop products, services, or technology;
- Identifying and repairing technical errors that impair existing or intended functionality; or
- Performing internal operations that are reasonably aligned with the expectations of the consumer based on the consumer’s existing relationship with the controller, or are otherwise compatible with processing in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.
Such exemptions may result in the acquisition and processing of personal data against the wishes of people in a number of circumstances, given how expansive the conditions are under which the normal obligations do not apply.
Nonetheless, the legislature included language to limit processing under an exception and the controller bears the burden of demonstrating that the processing fits an exception.
Moreover, “[c]ontrollers must conduct and document a data protection assessment of each of the following processing activities involving personal data:
- The processing of personal data for purposes of targeted advertising;
- The sale of personal data;
- The processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk of:
  - (i) Unfair or deceptive treatment of, or disparate impact on, consumers;
  - (ii) financial, physical, or reputational injury to consumers;
  - (iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or
  - (iv) other substantial injury to consumers;
- The processing of sensitive data; and
- Any processing activities involving personal data that present a heightened risk of harm to consumers.”
Controllers would have to keep these on file and then turn them over to the attorney general if requested during an investigation.
Under the “Washington Privacy Act” consumers would be given a number of rights they could exercise by contacting controllers who hold their personal data:
(1) Right of access. A consumer has the right to confirm whether or not a controller is processing personal data concerning the consumer and access such personal data.
(2) Right to correction. A consumer has the right to correct inaccurate personal data concerning the consumer, taking into account the nature of the personal data and the purposes of the processing of the personal data.
(3) Right to deletion. A consumer has the right to delete personal data concerning the consumer.
(4) Right to data portability. When exercising the right to access personal data pursuant to…a consumer has the right to obtain personal data concerning the consumer, which the consumer previously provided to the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.
(5) Right to opt out. A consumer has the right to opt out of the processing of personal data concerning such consumer for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer.
The last right bears further elucidation on account of the use of a key phrase: “decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer.” The bill defines this to mean “decisions that include, but are not limited to, the denial of consequential services or support, such as financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, and access to basic necessities, such as food and water.” These provisions would seem to be aimed at practices deemed “digital redlining” by the Obama Administration, a term used to describe practices or policies that would use data collected and processed to discriminate against people on the basis of real or perceived characteristics. Consequently, if an insurance company is processing the personal data of Washington state residents and on the basis of this processing is offering different rates to similarly situated people, a person could opt out of the processing up front, presumably because the controller disclosed these practices in its privacy notice.
Controllers must respond to the individual on the action taken regarding the request within 45 days but they may delay responding for an additional 45 days where “reasonably necessary.” There is to be an internal appeals process at the controller for requests that are denied and at a certain point in that process the individual or the controller may inform the state attorney general’s office.
However, as with many of the federal privacy bills, there are a number of circumstances under which these, and other consumer rights, do not have to be respected, including but not limited to complying with federal or state law or a government inquiry, protecting the “vital interest” of a person, protecting against fraud or theft and a range of other crimes, and other stated reasons or purposes.
Like an increasing number of federal privacy bills, there are provisions requiring controllers and processors to implement and maintain data security for the personal data being held. Controllers “shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such data security practices shall be appropriate to the volume and nature of the personal data at issue.” Likewise, processors would need to “[i]mplement and maintain reasonable security procedures and practices to protect personal data, taking into account the context in which the personal data are to be processed.” Additionally, processors must “[e]nsure that each person processing the personal data is subject to a duty of confidentiality with respect to the data.”
The Washington attorney general alone would be able to enforce the “Washington Privacy Act” as there is no private right of action in the bill for privacy violations and the legislature goes even further to stipulate there is no right to sue for violations under any Washington state law. The attorney general may seek injunctions and civil penalties of up to $7,500 per violation with no limit on the size of a total fine. As with all of the privacy and data security bills, enforcement will drive much of the actions taken by entities subject to the new statute.
While Washington state is not among the most populous states and theoretically the impact of any privacy law would be limited, it is the home of corporate headquarters for both Microsoft and Amazon. Hence, these, and other firms, may decide to adhere to these standards with respect to the privacy of people throughout the U.S. However, this new regulatory structure for privacy would be inconsistent with California’s, requiring entities subject to both states’ laws to navigate the different standards. Possibly, passage of a second major privacy statute could provide further impetus to Congress to act on privacy legislation that creates a national approach. Moreover, passage of a privacy law in Washington may affect the positions of Washington state lawmakers in the capital, particularly two key stakeholders: Senator Maria Cantwell (D-WA) and Representative Cathy McMorris Rodgers (R-WA), who are the ranking members of the Senate Commerce Committee and the House Energy and Commerce Committee’s Consumer Protection and Commerce Subcommittee respectively. Both are involved in drafting their committees’ privacy bills, and a Washington state statute may affect their positions in much the same way the CCPA has informed a number of California Members’ positions on privacy legislation, especially with respect to bills being seen as weaker than the CCPA.
As noted earlier, the bill also addresses facial recognition technology, a policy area not usually joined to privacy legislation, and sets limits on the use of this new technology. The “Washington Privacy Act” defines “facial recognition service” as “technology that analyzes facial features and is used for the identification, verification, or persistent tracking of consumers in still or video images.” Processors that provide these technologies must also make available an application programming interface that would allow researchers to independently access and determine whether the facial recognition technology in question is accurate and fair. Processors must mitigate any negative results. Additionally, “[c]ontrollers must provide a conspicuous and contextually appropriate notice whenever a facial recognition service is deployed in a physical premise open to the public.” Controllers also “must obtain consent from a consumer prior to enrolling an image of that consumer in a facial recognition service used in a physical premise open to the public” except if “for a security or safety purpose.” Additionally, “[c]ontrollers using a facial recognition service to make decisions that produce legal effects on consumers or similarly significant effects on consumers must ensure that those decisions are subject to meaningful human review.”