Facing the end of its legislative session, Washington State House lawmakers alter a bill that passed the Senate. It is not clear if these changes will be acceptable.
The Washington State House of Representatives has moved the “Washington Privacy Act” (SB 5062) through two committees, changing the bill in ways that may make it unacceptable to the Senate. The bill is poised to move through a third committee and then quite possibly to the floor of the House where it may be changed even more. However, there is a deadline of 11 April for the House to pass a bill, and if the House does so, the legislature has until 25 April to enact a final bill.
Is the third year the charm? Will Washington join California and Virginia in enacting data privacy laws?
Cocktail Party
Beyond whether Washington state enacts a data privacy law, one must also consider how each additional state legislating on privacy changes the calculus in Congress. Will a third privacy regime, one admittedly less onerous to industry than the two California bills (i.e. the “California Consumer Privacy Act” (CCPA) (AB 375) and the “California Privacy Rights Act” (CPRA) (Proposition 24)), prompt Democratic and Republican stakeholders to reach agreement on the remaining issues blocking privacy legislation? Will the Democrats in Olympia fail to come to agreement again this year?
Meeting
The House Civil Rights & Judiciary Committee held a pair of hearings (here and here) on SB 5062 after the Senate passed the bill, the latter of which included changing the bill. Thereafter, the House Rules and Appropriations Committees held hearings (the latter being here), with the latter reporting out the bill. The bill was modified in the House Civil Rights & Judiciary Committee, and the other committees have thus far signed off on those changes. Notably, Washington residents would be able to sue for privacy violations, but only for injunctive relief and not for civil penalties. This limited private right to sue could possibly serve as a model for federal legislation, since a private right of action has long been favored by most Democrats and opposed by most Republicans, and this version would likely shield companies from large class actions seeking millions of dollars in damages. There are other tweaks that are likely disfavored by industry, such as expanding the right of access to include the actual personal data a controller holds as opposed to categories of personal data.
Finally, two of the Congressional stakeholders on privacy and data security hail from Washington state, and consideration and possible passage of a state law may limit their latitude on a federal bill they could support. Senator Maria Cantwell (D-WA) and Representative Cathy McMorris Rodgers (R-WA), who are the chair of the Senate Commerce, Science, and Transportation Committee and the ranking member of the House Energy and Commerce Committee respectively, are expected to be involved in drafting their committees’ privacy bills, and a Washington state statute may affect their positions in much the same way as the CCPA and CPRA have informed a number of California Members’ positions on privacy legislation, especially with respect to bills being seen as weaker than California’s privacy regime.
Geek Out
On 3 March, the Washington State Senate passed the “Washington Privacy Act” (SB 5062) by a 48-1 vote. SB 5062 tracks closely with the two bills produced by the Washington Senate and House last year that lawmakers could not ultimately reconcile. However, there are no provisions on facial recognition technology, which was largely responsible for sinking a privacy bill in Washington State two years ago (see here for analysis). However, there is a rival bill in the House, perhaps the first among others: the “People’s Privacy Act” (HB 1433), which is among the strongest privacy bills introduced in the United States (U.S.) (see here for more analysis). Getting to agreement on privacy legislation in Washington will likely not prove easy.
Nonetheless, the bill as passed differs in a few ways from the legislation introduced. First, the passed bill carves out the state’s judicial branch and airlines. Second, it is made clear that controllers and processors are responsible only for the responsibilities the bill assigns them, suggesting there was concern that some ambiguities may have made controllers responsible for obligations processors are to meet and/or vice versa. Thirdly, the language barring the sale of personal information to third parties under loyalty and rewards programs was weakened. Previously, these sales could not occur unless three conditions were met; in the revised bill, controllers still cannot sell a person’s information unless the three conditions are met and the person has exercised her right to opt out of the sale of her information. Fourth, the Joint Legislative Audit and Review Committee (a body consisting of four Representatives and four Senators) “must review the efficacy of the attorney general providing controllers and processors with warning letters and 30 days to cure alleged violations in the warning letters…and report its findings to the governor and the appropriate committees of the legislature” by 1 December 2025.
As mentioned, the House Civil Rights & Judiciary Committee took up the second substitute of SB 5062 and made changes. At the end of the bill as modified by the House Civil Rights & Judiciary Committee, an accurate summary of the changes in the bill is provided:
EFFECT: Makes the following changes in Part I of the bill relating to consumer personal data privacy:
(1) Modifies the definition of “deidentified data” to require that controllers take reasonable measures to ensure that the data cannot be associated not only with a natural person, but also with a household or device.
(2) Specifies that personal data includes pseudonymous data.
(3) Adds the definition of “minor” to mean an individual who is at least 13 and under 16 years of age under circumstances where a controller has actual knowledge of, or willfully disregards, the minor’s age.
(4) Modifies the definition of “targeted advertising” to mean displaying advertisements selected on the basis of a consumer’s activities across one or more distinctly branded websites, rather than across nonaffiliated websites. Specifies that targeted advertising does not include advertising based on activities within a controller’s own commonly branded websites, rather than a controller’s own websites.
(5) Exempts from the bill nonprofit organizations that are registered with the Secretary of State under the Charities Program, collect personal data during legitimate activities related to the organization’s tax-exempt purpose, and do not sell personal data collected by the organization.
(6) Provides that a consumer has the right to access the personal data a controller is processing, rather than the right to access the categories of personal data a controller is processing.
(7) Provides that, beginning July 31, 2023, a consumer may exercise the right to opt out of sale and targeted advertising by designating an authorized agent or via user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicates or signals the consumer’s choice to opt out.
(8) Provides that a controller must respond to a request to exercise the right to access personal data within 45 days of receiving the request.
(9) Allows a consumer to appeal within a reasonable period of time after a controller refuses to take action on the consumer’s right request, rather than after the consumer’s receipt of the controller’s notice that the controller did not take action on the consumer’s request.
(10) Requires the mandatory privacy notice to use clear and plain language and be understandable to the least sophisticated consumer, as well as be in English and any other language in which a controller communicates with the consumer to whom the information pertains.
(11) Requires controllers to obtain a minor’s consent prior to processing the minor’s personal data for the purposes of targeted advertising or the sale of personal data.
(12) Adds a private right of action for consumers alleging a violation of the consumer data rights. Limits remedies to appropriate injunctive relief and requires the court to award reasonable attorneys’ fees and costs to any prevailing plaintiff.
(13) Expires the right to cure violations one year after the effective date of the bill. Removes the statutory penalties from the provisions related to enforcement by the Attorney General and instead provides that after the expiration of the right to cure, when determining a civil penalty, the court must consider a controller’s or processor’s good faith efforts to cure as mitigating factors.
(14) Provides that the bill does not create any independent causes of action, except for the actions brought by the Attorney General. Specifies that nothing in the bill limits any other causes of action and that the rights and protections in the bill are not exclusive.
(15) Requires the Joint Legislative Audit and Review Committee study on the efficacy of the Attorney General providing controllers and processors to be completed by December 1, 2023, rather than December 1, 2025.
Makes the following changes to Part 2 of the bill relating to data privacy and public health emergency (private sector):
(1) Modifies the definition of “consent” to align with the same definition in Part 1 of the bill relating to consumer personal data privacy.
(2) Modifies the definition of “deidentified data” to require that controllers take reasonable measures to ensure that the data cannot be associated not only with a natural person, but also with a household or device.
(3) Adds a private right of action for consumers alleging a violation of the consumer data rights. Limits remedies to appropriate injunctive relief and requires the court to award reasonable attorneys’ fees and costs to any prevailing plaintiff.
(4) Expires the right to cure violations one year after the effective date of the bill. Removes the statutory penalties from the provisions related to enforcement by the Attorney General and instead provides that after the expiration of the right to cure, when determining a civil penalty, the court must consider a controller’s or processor’s good faith efforts to cure as mitigating factors.
(5) Provides that the bill does not create any independent causes of action, except for the actions brought by the Attorney General. Specifies that nothing in the bill limits any other causes of action and that the rights and protections in the bill are not exclusive.
Makes the following changes to Part 3 of the bill relating to data privacy and public health emergency (public sector):
(1) Modifies the definition of “consent” to align with the same definition in Part 1 of the bill relating to consumer personal data privacy.
(2) Modifies the definition of “deidentified data” to require that controllers take reasonable measures to ensure that the data cannot be associated not only with a natural person, but also with a household or device.
Makes nonsubstantive technical corrections, such as correcting “if” to “is” in the definition of “technology-assisted contact tracing” in Part 3 of the bill.
A number of these provisions bear note or explication. First, the private right of action is the highest profile change, but it is, as noted above, a limited right, for Washington state residents could sue only for “appropriate injunctive relief,” a vague term that does not explain the range of injunctive relief available to plaintiffs. Would this allow people to ask for and receive restitution (i.e., the return or restoration of ill-gotten funds or a benefit)? If not, the extent of the relief could be to stop a controller or processor from engaging in activity that violates the new statute.
Moreover, the right to sue is limited to only some violations. People could only sue if one of their rights in Section 103 are violated (right to access, right to correct, right to delete, right to port one’s data, and a right to opt out of targeted advertising, the sale of personal data, and profiling people in ways that have legal effects) or those rights in Section 107 (the bar on processing personal data in ways that violate civil rights, processing sensitive data without consent, or processing the personal data of a minor for targeted advertising or selling her personal data without consent.)
People who sue would be able to ask the court to recover their costs and attorney’s fees, which could prove to be an incentive necessary to entice attorneys to take these cases even though they would not be able to recover civil damages.
It must also be noted the House’s bill makes clear that existing causes of action are not prohibited, and so, if a person could currently sue alleging a privacy violation under contract or tort law, she would still be able to do so after enactment. The Senate’s bill would not have allowed this.
The House’s bill also does away with the mechanism by which the attorney general must inform controllers and processors of violations, starting a 30-day period during which they can cure the violation and thus avoid an enforcement action. On 31 July 2023, this process would end, and the attorney general would not need to give entities notice and a chance to correct the wrongdoing before bringing an enforcement action. This was opposed by industry stakeholders in the hearings held on the revised bill.
The right of access is expanded. Now, in response to a request from a resident, controllers must provide the actual personal data they have on the resident. In the Senate-passed SB 5062, controllers only needed to provide the categories of personal information. Moreover, the House’s bill would include requests to access in the same 45-day clock controllers would have to respond to the other requests to exercise rights (i.e., right to delete, right to port, right to correct, and rights to opt out.)
Also of interest, the House’s bill expands the means by which one may exercise his rights to include the use of a designated agent or “user-enabled global privacy controls” (e.g., a browser plug-in or some other technological means) to convey the person’s wishes. And yet, as there is no rulemaking authority provided under either version of SB 5062, it is unclear what constitutes user-enabled global privacy controls. Based on research about the difficulty California residents have had in seeking to exercise their rights, one can safely assume that Washington state residents will encounter resistance from businesses if they use such controls. What will suffice to serve as user-enabled global privacy controls may well fall to a court to hammer out.
The House added a new category of persons to the bill: minors. This class is defined as those between 13 and 16, and controllers and processors would not be able to sell their personal data or use it for targeted advertising unless the minor opts in.
Finally, privacy and civil liberties groups would like to see stronger provisions added to SB 5062. During testimony before the Appropriations Committee, an attorney working with the American Civil Liberties Union questioned whether the attorney general would have the resources necessary to enforce the act in a meaningful way, considering that committee staff stated the attorney general’s office is only requesting funding for 3 ½ full-time positions. This attorney also questioned the wisdom of not allowing plaintiffs to recover civil penalties, for, in his experience, very few attorneys would take such cases, especially in light of the tendency of courts not to allow litigants to recover all their attorneys’ costs.
Moreover, in the view of many of these organizations, the bill, even as amended, would allow much current data collection and processing activity to continue. Washington state residents would potentially be faced with opting out with every controller if they do not want their personal data sold or do not want to be targeted by advertising. But controllers would be able to use their personal data for a wide range of purposes regardless of whether a person objects. For example, the bill would allow controllers to collect personal data and then use it for their own targeted advertising, because the definition of the practice exempts these activities if they are “[b]ased on activities within a controller’s own commonly branded websites or online applications.” And so, a Google or Facebook could bombard a user with targeted ads so long as they are based only on the personal data the company itself collected and processed.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.