Sponsors Take A New Run At Privacy Law in Washington State

Perhaps the third time is the charm? Legislators seek to pass a privacy law in Washington state for the third year in a row.

A group of senators in Washington state's Senate has introduced a slightly altered version of a privacy bill they floated last summer. The committee of jurisdiction will hold a hearing on 14 January 2021 on SB 5062. Of course, this would mark the third year in a row legislators have tried to enact the Washington Privacy Act. The new bill (SB 5062) tracks closely with the two bills produced by the Washington Senate and House last year that lawmakers could not ultimately reconcile. However, there are no provisions on facial recognition technology, which was largely responsible for sinking a privacy bill in Washington State two years ago. The sponsors have also taken the unusual step of appending language covering the collection and processing of personal data to combat infectious diseases like COVID-19.

I analyzed the discussion draft that Washington State Senator Reuven Carlyle (D-Seattle) released over the summer, and so I will not recite everything about the new bill. It should suffice to highlight the differences between the discussion draft and the introduced legislation. Big picture, the bill still uses the concepts of data controllers and processors most famously enshrined in the European Union's (EU) General Data Protection Regulation (GDPR). Like other privacy bills, generally, people in Washington State would not need to consent before an entity could collect and process their information. People would be able to opt out of some activities, but most data collection and processing could still occur as it presently does.

The date on which the bill would take effect was pushed back from 120 days in the discussion draft to 31 July 2022 in the introduced bill. Unlike the discussion draft, SB 5062 would cover non-profits, institutions of higher education, airlines, and others, but the effective date for those entities would be 31 July 2026. The right of a person to access personal data a controller is processing is narrowed slightly: it would no longer cover the personal data the controller holds but rather the categories of personal data. The time controllers would have to respond to a certain class of request would be decreased from 45 to 15 days. This class includes requests to opt out of targeted advertising, the sale of personal data, and any profiling in furtherance of decisions with legal effects. Section 106's requirement that processors have reasonable security measures has been massaged, rephrased and possibly weakened a bit.

One of the activities controllers and processors could undertake without meeting the requirements of the act was removed. Notably, they will no longer be able to "conduct internal research solely to improve or repair products, services, or technology." There is also a clarification that using any of the exemptions in Section 110 does not make an entity a controller for purposes of the bill. There is a new requirement that the State Office of Privacy and Data Protection must examine current technology that allows for mass or global opt out or opt in and then report to the legislature. Finally, two of the Congressional stakeholders on privacy and data security hail from Washington state, and consideration and possible passage of a state law may limit their latitude on a federal bill they could support. Senator Maria Cantwell (D-WA) and Representative Cathy McMorris Rodgers (R-WA), who are the ranking members of the Senate Commerce, Science, and Transportation Committee and House Energy and Commerce Committee respectively, are expected to be involved in drafting their committees' privacy bills, and a Washington state statute may affect their positions in much the same way the "California Consumer Privacy Act" (CCPA) (AB 375) has informed a number of California Members' positions on privacy legislation, especially with respect to bills being seen as weaker than the CCPA.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.


A Washington State Privacy Bill…Rises From The Dead

One of the sponsors of a privacy bill that died earlier this year has reintroduced a modified version with new language in the hopes of passing the bill next year.

Washington State Senator Reuven Carlyle (D-Seattle) has floated a new draft of privacy legislation in the hope it will pass after forerunner bills died in the last two legislative sessions. Carlyle has made a number of changes in the "Washington Privacy Act 2021," documented in this chart showing the differences between the new bill, the last version of the bill passed by the Washington State Senate last year, the "California Consumer Privacy Act" (CCPA) (AB 375), and the "California Privacy Rights Act" (CPRA) (aka Proposition 24) on this year's ballot. But in the main, the bill tracks closely with the two bills produced by the Washington Senate and House last year that lawmakers could not ultimately reconcile. However, there are no provisions on facial recognition technology, which was largely responsible for sinking a privacy bill in Washington State two years ago. Carlyle has taken the unusual step of appending language covering the collection and processing of personal data to combat infectious diseases like COVID-19.

Big picture, the bill still uses the concepts of data controllers and processors most famously enshrined in the European Union's (EU) General Data Protection Regulation (GDPR). Like other privacy bills, generally, people in Washington State would not need to consent before an entity could collect and process their information. People would be able to opt out of some activities, but most data collection and processing could still occur as it presently does.

Washingtonians would be able to access, correct, delete, and port their personal data. Moreover, people would be able to opt out of certain data processing: “for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer.” Controllers must provide at least two secure and reliable means by which people could exercise these rights and may not require the creation of a new account. Rather, a controller can require a person to use an existing account to exercise her rights.

Controllers must act on the request within 45 days and are allowed one 45-day extension "where reasonably necessary, taking into account the complexity and number of the requests." It is not clear what would justify a 45-day extension other than numerous, complex requests, but in any event, the requester must be informed of an extension. Moreover, if a controller decides not to comply with the request, it must let the person know within 45 days, give the reasons for noncompliance, and explain how an appeal may be filed. People would be permitted two free requests a year (although nothing stops a controller from meeting additional requests for free), and controllers may charge thereafter to cover reasonable costs and to deal with repetitive requests. Controllers may also deny repetitive requests outright, and they may deny requests they cannot authenticate. In the latter case, a controller may ask for more information so the person can prove his identity but is not required to.

Each controller would need to establish an internal appeals process for people to use if their request to exercise a right is denied. There is a specified timeline, and, at the end of this process, if a person is unhappy with the decision, the controller must offer to turn the matter over to the Office of the Attorney General of Washington for adjudication.

Like last year's bills, this draft makes clear the differentiated roles of controllers and processors in the data ecosystem regulated by Washington State. Processors must follow a controller's instructions and have an obligation to help the controller comply with the act. These obligations must be set out in a contract between each controller and processor "that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties." Additionally, who is a controller and who is a processor will necessarily be a fact-driven analysis, and it is possible for one entity to be both depending on the circumstances.

Notably, processors must help controllers respond to requests from people exercising their rights, secure personal data, and assist in complying with Washington State’s data breach protocol if a breach occurs. Processors must implement and use security commensurate to the personal data they are holding and processing.

Controllers are obligated to furnish privacy policies to people that must include the categories of personal data processed, the purposes for any processing, the categories of personal data shared with third parties, and the categories of third parties with whom sharing occurs. Moreover, if a controller sells personal data or processes it for targeted advertising, the controller has a special obligation to make people aware on a continuing basis, including of their right to opt out if they choose. Data collection is limited to what is reasonably necessary for the disclosed purposes of the data processing. And yet, a controller may ask for and obtain consent to process for purposes beyond those reasonably necessary to effectuate the original purposes disclosed to the person. Controllers would also need to minimize the personal data they have on hand.

Controllers must “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data…[that] shall be appropriate to the volume and nature of the personal data at issue.” Controllers would not be allowed to process personal data in a way that would violate discrimination laws. And so, controllers may not “process personal data on the basis of a consumer’s or a class of consumers’ actual or perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, lawful source of income, or disability, in a manner that unlawfully discriminates against the consumer or class of consumers with respect to the offering or provision of (a) housing, (b) employment, (c) credit, (d) education, or (e) the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation.” Controllers could not retaliate against people who exercise any of their rights to access, correct, delete, or port their personal data through offering differently priced or quality products or services. And yet, controllers may offer different prices and services as part of a loyalty program that is voluntary for people to join and may share personal data with third parties for reasons limited to the loyalty program.

Regarding another subset of personal data, consent will be needed before processing can occur. This subset is “sensitive data,” which is defined as “(a) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status; (b) the processing of genetic or biometric data for the purpose of uniquely identifying a natural person; (c) the personal data from a known child; or (d) specific geolocation data.”

The bill also bars a person from waiving his or her rights under any type of agreement; any such waiver would be null and void as contrary to public policy.

Controllers would not need to reidentify deidentified personal data to respond to a request from a person. However, the way this section is written gives rise to questions about the drafter’s intentions. The section would not require controllers to respond to requests from people to access, correct, delete or port personal data if the “controller is not reasonably capable of associating the request with the personal data, or…it would be unreasonably burdensome for the controller to associate the request with the personal data” if other conditions are true as well. Given that this provision comes right after the language on reidentifying deidentified data, it seems like the aforementioned language would apply to other personal data. And so, some controllers could respond to a request by arguing they cannot associate the request or it would be unduly burdensome. Perhaps this is not what the drafters intend, but this could become a route whereby controllers deny legitimate requests.

This section of the bill also makes clear that people will not be able to exercise their rights of access, correction, deletion, or porting if the personal data are “pseudonymous data.” This term is defined as “personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.” This is a concept that would seem to encourage controllers and processors to store data in a state that would strip identifiers from the personal data in order for them not to have to incur the cost and time of responding to requests. It bears note the concept and definition appear heavily influenced by the GDPR, which provides:

‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person
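Both definitions hinge on the same mechanics: records carry a token instead of an identifier, and the "additional information" that links token back to person (a key and a lookup table) is held separately. The following is an added illustration written for this post, not code from the bill, the GDPR, or any controller; the records, e-mail addresses and key are constructed. It shows a keyed (HMAC) token scheme, re-identification by a controller that still holds the separate table, and why the "technical measures" clause matters: an unkeyed hash of a guessable identifier is trivially reversed from a candidate list, so it is not meaningfully pseudonymous even though no e-mail appears in the records.

```python
"""Pseudonymisation as the WPA/GDPR definitions describe it (added example).

Records carry an HMAC token in place of the identifier.  The HMAC key plus
the token->identifier table are the 'additional information' and must be
stored separately from the records under their own access controls.
"""
import hashlib
import hmac

# Constructed sample records (hypothetical people, not real data).
RECORDS = [
    {"email": "alice@example.com", "purchase": "running shoes"},
    {"email": "bob@example.com", "purchase": "headphones"},
    {"email": "alice@example.com", "purchase": "socks"},
]


def pseudonymise(records, key):
    """Replace the identifier with HMAC-SHA256(key, identifier).

    Returns (pseudonymised_records, lookup) where lookup maps token -> email.
    The same person always receives the same token, so analysis across
    records still works without the e-mail being present."""
    lookup = {}
    out = []
    for rec in records:
        token = hmac.new(key, rec["email"].encode(), hashlib.sha256).hexdigest()
        lookup[token] = rec["email"]
        out.append({"subject": token, "purchase": rec["purchase"]})
    return out, lookup


def naive_pseudonymise(records):
    """What many systems actually do: an unkeyed SHA-256 of the identifier.
    No e-mail is stored, but see dictionary_attack() below."""
    return [
        {"subject": hashlib.sha256(r["email"].encode()).hexdigest(),
         "purchase": r["purchase"]}
        for r in records
    ]


def reidentify(pseudo_records, lookup):
    """The controller that still holds the separate table can attribute the
    records to a person, e.g. to honour an access or deletion request."""
    return [{"email": lookup[r["subject"]], "purchase": r["purchase"]}
            for r in pseudo_records]


def dictionary_attack(tokens, candidates, key=None):
    """Try to attribute tokens to people from a list of guessed identifiers.

    With key=None the attacker recomputes plain SHA-256; with the key they
    recompute the HMAC.  Returns {token: identifier} for every hit."""
    hits = {}
    for cand in candidates:
        if key is None:
            t = hashlib.sha256(cand.encode()).hexdigest()
        else:
            t = hmac.new(key, cand.encode(), hashlib.sha256).hexdigest()
        if t in tokens:
            hits[t] = cand
    return hits


if __name__ == "__main__":
    key = b"example-key-held-in-a-separate-store"  # constructed for the demo
    pseudo, lookup = pseudonymise(RECORDS, key)
    guesses = ["alice@example.com", "bob@example.com", "carol@example.com"]

    print("HMAC tokens, attacker without key:",
          dictionary_attack({r["subject"] for r in pseudo}, guesses))
    print("HMAC tokens, attacker with key:",
          dictionary_attack({r["subject"] for r in pseudo}, guesses, key))
    print("unkeyed SHA-256 tokens, attacker without key:",
          dictionary_attack({r["subject"] for r in naive_pseudonymise(RECORDS)}, guesses))
    print("controller with its own table:", reidentify(pseudo, lookup))
```

The practical reading of "kept separately and subject to technical and organisational measures" is that the key and table must not live next to the records: if an attacker, or an analyst who should only see pseudonymous data, obtains them, the data are personal data again. The naive variant fails without any key leaking at all, because e-mail addresses and similar identifiers come from a small enough space to enumerate.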

Data protection assessments will be necessary for a subset of processing activities: targeted advertising, selling personal data, processing sensitive data, any processing of personal data that presents “a heightened risk of harm to consumers” and another case that requires explanation. This last category is for those controllers who are profiling such that a reasonably foreseeable risk is presented of:

  • “Unfair or deceptive treatment of, or disparate impact on, consumers;
  • financial, physical, or reputational injury to consumers;
  • a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or
  • other substantial injury to consumers.”

These “data protection assessments must take into account the type of personal data to be processed by the controller, including the extent to which the personal data are sensitive data, and the context in which the personal data are to be processed.” Moreover, data protection assessments “must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks.” The bill further stipulates “[t]he use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller.” And, crucially, controllers must provide data protection assessments to the Washington Attorney General upon request, meaning they could inform an enforcement action or investigation.

Section 110 of the “Washington Privacy Act 2021” lays out the reasons one usually finds in privacy bills as to the circumstances when controllers and processors are not bound by the act, including but not limited to:

  • Comply with federal, state, or local laws, rules, or regulations;
  • Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
  • Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations;
  • Provide a product or service specifically requested by a consumer, perform a contract to which the consumer is a party, or take steps at the request of the consumer prior to entering into a contract;
  • Take immediate steps to protect an interest that is essential for the life of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis;
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action;

Moreover, the act does “not restrict a controller’s or processor’s ability to collect, use, or retain data to:

  • Conduct internal research solely to improve or repair products, services, or technology;
  • Identify and repair technical errors that impair existing or intended functionality; or
  • Perform solely internal operations that are reasonably aligned with the expectations of the consumer based on the consumer’s existing relationship with the controller, or are otherwise compatible with processing in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.

It seems reasonable to expect controllers and processors to try and read these provisions as liberally as they can in order to escape or circumvent the obligations of the act. I do not level this claim as a criticism; rather, it is what will undoubtedly occur if a regulated entity has halfway decent legal counsel.

The bill also carries over the limit on controllers’ legal liability that was in last year’s bill. The act makes clear that controllers cannot be liable for a processor’s violation if “at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation.” Consequently, even if a reasonable person could foresee that a processor would likely violate the act, unless the controller actually knows a violation is imminent, the controller cannot be held liable. This structuring of legal liability will likely result in controllers claiming they did not know of processors’ violations and create a disincentive for controllers to press processors to comply with the statutory and contractual requirements binding both.

The bill reiterates:

Personal data that are processed by a controller pursuant to [any of the aforementioned carveouts in Section 110] must not be processed for any purpose other than those expressly listed in this section. Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that such processing is:

(i) Necessary, reasonable, and proportionate to the purposes listed in this section; and

(ii) adequate, relevant, and limited to what is necessary in relation to the specific purpose or purposes listed in this section.

Finally, controllers bear the burden of making the case that the exception being used complies with this section. This would serve to check a regulated entity’s inclination to read terms and requirements as generously as possible for them and their conduct.

The bill would not create a new right for people to sue, but if a person sues on existing grounds (e.g. product liability, tort, contract law, etc.) and wins, liability would be apportioned between the controller and the processor according to their respective share of responsibility.

In terms of enforcement by the Attorney General, violations of the act are treated as violations of the Washington State Consumer Protection Act, that is, as unfair or deceptive practices, with civil penalties as high as $7,500 per violation. However, the Attorney General must first “provide a controller thirty days’ written notice identifying the specific provisions of this title the Attorney General, on behalf of a consumer, alleges have been or are being violated.” If a cure is effected, the Attorney General may not seek monetary damages; if it is not, the Attorney General may take the matter to court.

The act preempts all county, city, and local data processing laws.

There is new language in the bill pertaining to public health emergencies, privacy, and contact tracing. However, the provisions are divided between two different titles with one controlling private sector entities and the other public sector entities. Incidentally, at the federal level, privacy bills have not tended to include provisions to address public health emergencies and instead standalone bills have been drafted and introduced.

In regard to private sector entities, controllers and processors would not be able to process “covered data” for a “covered purpose,” which relates to the symptoms of infectious diseases and tracking their spread, unless certain conditions are met. For example, these entities would need to make available a privacy policy, and people must consent to such processing. Additionally, controllers and processors would not be able to disclose “any covered data processed for a covered purpose” to any law enforcement agency in the U.S., sell “any covered data processed for a covered purpose,” or “[s]hare any covered data processed for a covered purpose with another controller, processor, or third party unless such sharing is governed by contract” according to the terms laid out in this section and disclosed to the person in the required privacy policy. However, private sector entities could disclose covered data processed for a covered purpose to federal, state, and local agencies pursuant to laws permitting such disclosure, which would likely be public health or emergency laws.

This section of the bill defines “covered purpose” as

processing of covered data concerning a consumer for the purposes of detecting symptoms of an infectious disease, enabling the tracking of a consumer’s contacts with other consumers, or with specific locations to identify in an automated fashion whom consumers have come into contact with, or digitally notifying, in an automated manner, a consumer who may have become exposed to an infectious disease, or other similar purposes directly related to a state of emergency declared by the governor pursuant to RCW 43.06.010 and any restrictions imposed under the state of emergency declared by the governor pursuant to RCW 43.06.200 through 43.06.270.

There is a section that seems redundant. This provision establishes the right of a person to opt out of processing her covered data for a covered purpose, but the previous section makes clear a person’s covered data may not be processed without her consent. Nonetheless, a person may determine whether his covered data is being processed, request a correction of inaccurate information, and request the deletion of “covered data.” The provisions on how controllers are required to respond to and process such requests are virtually identical to those established for the exercise of the rights to access, correct, delete, and port in the bill.

The relationship and responsibilities between controllers and processors track very closely to those imposed for normal data processing.

Controllers would need to make available privacy policies specific to processing covered data. The bill provides:

Controllers that process covered data for a covered purpose must provide consumers with a clear and conspicuous privacy notice that includes, at a minimum:

  • How a consumer may exercise the rights contained in section 203 of this act, including how a consumer may appeal a controller’s action with regard to the consumer’s request;
  • The categories of covered data processed by the controller;
  • The purposes for which the categories of covered data are processed;
  • The categories of covered data that the controller shares with third parties, if any; and
  • The categories of third parties, if any, with whom the controller shares covered data.

Controllers would also need to limit collection of covered data to what is reasonably necessary for processing and minimize collection. Moreover, controllers may not process covered data in ways that exceed what is reasonably necessary for covered purposes unless consent is obtained from each person. But then the bill further limits what processing of covered data is permissible by stating that controllers cannot “process covered data or deidentified data that was processed for a covered purpose for purposes of marketing, developing new products or services, or engaging in commercial product or market research.” Consequently, other processing purposes would be permissible provided consent has been obtained. And so, a covered entity might process covered data to improve the current means of collecting covered data for the covered purpose.

There is no right to sue entities for violating this section, but it appears controllers may bear more legal responsibility for the violations of their processors regarding covered data. Moreover, the enforcement language is virtually identical to the earlier provisions in the bill as to how the Attorney General may punish violators.

The bill’s third section would regulate the collection and processing of covered data for covered purposes by public sector entities, and for purposes of this section controllers are defined as “local government, state agency, or institutions of higher education which, alone or jointly with others, determines the purposes and means of the processing of covered data.” This section is virtually identical to the second section with the caveat that people would not be given the right to determine if their covered data has been collected and processed for a covered purpose, to request a correction of covered data, and to ask that such data be deleted. Also, a person could not ask to opt out of collection.

Finally, two of the Congressional stakeholders on privacy and data security hail from Washington state, and consideration and possible passage of a state law may limit their latitude on a federal bill they could support. Senator Maria Cantwell (D-WA) and Representative Cathy McMorris Rodgers (R-WA), who are the ranking members of the Senate Commerce, Science, and Transportation Committee and House Energy and Commerce’s Consumer Protection and Commerce Subcommittee respectively, are involved in drafting their committees’ privacy bills, and a Washington state statute may affect their positions in much the same way the “California Consumer Privacy Act” (CCPA) (AB 375) has informed a number of California Members’ positions on privacy legislation, especially with respect to bills being seen as weaker than the CCPA.



Privacy Bill Revived and Revised in Washington State

The Washington state legislature is again trying to pass privacy legislation after an effort to do so last session fell short. If passed, this would constitute the second major privacy and data security bill enacted in the U.S. after the “California Consumer Privacy Act” (CCPA) (AB 375) and the revised bill contains significant differences from California’s now effective privacy regime. The “Washington Privacy Act” (SB 6281) generally provides protections and limits on how the personal data of Washington residents can be collected, processed, and disclosed and would apply to many companies in Washington state or doing business in the state.

Last week, the Senate Environment, Energy & Technology Committee marked up and reported out the “Washington Privacy Act” (here are the links for the hearing agenda, documents, and video). It is unclear whether this effort will succeed where last year’s bill stalled in the legislature, largely over provisions on facial recognition technology. Nonetheless, some of the same key stakeholders in the legislature who pushed for privacy and data security legislation are again trying to get a bill enacted even though this year’s legislative session is only 60 days long.

According to the “Bill Report,” SB 6281:

  • Provides Washington residents with the consumer personal data rights of access, correction, deletion, data portability, and opt out of the processing of personal data for specified purposes.
  • Specifies the thresholds a business must satisfy for the requirements set forth in this act to apply.
  • Identifies certain controller responsibilities such as transparency, purpose specification, and data minimization.
  • Requires controllers to conduct data protection assessments under certain conditions.
  • Authorizes enforcement exclusively by the attorney general.
  • Provides a regulatory framework for the commercial use of facial recognition services such as testing, training, and disclosure requirements.

This bill, as currently drafted, would take effect on July 31, 2021, and the intent seems to be that it would become effective 18 months after passage and so this date may be pushed back depending on when it is enacted.

Personal data is defined broadly to include all information that can be linked or can reasonably be linked to a person aside from deidentified data and publicly available information. Undoubtedly, these two exceptions will be interpreted as widely as possible, so they bear further discussion. “Deidentified data” are “data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable natural person, or a device linked to such person, provided that the controller that possesses the data:

(a) Takes reasonable measures to ensure that the data cannot be associated with a natural person;

(b) publicly commits to maintain and use the data only in a deidentified fashion and not attempt to reidentify the data; and

(c) contractually obligates any recipients of the information to comply with all provisions of this subsection.”

These deidentification provisions track with language in other federal and state privacy bills, and the inclusion of inference strengthens the standard entities must meet before data are considered deidentified.

And, “publicly available information” is “information that is lawfully made available from federal, state, or local government records.” Some states allow the sale or accessing of information provided to the agency that licenses drivers and cars, and if Washington is one of these states, some personal information such as height, weight, ethnicity, and other data could be obtained through this exception.

As in most privacy legislation, there is an even more sensitive set of information. The “Washington Privacy Act” creates a subcategory of “personal data” called “sensitive data,” which are:

(a) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status;

(b) the processing of genetic or biometric data for the purpose of uniquely identifying a natural person;

(c) the personal data from a known child [defined in the bill as all people 12 years of age and younger]; or

(d) specific geolocation data.

This category of personal data would be subject to extra protection in many but not all instances.

The Washington Privacy Act’s definition of process or processing data is very broad and would cover almost all activities undertaken by an entity manipulating data: “any operation or set of operations which are performed on personal data or on sets of personal data, whether or not by automated means, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.” Therefore, unlike a number of other bills which discuss collection and processing as separate terms, any such references to processing will encompass all the collection activities of entities covered by the bill.

A final definition bears examination. The legislation defines “sale,” “sell,” or “sold” as “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.” The latter phrase is crucial, for many entities do not collect money for disclosing or sharing data but rather receive data or other things of value in return. Consequently, folding into the definition of sale those transactions in which personal data is given to another entity in exchange for something of value would ensure that many data transfers are considered sales. However, a sale would not include the following:

(i) The disclosure of personal data to a processor who processes the personal data on behalf of the controller;

(ii) the disclosure of personal data to a third party with whom the consumer has a direct relationship for purposes of providing a product or service requested by the consumer;

(iii) the disclosure or transfer of personal data to an affiliate of the controller;

(iv) the disclosure of information that the consumer

(A) intentionally made available to the general public via a channel of mass media, and

(B) did not restrict to a specific audience; or

(v) the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.

Obviously, exception (iv) would place outside the definition of sale anything a person transmits from a public account on social media such as Twitter, Facebook, and the like.

Like other privacy bills such as the CCPA, data collection and processing related to employment would be exempt. The definition of “consumer” provides for this exemption but seems to go further in stipulating that Washington state residents “acting in a commercial…context” are also outside the scope of the definition. The definition of consumer is used throughout the bill and is the term upon which a number of the rights, protections, and obligations turn. Therefore, these employment and commercial exemptions may become the avenue by which some argue that their data collection and processing activities are outside the scope of some of the bill’s requirements.

Like the General Data Protection Regulation (GDPR), the bill divides those entities covered by its requirements into two groups: controllers and processors. The former are entities that determine the purposes and means of the processing of personal data, and the latter are those that process data on behalf of controllers. However, the scope of those controllers and processors subject to the bill hinges on whether the entity has a presence in Washington or is selling products and services to Washington state residents. Moreover, an entity must also satisfy one of two other criteria before it is subject to the law. It must either have collected or processed the personal data of 100,000 or more Washingtonians in a calendar year, or earn 50% or more of its gross revenue from selling personal data and also control or process the personal data of 25,000 or more people.

Moreover, the bill makes clear that controllers and processors working together will not automatically be deemed liable for the misdeeds of the other should there be alleged violations of the statute. By the same token, when a controller and processor are “involved in the same processing…in violation of this chapter, the liability must be allocated among the parties according to principles of comparative fault.” The bill also requires that “[p]rocessing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties.” What’s more, a controller or processor may not be held liable for a third party’s violations in processing personal data that the controller or processor sold to that third party, “provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation.” It bears noting that “actual knowledge” is a higher standard than a “should have known” or constructive knowledge standard, opening the possibility that some controllers or processors may sell personal data in situations where a reasonable person would have known that violations by a third party were likely.

However, a number of entities are carved out of the bill’s scope. For example, activities subject to “Health Insurance Portability and Accountability Act” (HIPAA), Gramm-Leach-Bliley, “Fair Credit Reporting Act” (FCRA), or “Family Educational Rights and Privacy Act” (FERPA) regulations are exempted to the extent they are in compliance. However, a closer read of these provisions suggests that just because an entity may be subject to and compliant with these and other federal privacy statutes does not mean all of its data collection and processing activities are exempted. Rather, it appears any such activities outside the scope of those laws may be covered by the Washington state privacy and data security statute.

In terms of new responsibilities for covered entities, controllers must draft and make available “reasonably accessible, clear, and meaningful” privacy notices that inform people of

  • The categories of personal data processed by the controller;
  • The purposes for which the categories of personal data are processed;
  • How and where consumers may exercise the rights…including how a consumer may appeal a controller’s action with regard to the consumer’s request;
  • The categories of personal data that the controller shares with third parties, if any; and
  • The categories of third parties, if any, with whom the controller shares personal data.

Controllers would only be allowed to collect the bare minimum of personal data necessary for processing in light of notice provided to people and the activities the controller is undertaking. Generally, a controller “may not process personal data for purposes that are not reasonably necessary to, or compatible with, the purposes for which such personal data are processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.”


Controllers would be barred from processing personal data in ways that violate federal and Washington state laws prohibiting discrimination. However, controllers may discriminate with respect to “offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offering is in connection with a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.” There are limits on when and how controllers may sell personal data to third parties (who are defined under the bill to be neither controller, processor, nor a subsidiary of either): such a sale is permitted only if it is clearly disclosed in the privacy notice, is reasonably necessary “to enable the third party to provide a benefit to which the consumer is entitled,” and “the third party uses the personal data only for purposes of facilitating such benefit to which the consumer is entitled and does not retain or otherwise use or disclose the personal data for any other purpose.”

And yet, controllers “may not process sensitive data concerning a consumer without obtaining the consumer’s consent, or, in the case of the processing of personal data concerning a known child, without obtaining consent from the child’s parent or lawful guardian, in accordance with the children’s online privacy protection act requirements.” As noted earlier, sensitive data include information indicating race, national origin, or sexual orientation, as well as biometric data and specific geolocation data. And while controllers and processors may not process in ways that violate federal and state law prohibiting discrimination, once consent is fairly obtained from a Washington state resident, they may process in virtually any way short of discrimination.

Finally, people cannot be forced to waive their rights. The Washington Privacy Act makes clear that “[a]ny provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer’s rights under this chapter shall be deemed contrary to public policy and shall be void and unenforceable.”

As noted, like many privacy bills, there are myriad exceptions to the obligations placed on controllers and processors which do not block either’s ability to:

  • Comply with federal, state, or local laws, rules, or regulations;
  • Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
  • Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations;
  • Investigate, establish, exercise, prepare for, or defend legal claims;
  • Provide a product or service specifically requested by a consumer, perform a contract to which the consumer is a party, or take steps at the request of the consumer prior to entering into a contract;
  • Protect the vital interests of the consumer or of another natural person; or
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action;

There are additional carve-outs to the standards controllers and processors must meet under the Washington Privacy Act with respect to their “ability to collect, use, or retain data,” including

  • Conducting internal research to improve, repair, or develop products, services, or technology;
  • Identifying and repairing technical errors that impair existing or intended functionality; or
  • Performing internal operations that are reasonably aligned with the expectations of the consumer based on the consumer’s existing relationship with the controller, or are otherwise compatible with processing in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.

Such an exemption may result in the acquisition and processing of personal data against the wishes of people in a number of circumstances, given how expansive the conditions are under which the normal obligations do not apply.

Nonetheless, the legislature included language to limit processing under an exception and the controller bears the burden of demonstrating that the processing fits an exception.

Moreover, “[c]ontrollers must conduct and document a data protection assessment of each of the following processing activities involving personal data:

  • The processing of personal data for purposes of targeted advertising;
  • The sale of personal data;
  • The processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk of:
    • Unfair or deceptive treatment of, or disparate impact on, consumers;
    • financial, physical, or reputational injury to consumers;
    • a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or
    • other substantial injury to consumers;
  • The processing of sensitive data; and
  • Any processing activities involving personal data that present a heightened risk of harm to consumers.”

Controllers would have to keep these on file and then turn them over to the attorney general if requested during an investigation.

Under the “Washington Privacy Act” consumers would be given a number of rights they could exercise by contacting controllers who hold their personal data:

(1) Right of access. A consumer has the right to confirm whether or not a controller is processing personal data concerning the consumer and access such personal data.

(2) Right to correction. A consumer has the right to correct inaccurate personal data concerning the consumer, taking into account the nature of the personal data and the purposes of the processing of the personal data.

(3) Right to deletion. A consumer has the right to delete personal data concerning the consumer.

(4) Right to data portability. When exercising the right to access personal data pursuant to…a consumer has the right to obtain personal data concerning the consumer, which the consumer previously provided to the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.

(5) Right to opt out. A consumer has the right to opt out of the processing of personal data concerning such consumer for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer.

The last right bears further elucidation on account of the use of a key phrase: “decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer.” The bill defines this to mean “decisions that include, but are not limited to, the denial of consequential services or support, such as financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, and access to basic necessities, such as food and water.” These provisions would seem to be aimed at practices deemed “digital redlining” by the Obama Administration, a term used to describe practices or policies that would use data collected and processed to discriminate against people on the basis of real or perceived characteristics. Consequently, if an insurance company is processing the personal data of Washington state residents and on the basis of this processing is offering different rates to similarly situated people, a person could opt out of the processing up front, presumably because the controller disclosed these practices in its privacy notice.

Controllers must respond to the individual on the action taken regarding the request within 45 days but they may delay responding for an additional 45 days where “reasonably necessary.” There is to be an internal appeals process at the controller for requests that are denied and at a certain point in that process the individual or the controller may inform the state attorney general’s office.

However, as with many of the federal privacy bills, there are a number of circumstances under which these, and other consumer rights, do not have to be respected, including but not limited to complying with federal or state law or a government inquiry, protecting the “vital interest” of a person, protecting against fraud or theft and a range of other crimes, and other stated reasons or purposes.

Like an increasing number of federal privacy bills, there are provisions requiring controllers and processors to implement and maintain data security for the personal data being held. Controllers “shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such data security practices shall be appropriate to the volume and nature of the personal data at issue.” Likewise, processors would need to “[i]mplement and maintain reasonable security procedures and practices to protect personal data, taking into account the context in which the personal data are to be processed.” Additionally, processors must “[e]nsure that each person processing the personal data is subject to a duty of confidentiality with respect to the data.”

The Washington attorney general alone would be able to enforce the “Washington Privacy Act” as there is no private right of action in the bill for privacy violations and the legislature goes even further to stipulate there is no right to sue for violations under any Washington state law. The attorney general may seek injunctions and civil penalties of up to $7,500 per violation with no limit on the size of a total fine. As with all of the privacy and data security bills, enforcement will drive much of the actions taken by entities subject to the new statute.

While Washington state is not among the most populous states and theoretically the impact of any privacy law would be limited, it is the home of corporate headquarters for both Microsoft and Amazon. Hence, these and other firms may decide to adhere to these standards with respect to the privacy of people throughout the U.S. However, this new regulatory structure for privacy would be inconsistent with California’s, requiring entities subject to both states’ laws to navigate the different standards. Possibly, passage of a second major privacy statute could provide further impetus to Congress to act on privacy legislation that creates a national approach. Moreover, passage of a privacy law in Washington may affect the positions of Washington state lawmakers in the capital, particularly two key stakeholders: Senator Maria Cantwell (D-WA) and Representative Cathy McMorris Rodgers (R-WA), who are the ranking members of the Senate Commerce Committee and the House Energy and Commerce Committee’s Consumer Protection and Commerce Subcommittee, respectively. Both are involved in drafting their committee’s privacy bills, and a Washington state statute may affect their positions in much the same way the CCPA has informed a number of California Members’ positions on privacy legislation, especially with respect to bills being seen as weaker than the CCPA.

As noted earlier, the bill also addresses facial recognition technology, a policy area not usually joined to privacy legislation, and sets limits on the use of this new technology. The “Washington Privacy Act” defines “facial recognition service” as “technology that analyzes facial features and is used for the identification, verification, or persistent tracking of consumers in still or video images.” Processors that provide these technologies must also make available an application programming interface that would allow researchers to independently access the service and determine whether the facial recognition technology in question is accurate and fair. Processors must mitigate any negative results. Additionally, “[c]ontrollers must provide a conspicuous and contextually appropriate notice whenever a facial recognition service is deployed in a physical premise open to the public.” Controllers also “must obtain consent from a consumer prior to enrolling an image of that consumer in a facial recognition service used in a physical premise open to the public” except if “for a security or safety purpose.” Additionally, “[c]ontrollers using a facial recognition service to make decisions that produce legal effects on consumers or similarly significant effects on consumers must ensure that those decisions are subject to meaningful human review.”