A Washington State Privacy Bill…Rises From The Dead

One of the sponsors of a privacy bill that died earlier this year has reintroduced a modified version with new language in the hopes of passing the bill next year.

Washington State Senator Reuven Carlyle (D-Seattle) has floated a new draft of privacy legislation in the hopes it will pass after forerunner bills died in the last two legislative sessions. Carlyle has made a number of changes in the “Washington Privacy Act 2021” documented in this chart showing the differences between the new bill, the last version of the bill passed by the Washington State Senate last year, the “California Consumer Privacy Act” (CCPA) (AB 375), and the “California Privacy Rights Act” (CPRA) (aka Proposition 24) on this year’s ballot. But in the main, the bill tracks closely with the two bills produced by the Washington Senate and House last year that lawmakers could not ultimately reconcile. However, there are no provisions on facial recognition technology, which was largely responsible for sinking a privacy bill in Washington State two years ago. Carlyle has taken the unusual step of appending language covering the collection and processing of personal data to combat infectious diseases like COVID-19.

Big picture, the bill still uses the concepts of data controllers and processors most famously enshrined in the European Union’s (EU) General Data Protection Regulation (GDPR). Like other privacy bills, generally, people in Washington State would not need to consent before an entity could collect and process their information. People would be able to opt out of some activities, but most data collection and processing could still occur as it presently does.

Washingtonians would be able to access, correct, delete, and port their personal data. Moreover, people would be able to opt out of certain data processing: “for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer.” Controllers must provide at least two secure and reliable means by which people could exercise these rights and may not require the creation of a new account. Rather, a controller can require a person to use an existing account to exercise her rights.

Controllers must act on the request within 45 days and are allowed one 45-day extension “where reasonably necessary, taking into account the complexity and number of the requests.” It is not clear what would justify a 45-day extension except for numerous, complex requests, but in any event, the requester must be informed of an extension. Moreover, if a controller decides not to comply with the request, it must, within 45 days, let the person know the reasons for noncompliance and how an appeal may be filed. People would be permitted two free requests a year (although nothing stops a controller from meeting additional requests for free), and controllers may charge thereafter to cover reasonable costs and to deal with repetitive requests. Controllers may also simply deny repetitive requests, and they may deny requests they cannot authenticate. In the event of the latter, a controller may ask for more information so the person can prove his identity but is not required to.

Each controller would need to establish an internal appeals process for people to use if their request to exercise a right is denied. There is a specified timeline, and, at the end of this process, if a person is unhappy with the decision, the controller must offer to turn the matter over to the Office of the Attorney General of Washington for adjudication.

Like last year’s bills, this draft makes clear the differentiated roles of controllers and processors in the data ecosystem regulated by Washington State. Processors must follow a controller’s instructions and have an obligation to help the controller comply with the act. These obligations must be set out in a contract between each controller and processor “that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties.” Additionally, who is a controller and who is a processor will necessarily be a fact-driven analysis, and it is possible for one entity to be both depending on the circumstances.

Notably, processors must help controllers respond to requests from people exercising their rights, secure personal data, and assist in complying with Washington State’s data breach protocol if a breach occurs. Processors must implement and use security commensurate to the personal data they are holding and processing.

Controllers are obligated to furnish privacy policies to people that must include the categories of personal data processed, the purposes for any processing, the categories of personal data shared with third parties, and the categories of third parties with whom sharing occurs. Moreover, if a controller sells personal data for targeted advertising, a controller has a special obligation to make people aware on a continuing basis, including their right to opt out if they choose. Data collection is limited to what is reasonably necessary for the disclosed purposes of the data processing. And yet, a controller may ask for and obtain consent to process for purposes beyond those reasonably necessary to effectuate the original purposes disclosed to the person. Controllers would also need to minimize the personal data they have on hand.

Controllers must “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data…[that] shall be appropriate to the volume and nature of the personal data at issue.” Controllers would not be allowed to process personal data in a way that would violate discrimination laws. And so, controllers may not “process personal data on the basis of a consumer’s or a class of consumers’ actual or perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, lawful source of income, or disability, in a manner that unlawfully discriminates against the consumer or class of consumers with respect to the offering or provision of (a) housing, (b) employment, (c) credit, (d) education, or (e) the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation.” Controllers could not retaliate against people who exercise any of their rights to access, correct, delete, or port their personal data through offering differently priced or quality products or services. And yet, controllers may offer different prices and services as part of a loyalty program that is voluntary for people to join and may share personal data with third parties for reasons limited to the loyalty program.

Regarding another subset of personal data, consent will be needed before processing can occur. This subset is “sensitive data,” which is defined as “(a) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status; (b) the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; (c) the personal data from a known child; or (d) specific geolocation data.”

The bill also bars a person from waiving his or her rights under any type of agreement, and any such waiver will be null and void for reasons of public policy.

Controllers would not need to reidentify deidentified personal data to respond to a request from a person. However, the way this section is written gives rise to questions about the drafter’s intentions. The section would not require controllers to respond to requests from people to access, correct, delete or port personal data if the “controller is not reasonably capable of associating the request with the personal data, or…it would be unreasonably burdensome for the controller to associate the request with the personal data” if other conditions are true as well. Given that this provision comes right after the language on reidentifying deidentified data, it seems like the aforementioned language would apply to other personal data. And so, some controllers could respond to a request by arguing they cannot associate the request or it would be unduly burdensome. Perhaps this is not what the drafters intend, but this could become a route whereby controllers deny legitimate requests.

This section of the bill also makes clear that people will not be able to exercise their rights of access, correction, deletion, or porting if the personal data are “pseudonymous data.” This term is defined as “personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.” This is a concept that would seem to encourage controllers and processors to store data in a state that would strip identifiers from the personal data in order for them not to have to incur the cost and time of responding to requests. It bears noting that the concept and definition appear heavily influenced by the GDPR, which provides:

‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person

Data protection assessments will be necessary for a subset of processing activities: targeted advertising, selling personal data, processing sensitive data, any processing of personal data that presents “a heightened risk of harm to consumers” and another case that requires explanation. This last category is for those controllers who are profiling such that a reasonably foreseeable risk is presented of:

  • “Unfair or deceptive treatment of, or disparate impact on, consumers;
  • financial, physical, or reputational injury to consumers;
  • a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or
  • other substantial injury to consumers.”

These “data protection assessments must take into account the type of personal data to be processed by the controller, including the extent to which the personal data are sensitive data, and the context in which the personal data are to be processed.” Moreover, data protection assessments “must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks.” Moreover, the bill stipulates “[t]he use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller.” And, crucially, controllers must provide data protection assessments to the Washington Attorney General upon request, meaning they could inform an enforcement action or investigation.

Section 110 of the “Washington Privacy Act 2021” lays out the reasons one usually finds in privacy bills as to the circumstances when controllers and processors are not bound by the act, including but not limited to:

  • Comply with federal, state, or local laws, rules, or regulations;
  • Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
  • Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations;
  • Provide a product or service specifically requested by a consumer, perform a contract to which the consumer is a party, or take steps at the request of the consumer prior to entering into a contract;
  • Take immediate steps to protect an interest that is essential for the life of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis;
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action;

Moreover, the act does “not restrict a controller’s or processor’s ability to collect, use, or retain data to:

  • Conduct internal research solely to improve or repair products, services, or technology;
  • Identify and repair technical errors that impair existing or intended functionality; or
  • Perform solely internal operations that are reasonably aligned with the expectations of the consumer based on the consumer’s existing relationship with the controller, or are otherwise compatible with processing in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.”

It seems reasonable to expect controllers and processors to try and read these provisions as liberally as they can in order to escape or circumvent the obligations of the act. I do not level this claim as a criticism; rather, it is what will undoubtedly occur if a regulated entity has halfway decent legal counsel.

One also finds legal liability for controllers that was in last year’s bill, too. The act makes clear that controllers cannot be liable for a processor’s violation if “at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation.” Consequently, even if a reasonable person could foresee that a processor would likely violate the act, unless the controller actually knows a violation is imminent, then the controller cannot be held liable. This structuring of the legal liability will likely result in controllers claiming they did not know of processors’ violations and create a disincentive for controllers to press processors to comply with the statutory and contractual requirements binding both.

The bill reiterates:

Personal data that are processed by a controller pursuant to [any of the aforementioned carveouts in Section 110] must not be processed for any purpose other than those expressly listed in this section. Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that such processing is:

(i) Necessary, reasonable, and proportionate to the purposes listed in this section; and

(ii) adequate, relevant, and limited to what is necessary in relation to the specific purpose or purposes listed in this section.

Finally, controllers bear the burden of making the case that the exception being used complies with this section. This would serve to check a regulated entity’s inclination to read terms and requirements as generously as possible for them and their conduct.

The bill would not create a new right for people to sue, but if there are existing grounds a person uses to sue (e.g. product liability, tort, contract law, etc.) and wins, the liability would be distributed between a controller and processor according to their liability.

In terms of enforcement by the Attorney General, violations of this act are treated as violations of the Washington State Consumer Protection Act, and violations are considered violations of the ban on unfair and deceptive practices with civil liability as high as $7,500 per violation. However, the Attorney General must first “provide a controller thirty days’ written notice identifying the specific provisions of this title the Attorney General, on behalf of a consumer, alleges have been or are being violated.” If a cure is effected, then the Attorney General may not seek monetary damages. But if a cure is not, then the Attorney General may take the matter to court.

The act preempts all county, city, and local data processing laws.

There is new language in the bill pertaining to public health emergencies, privacy, and contact tracing. However, the provisions are divided between two different titles with one controlling private sector entities and the other public sector entities. Incidentally, at the federal level, privacy bills have not tended to include provisions to address public health emergencies and instead standalone bills have been drafted and introduced.

In regard to private sector entities, controllers and processors would not be able to process “covered data” for a “covered purpose” which relates to the symptoms of infectious diseases and tracking their spread, unless certain conditions are met. For example, these entities would need to make available a privacy policy and people must consent to such processing. Additionally, controllers and processors would not be able to disclose “any covered data processed for a covered purpose” to any law enforcement agency in the U.S., sell “any covered data processed for a covered purpose,” or “[s]hare any covered data processed for a covered purpose with another controller, processor, or third party unless such sharing is governed by contract” according to the terms laid out in this section and disclosed to the person per the privacy policy that must be disclosed. However, private sector entities could disclose covered data processed for a covered purpose to federal, state, and local agencies pursuant to laws permitting such disclosure. So, this would likely be under public health or emergency laws.

This section of the bill defines “covered purpose” as

processing of covered data concerning a consumer for the purposes of detecting symptoms of an infectious disease, enabling the tracking of a consumer’s contacts with other consumers, or with specific locations to identify in an automated fashion whom consumers have come into contact with, or digitally notifying, in an automated manner, a consumer who may have become exposed to an infectious disease, or other similar purposes directly related to a state of emergency declared by the governor pursuant to RCW 43.06.010 and any restrictions imposed under the state of emergency declared by the governor pursuant to RCW 43.06.200 through 43.06.270.

There is a section that seems redundant. This provision establishes the right of a person to opt out of processing her covered data for a covered purpose, but the previous section makes clear a person’s covered data may not be processed without her consent. Nonetheless, a person may determine whether his covered data is being processed, request a correction of inaccurate information, and request the deletion of “covered data.” The provisions on how controllers are required to respond to and process such requests are virtually identical to those established for the exercise of the rights to access, correct, delete, and port in the bill.

The relationship and responsibilities between controllers and processors track very closely to those imposed for normal data processing.

Controllers would need to make available privacy policies specific to processing covered data. The bill provides:

Controllers that process covered data for a covered purpose must provide consumers with a clear and conspicuous privacy notice that includes, at a minimum:

  • How a consumer may exercise the rights contained in section 203 of this act, including how a consumer may appeal a controller’s action with regard to the consumer’s request;
  • The categories of covered data processed by the controller;
  • The purposes for which the categories of covered data are processed;
  • The categories of covered data that the controller shares with third parties, if any; and
  • The categories of third parties, if any, with whom the controller shares covered data.

Controllers would also need to limit collection of covered data to what is reasonably necessary for processing and minimize collection. Moreover, controllers may not process covered data in ways that exceed what is reasonably necessary for covered purposes unless consent is obtained from each person. But then the bill further limits what processing of covered data is permissible by stating that controllers cannot “process covered data or deidentified data that was processed for a covered purpose for purposes of marketing, developing new products or services, or engaging in commercial product or market research.” Consequently, other processing purposes would be permissible provided consent has been obtained. And so, a covered entity might process covered data to improve the current means of collecting covered data for the covered purpose.

There is no right to sue entities for violating this section, but it appears controllers may bear more legal responsibility for the violations of their processors regarding covered data. Moreover, the enforcement language is virtually identical to the earlier provisions in the bill as to how the Attorney General may punish violators.

The bill’s third section would regulate the collection and processing of covered data for covered purposes by public sector entities, and for purposes of this section controllers are defined as “local government, state agency, or institutions of higher education which, alone or jointly with others, determines the purposes and means of the processing of covered data.” This section is virtually identical to the second section with the caveat that people would not be given the right to determine if their covered data has been collected and processed for a covered purpose, to request a correction of covered data, and to ask that such data be deleted. Also, a person could not ask to opt out of collection.

Finally, two of the Congressional stakeholders on privacy and data security hail from Washington state, and consideration and possible passage of a state law may limit their latitude on a federal bill they could support. Senator Maria Cantwell (D-WA) and Representative Cathy McMorris Rodgers (R-WA), who are the ranking members of the Senate Commerce, Science, and Transportation Committee and House Energy and Commerce’s Consumer Protection and Commerce Subcommittee respectively, are involved in drafting their committees’ privacy bills, and a Washington state statute may affect their positions in much the same way the “California Consumer Privacy Act” (CCPA) (AB 375) has informed a number of California Members’ positions on privacy legislation, especially with respect to bills being seen as weaker than the CCPA.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo Credit: Ally Laws on Pixabay
